The Five-Layer Compliance Stack for AI in Mid-Market Regulated Industries
The canonical Securem reference architecture for AI compliance in mid-market regulated industries. Five layers, vendor BAA chain, data residency, agent governance, workforce supervision, procurement posture, stacked in the order that survives the next regulatory cycle.
Why the existing playbook is incomplete The playbook most mid-market regulated buyers are running on AI in 2026 was assembled from three sources. The first source is the model vendor's own enablement content, useful for what the model does, silent on what the buyer is responsible for. The second source is the legacy SaaS procurement checklist, necessary, but built for a world where a vendor processed a fixed set of inputs through a fixed set of code paths and returned a fixed set of outputs. The third source is the firm's existing GRC program, usually a SOC 2 control library, sometimes a HIPAA Security Rule mapping, occasionally a NIST CSF crosswalk, designed for an environment in which the actors taking action against regulated data were human users with named accounts. Each of the three sources is correct on its own terms. Stacked together they leave five structural gaps that every audit we have run in the last eighteen months has surfaced. The gaps are not exotic. They are not the result of a frontier failure mode or an adversarial novel attack. They are the predictable consequence of a buyer treating an AI deployment as if it were a new SaaS application when it is in fact a new actor class with a new request path, a new identity model, a new accountability surface, and a new commercial structure. The five gaps are: the vendor BAA or DPA chain that does not extend to every component on the request path; the data residency and classification posture that does not match the workload sensitivity; the absence of governance for non-human agents acting on regulated data; the supervision model built for human operators that now has to supervise machine ones; and the procurement posture built for seat-based SaaS that now has to absorb metered agent licensing. We have written individually about each. The unifying observation, that they compound, that skipping any one of them destabilizes the others, and that there is a defensible order in which to build them, is the subject of this reference. The five layers are not optional and the order matters. A regulated mid-market buyer with the vendor BAA chain in place but no agent governance has a contract that is technically clean and operationally undefended. A buyer with sophisticated agent governance but no procurement-meter discipline has built a program the CFO will defund at the next renewal. A buyer with all five layers, built in order, has a posture that survives the next regulatory cycle, the next model substitution, the next acquisition diligence, and the next OCR or FFIEC examination. The buyer who builds them out of order rebuilds two layers next year. The remainder of this article walks the layers in order, names the artifacts each one produces, and maps them to the compliance frameworks the firm's audit committee will be asked to report against. Layer one, vendor BAA/DPA chain The first layer is the contractual chain along the request path. For a regulated mid-market buyer this means that every component touched by a single AI request, the user interface vendor, the orchestration vendor, the model vendor, the storage layer holding session state, the observability and telemetry vendor, any retrieval-augmented generation index, any agent middleware, any third-party tool the agent is allowed to call, has a contractual link that covers the data class flowing through it. In healthcare that link is the Business Associate Agreement. In financial services it is the data processing agreement and the third-party risk management attestation contemplated by the OCC's Third-Party Risk Management guidance and the FFIEC IT Examination Handbook. In other regulated verticals the analogue is whatever contract carries the data-handling, breach-notification, and audit-rights language the regulator expects to see. The structural failure we audit most often is not the absence of a BAA on the model vendor. The model vendor's BAA is, in our experience, the one piece of the chain the procurement team has secured. The failure is the orchestration layer, the middleware, and the observability vendor, components that the engineering team adopted in a Tuesday afternoon decision and that sit on the request path without a contractual link. The middleware trap is the most common shape of the gap. The orchestration-layer BAA gap is the second most common. Both are operational issues in disguise: the contract office never saw the procurement because engineering never raised a procurement record. The defensible posture is a single artifact, the request-path map, that lists every component PHI, PII, NPI, or other regulated data touches between the user's keystroke and the persisted response, and the contract that covers each. We walk through how to build that artifact in the vendor BAA chain procurement field guide. The point for this reference is that the BAA or DPA chain is layer one because every layer above it presumes it. There is no useful agent governance over a request path the firm has no contractual right to inspect. There is no useful procurement posture over a vendor relationship the firm has no contractual exit from. Layer one is the soil. The artifact a board can be shown at the end of layer one is a one-page request-path diagram with each component annotated with the executed contract, its data-handling coverage, the indemnity floor, and the audit-rights clause. The artifact an auditor will ask for is the same diagram and the underlying contracts. When the diagram and the contracts agree, the layer is built. When they do not, the program is not at layer one yet, no matter what the model vendor's marketing says. Layer two, data residency and classification The second layer is the workload-to-architecture fit. A regulated mid-market buyer running a single AI deployment across a heterogeneous data estate, some public marketing copy, some internal operational data, some regulated