Back to Blog
theme

AI in Regulated Industries: The Pattern Never Changes

I put AI into six regulated industries this year. The winning move was never the model. It was building the compliance constraint before the generator.

By Mike Hodgen

Short on time? Read the simplified version

Six Regulated Industries, One Lesson

Over the last two years I've built AI systems for six regulated or compliance-heavy operations: a financial advisory firm, a longevity and telehealth startup, a personal-injury law firm, a security-guard staffing company, a child-development app, and a multi-state payroll system.

Six different industries. Six different regulators. One identical lesson.

In every single one of these builds, the model was the easy part. Picking Claude or Gemini, writing the prompts, getting good output, that took days, not weeks. The hard part, the part that actually decided whether the thing shipped or died in a legal review, was the constraint. The compliance gate. The banned-words filter. The deterministic rule engine. The human approval step.

Here's the thing nobody tells you about AI in regulated industries: regulation is actually where AI's discipline beats a human's. A well-built system applies the same rule to output number one and output number one million. It never gets tired, never skips a step, never decides the disclaimer doesn't matter on a Friday.

But that only holds if you architect the guardrail before the generator. Build it the other way around and you've made an expensive liability machine.

This article is a roll-up of those six builds. I'm going to show you the exact pattern I now use in every regulated vertical, the five guardrails I put in place before I let a model write a single word, and the two-question test you should run on anyone trying to sell you AI for a regulated business.

The pattern transfers. That's the whole point.

The Mistake Everyone Makes: Generator First

Most teams and most vendors start in exactly the wrong place. They say "let's get AI writing our content" or "let's get AI answering customer questions" or "let's get AI making this decision." They build the generator first. Then, when someone in legal raises a hand, they bolt compliance on afterward as a review layer.

Comparison diagram showing generator-first architecture with compliance bolted on afterward versus guardrail-first architecture where the compliance constraint wraps around the AI generator. Guardrail-First vs Generator-First Architecture

That is backwards. And in regulated work, backwards isn't a quality problem. It's a structural one.

In a normal business, a piece of AI output that's 90% good with a small problem is fine. You ship it, you fix it next sprint. In a regulated business, that math doesn't work. A financial advisory blog post that promises returns isn't "90% good with a compliance issue." It's illegal. The SEC doesn't grade on a curve.

This is the same reason most AI projects fail: people treat the hard requirement as an afterthought and the demo as the deliverable. The demo always looks great. The demo is the generator doing its thing in a controlled room. Production is where the constraint lives, and if you didn't design for the constraint, production is where you get hurt.

So I flipped the order. In regulated industries, the guardrail isn't a feature you add later. It's the spec. It's the actual product requirement, written down before anything else.

Build the cage first. Then put the animal in it.

When you start from the constraint, something useful happens. The constraint tells you what the product can and cannot be. It removes ambiguity. The financial advisory engine wasn't "an AI that writes posts." It was "a system that cannot produce a non-compliant claim, that happens to write posts." Different spec. Different architecture. Different outcome.

The Five Guardrails I Build Before Any Generator

After six builds, the pattern generalized into five reusable primitives. I now install these before the model ever runs.

Vertical infographic listing the five reusable AI guardrails: hard compliance gate, banned-words filter, deterministic rule engine, human approval step, and audit log. The Five Reusable Guardrail Primitives

The hard compliance gate

A request that violates a rule should never reach the model in the first place. Not "the model declines politely." Structurally blocked, upstream, in code.

For the personal-injury law firm, the intake agent is structurally forbidden from quoting a settlement number. It physically cannot. The path that would produce a dollar figure doesn't exist in the code. I wrote up the full build in an intake agent forbidden from quoting a number. The model never gets the chance to be wrong, because it never gets the request.

The banned-words and claims filter

For the financial advisory content engine, words like "guaranteed," "risk-free," and "assured returns" are blocked twice. Once at generation, where the prompt is constrained to avoid them, and again at output, where a deterministic filter scans the finished text before anything moves forward.

Belt and suspenders. The model is good, but I don't trust a single language model to be the only thing standing between a client and a regulatory letter. Two gates, one prompt-side, one output-side.

The deterministic rule engine

California wage law does not get "estimated" by a model. In the multi-state payroll system, overtime, meal-break premiums, and split-shift differentials compute in code, against statutory rules with actual court-case examples baked into the logic.

I covered the reasoning in made the risk math deterministic with no AI allowed. The model cannot be allowed to approximate a number that determines whether someone got paid legally. Anything with legal consequence runs on testable, deterministic code.

The human approval step

The telehealth and medical content never goes live without a human signing off. Not "usually." Never. The system stops by design and waits for a person.

This is one of the kill-switches I build into every system. For some categories of output, automation is the wrong answer no matter how good the model gets, because the cost of one bad output is a health claim that shouldn't exist. The stop is built in, not bolted on.

The audit log

Every decision, every prompt, every override gets recorded. In a regulated industry, "we think the AI did the right thing" is not a defense. "Here is the exact input, the exact rule applied, the exact output, and the person who approved it" is.

The audit log is boring. It's also the difference between a defensible system and a hopeful one. When a regulator asks what happened on a specific date, you answer with a record, not a shrug.

Let the Model Judge, Let the Code Compute

If you take one architectural line from this whole article, take this one.

