Regulated Industries
You already have five compliance regimes. AI governance is the sixth. HUMMBL primitives compose into your existing stack: they don't replace your HIPAA, FINRA, SOC 2, or ISO 42001 programs; they compose with them.
The compound compliance problem
A single AI-assisted clinical workflow simultaneously triggers HIPAA Privacy + Security Rules, FDA SaMD requirements (with PCCP for iterative models), HHS Section 1557's nondiscrimination rule (enforceable since July 2025), ONC HTI-1 DSI transparency, state medical board disclosure laws, and CMS prior authorization AI rules.
A single AI-assisted trading workflow simultaneously triggers FINRA 24-09 supervisory guidance, Federal Reserve SR 11-7 model risk management, SEC investment adviser AI disclosure rules, NYDFS Part 500, and — if you're global — EU AI Act Annex III.
Mid-size health systems and financial services firms are running 3-5 disconnected compliance programs. Each one has its own evidence format, its own audit cadence, its own control catalog. Adding another disconnected AI governance program makes the problem worse.
Why HUMMBL composes
- Primitives, not platform — you import what you need, where you need it. HUMMBL doesn't replace your existing SOC 2 or HIPAA evidence tooling; it adds an AI-governance layer to it.
- Append-only JSONL evidence — portable to whatever GRC system you already use (ServiceNow, OneTrust, Drata, Vanta, Archer)
- Signed, attributed actions — every agent action produces an audit artifact that maps 1:1 to the "what, who, when, why" structure every regulator expects
- Air-gap capable — deploys into your existing HIPAA perimeters, your broker-dealer isolation zones, your PCI CDE — wherever your data already lives
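To make the "append-only, signed, attributed" evidence idea concrete, here is an added illustration (not HUMMBL's own code or record format) of a JSONL audit log in which every line carries who/what/when/why, an HMAC signature, and the hash of the previous line, so that a GRC importer can detect edits, deletions, or reordering. The key, field names, and record layout are assumptions for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real deployment would hold this in an HSM or KMS (assumption).
DEMO_KEY = b"demo-signing-key-not-for-production"


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the signature covers exactly what is stored.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_evidence(log: list, key: bytes, who: str, what: str, why: str,
                    when: str = "") -> dict:
    """Append one signed who/what/when/why record to an in-memory JSONL log.
    Each record also stores the SHA-256 of the previous line, so deleting or
    reordering lines breaks the chain even if each line's signature is intact."""
    prev = hashlib.sha256(log[-1].encode()).hexdigest() if log else "0" * 64
    body = {
        "who": who, "what": what, "why": why,
        "when": when or datetime.now(timezone.utc).isoformat(),
        "prev": prev,
    }
    body["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    log.append(json.dumps(body, sort_keys=True, separators=(",", ":")))
    return body


def verify_log(log: list, key: bytes) -> tuple:
    """Return (True, len(log)) if every line is correctly signed and chained,
    otherwise (False, index_of_first_bad_line)."""
    prev = "0" * 64
    for i, line in enumerate(log):
        try:
            rec = json.loads(line)
            sig = rec.pop("sig")
        except (ValueError, KeyError):
            return False, i
        if rec.get("prev") != prev:
            return False, i                      # line missing, reordered, or inserted
        expected = hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, i                      # content edited or wrong key
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True, len(log)
```

Each line is self-describing JSON, so the same file can be shipped unchanged to whichever GRC system consumes it, while the chain and signatures let the receiver prove nothing was altered in transit.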
Regulatory coverage
Healthcare:
- HIPAA Privacy Rule + Security Rule — audit trail artifacts
- FDA SaMD & PCCP — algorithm change control via contract baselines
- HHS Section 1557 — nondiscrimination evidence via delegation logs
- ONC HTI-1 DSI — transparency requirements via governance bus
- State medical board AI disclosure laws
Financial services:
- FINRA 24-09 — supervisory record-keeping
- Fed SR 11-7 — model risk management documentation
- NYDFS Part 500 — cybersecurity + AI governance
- SEC investment adviser AI — disclosure & conflict management
- OCC AI risk management guidance
For healthcare IT, clinical informatics, trading technology, risk, and compliance leaders scoping AI governance against your existing regulatory stack:
Book a compound-compliance architecture call →
See also
- Browse the primitives
- Compliance calendar — track framework deadlines
- Readiness assessments — per-framework gap checks
- Framework crosswalk — NIST / ISO / EU / Colorado / Singapore