client data, some highly sensitive clinical or financial records, cannot apply one architecture to all of it. The HIPAA Security Rule does not require the same controls for a marketing draft that it requires for a discharge summary, and a sensible architecture stops paying for the higher controls on the lower-sensitivity workload while ensuring the higher-sensitivity workload never escapes the architecture it needs. We have written the canonical four-architecture taxonomy in the HIPAA AI architecture reference implementation. Architecture A is the cloud-hosted model under a clean BAA, suitable for the majority of workloads. Architecture B is the same model behind a private deployment, suitable for workloads that have specific egress or tenancy concerns. Architecture C is the self-hosted open-weights deployment, suitable for workloads where the buyer needs full control of the inference perimeter. Architecture D is the on-device deployment, local inference on hardware the regulated user already controls, suitable for the small but real category of workloads where the data should never leave the device. The on-device option for HIPAA-regulated professionals has matured to the point where it is now a real choice for sole-practitioner clinicians and small clinical teams in 2026, a choice that did not exist in production form two years ago. The discipline at layer two is the classification map. The firm produces a list of every workload AI is or will be applied to, classifies the data the workload touches against the firm's existing data classification policy, and maps the workload to the architecture appropriate for its class. The map is not static. A workload migrates between architectures as the data class changes, a marketing summarization workload that begins using customer testimonials becomes a Class 2 workload and may have to move from architecture A to architecture B. A clinical note summarization workload that begins to be used for ambient capture of a patient encounter is now in the highest class and architecture D may be the only defensible answer. The board-level artifact at layer two is the classification map alongside the architecture map. The auditor's question is whether the highest-class workloads run only on architectures that contain them, and whether the firm can demonstrate, with logs, not assertions, that no spill has occurred. The HHS guidance on the HIPAA Security Rule, the FFIEC handbook, and the NIST AI Risk Management Framework all converge on the same expectation: the buyer demonstrates fit between the workload sensitivity and the controls applied, and the demonstration is documented. Layer three, agent governance The third layer is where most mid-market programs stop being recognizable to the firm's existing GRC controls. The reason is simple: GRC was built for human users with named accounts. The first regulated AI workflows were augmentative, a clinician summarizes a note, a loan officer drafts an adverse action explanation, a fund accountant queries a ledger, and the human stayed in the loop with their named identity, their seat license, and their audit trail. The 2026 shift, which we have tracked in the governed action shift briefing and the agent control layer briefing, is that agents now take action, write records, dispatch messages, move funds, post to ledgers, and the human's role compresses to supervision rather than execution. The audit posture has to follow. Agent governance, as we define it for the layer-three artifact, has five required components. First, identity per agent, each agent in the firm's inventory has a distinct identity, not a shared service account, so that an audit can attribute every action to a single named actor whether the actor is a person or a process. Second, scoped permissions, the agent's identity carries the minimum-necessary scope for the workflow, expressed in a way the orchestration layer enforces at runtime rather than at design time. Third, a validator or judge layer, every consequential action passes through a separate model or rules engine that approves or rejects it before execution, producing its own log entry. Fourth, an audit log with five required fields for every action: actor identity, action taken, target resource, time, and outcome, populated automatically, not by application convention. Fifth, an escalation surface, a queue, dashboard, or workflow where actions the agent is uncertain about or that the validator has rejected are routed to a human for resolution, with the resolution itself logged. The twelve infrastructure pieces required to operationalize these five components are the subject of the agent infrastructure field guide. The point for this reference is that layer three is where the firm stops auditing the model and starts auditing the agent. The OWASP Agentic AI threat taxonomy and the CSA AI Controls Matrix both formalize the same expectation: agents are first-class actors, and the controls applied to them are at least as rigorous as the controls applied to a privileged human user. We agree, and in regulated contexts we go further, the agent's controls have to be richer than the human's, because the agent cannot be cross-examined and a regulator cannot subpoena a model's reasoning. The log has to do the work the deposition does for human users. Layer four, workforce supervision The fourth layer is the operator-side discipline. Layer three governs the agent. Layer four governs the people supervising the agent. The two are different problems and require different artifacts, and the most common failure we see at this layer is the assumption that layer three is enough because the technical controls are in place. The workforce supervision program a regulated mid-market firm needs has two components, both of which we have written about in field-guide form. The first is the four moments of supervision, defined in the agent supervision protocol for regulated operators, which establish that human supervision is not a single moment of approval but a set of four discrete checkpoints: at the time the agent is delegated a task, at the time the agent proposes a consequential action, at the time the agent escalates uncertainty, and at the time the agent's batch