Diagram dividing AI responsibilities: the model handles judgment and classification tasks while deterministic code computes any number or decision with legal consequence. Model Judges vs Code Computes Boundary

The model is good at language, classification, and judgment. It's genuinely excellent at "is this customer message angry," "does this paragraph read naturally," "which of these three categories does this fall into." Soft, fuzzy, human-language tasks.

The model is terrible at being the source of truth for a number that has legal consequences. Not because it's dumb, but because it's probabilistic by design. It will give you a plausible answer, and plausible is exactly the wrong standard when the answer is someone's overtime pay.

So in the payroll engine, AI never calculates wages. Code does, against statutory rules. The AI sits beside the calculation. It can help interpret a messy timesheet note or flag an unusual pattern for review. It never touches the math.

Same structure in the security-guard staffing build. The AI can read a roster and flag that a guard's training certification is expiring in eleven days. Useful. But the AI does not decide whether that guard is allowed to be scheduled. A deterministic check does that, the training-gated scheduling shield, and it's pure code. If the cert is expired, the guard cannot be assigned to a post that requires it. Full stop. No model in the loop on the decision that creates liability.

The rule I now apply everywhere: anywhere a wrong answer creates liability, the math is deterministic and testable. The AI advises, surfaces, classifies, and drafts. It does not adjudicate.

This is the core of good deterministic AI architecture. You're not choosing between AI and code. You're putting each one where it's strong. The model judges. The code computes. And the boundary between them is the most important design decision in the entire system.

Get that boundary wrong and your "AI in regulated industries" project becomes a regulated-industry incident.

Why Regulation Actually Favors AI (When You Do It Right)

Here's the counterintuitive part.

Comparison chart showing a human reviewer's scrutiny declining across outputs while a correctly built AI system applies identical scrutiny to every output from one to one million. Why Consistency Favors AI in Compliance

Regulation is almost always framed as the reason you can't use AI. Too risky, too sensitive, too many rules. I'll argue the opposite: done correctly, regulated work is where AI's strengths matter most.

Think about what a human compliance reviewer actually does at the end of a long day. They're checking post 40 of 60. They've seen the same disclaimer thirty-nine times. At 6pm, tired, they skim it. They miss the banned phrase. They forget the required disclosure on that one post. Not because they're careless, but because they're human, and consistency under repetition is the exact thing humans are worst at.

A correctly-built system applies the same gate to every single output. Post one and post sixty get identical scrutiny. The banned-words filter runs the same way at 6pm as it did at 9am. It logs every check. It never has a bad day.

The child-development app's safety classification runs identically on input one and input one million. That's not a nice-to-have in that context. That's the requirement. You cannot have a content-safety check that works most of the time when children are involved.

Consistency is exactly what compliance demands. Consistency is exactly what AI compliance guardrails, built right, deliver better than any human team.

Now the honest catch, because I won't sell you a clean story.

This only holds if the guardrail is built first and actually tested. Not assumed. A generator with a hopeful disclaimer stapled to the bottom is worse than no AI at all, because it produces volume, and volume of non-compliant output is a faster path to a problem than a slow human ever was.

The consistency advantage is real. It's also conditional. The condition is that you did the unglamorous work of building and testing the cage before you turned on the generator. Skip that, and AI doesn't reduce your risk. It scales it.

What This Means for Your Regulated Business

If you run a regulated or compliance-heavy operation, you've probably been told AI is too risky for you. Maybe by your own legal team. Maybe by a vendor who didn't want to do the hard part.

Vertical flowchart of the two-question vendor test asking where non-compliant requests get blocked and where a human signs off, with branches leading to trustworthy or walk-away outcomes. The Two-Question Vendor Test

Reframe the question. It is not "is AI safe for my industry." After six verticals, I can tell you the answer to that is yes, with the right architecture. The real question is: "is my vendor building the constraint first, or the demo first?"

Here's a two-question test you can run on anyone selling you AI. It takes thirty seconds and it filters out most of the noise.

One: Where does a non-compliant request get blocked? They should be able to point to a specific place in the system, upstream of the model, where a forbidden request never reaches the generator. If they wave at "the AI is trained not to do that," that's not a guardrail. That's a hope.

Two: Where does a human have to sign off? For the categories that matter, there should be a hard stop, a named approval step, by design. If everything is fully automated end to end with no human in the loop on the high-stakes output, walk away.

If the answers to both are vague, you have your answer about the vendor.

I've now built this pattern across six regulated industries, and it transfers cleanly because the underlying primitives don't change. Compliance gate, claims filter, deterministic rule engine, human approval, audit log. The industry changes. The architecture doesn't.

If you've got something you're trying to ship and you're not sure it can be done safely, tell me what you're trying to ship. I'll tell you straight whether the constraint can be built first, because that's the only way I build it.

I write the guardrail and the generator. I don't hand you a slide deck about risk and call it a strategy.

Want to explore what AI could do for your business?

Book a free 30-minute strategy call. No pitch deck, no sales team, just a real conversation about your operations and where AI fits.

Book a Discovery Call

Get AI insights for business leaders

Practical AI strategy from someone who built the systems — not just studied them. No spam, no fluff.

Ready to automate your growth?

Book a free 30-minute strategy call with Hodgen.AI.

Book a Strategy Call