of work is reviewed for systemic issues. The second is the three-tier escalation discipline, junior operator escalates uncertainty to senior operator; senior operator escalates to the workflow owner; workflow owner escalates to the governance committee, with the escalations themselves becoming an audit artifact and a leading indicator of agent drift. Layered against the agent inventory, this becomes the trust architecture program described in trust architecture for regulated AI and reinforced by the field observations in the trust architecture briefing on frontier model instruction failures. Trust is not a property of the model; it is a property of the supervision posture around the model. A model that is trusted to draft a clinical note is not trusted to send it. A model that is trusted to summarize a loan file is not trusted to communicate adverse action. The supervision posture is what makes the trust gradient operational rather than aspirational, and it is what gives the firm something to point to when a regulator asks how the firm prevented a known-failure-mode action from being taken. The board-level artifact at layer four is the workforce supervision metrics dashboard, escalation rates by workflow, rejection rates by validator, time-to-resolution on agent-initiated escalations, and the trailing-quarter trend on each. The auditor's question is whether the firm can demonstrate that supervision is being exercised, not merely policy-stated. Numbers, not assurances. Layer five, procurement posture The fifth layer is the commercial structure. AI procurement in 2026 is not seat-based and is not behaving like seat-based SaaS. The shift we have written about in the agent-licensing meter briefing and the agent-licensing meter field guide is from a flat seat license, predictable per user per month, to a metered consumption model in which the firm pays per agent action, per token, per workflow run, per credit, or per some vendor-defined unit that the procurement team had no role in defining. The exposure compounds month over month and is unbudgeted in most mid-market firms we audit at the close of 2026. Layer five has three components. The first is the agent-licensing meter audit, the inventory of every meter the firm is currently on, the rate, the trailing-twelve-month consumption, and the projected exposure at current growth rates. We routinely find firms whose total metered AI exposure has grown by a factor of three to six in the last twelve months without a corresponding line item in the budget. The second is the fair-versus-rent-seeking meter screen, a structured evaluation that distinguishes meters that reflect real marginal cost to the vendor (token consumption, inference cost passthrough) from meters that reflect vendor pricing power and have no underlying cost basis (per-workflow-completed, per-record-touched, per-business-outcome). Both are legitimate vendor choices; both have very different procurement implications, and a firm without the screen is paying rent-seeking meters as if they were marginal-cost meters. The third is the multi-year contract structure that survives model substitution, language that anchors the firm's commercial terms to the workflow output rather than to the model identity, so that the vendor cannot substitute a more expensive model and pass through the cost increase without contractual notice. The board-level artifact at layer five is the agent-licensing exposure forecast, twelve and twenty-four month projections against actual budget, by meter, by vendor, with a sensitivity analysis showing exposure under a doubling of usage. The audit committee question is whether the firm understands its forward exposure to a class of cost that is growing faster than any other line item in the IT budget. The answer the firm wants to give is that exposure is bounded, contracted, and forecasted. The answer most firms have today is that exposure is none of those things. How the five layers compound, and what happens when one is skipped The layers compound because each one presumes the prior. The vendor BAA chain is the contractual surface against which all governance and supervision are exercised. The data residency and classification posture is the workload map against which agents are scoped. The agent governance is the runtime surface the workforce supervision program supervises. The workforce supervision program is the operating discipline that gives the procurement posture something concrete to be procuring against. The procurement posture is what keeps the program funded and contractually defensible through the next renewal cycle and the next regulatory examination. Skip layer one and the rest of the program is built on contracts the firm cannot enforce. The agent governance log has no contractual right to exist; the supervision program has no contractual right to demand vendor remediation; the procurement posture has no leverage at renewal because the existing contracts already gave away the firm's audit-rights position. Skip layer two and the firm builds expensive controls for low-sensitivity work and inadequate controls for high-sensitivity work simultaneously. The audit finding is overspending on the marketing workload while a clinical workload runs in an architecture that does not contain it. Skip layer three and the firm has a model with a clean contract that nobody can attribute actions to. The OCR letter or the FFIEC finding asks who took the action, when, against which record, with what scope, and the firm's answer is a shared service account and a log that does not list the agent's identity. The sabotage-risk pattern in HIPAA audit posture is the predictable consequence. Skip layer four and the firm has a governance log full of agent actions with no supervisory countersignature. The finding writes itself: the controls existed on paper, the operators were never trained to use them, and the agent took two thousand actions in a quarter that no human reviewed. Skip layer five and the program runs for two renewal cycles before the CFO defunds it. Most regulated AI programs we have seen wound down in the last twelve months were wound down at layer five, not because the technology failed, but because the metered cost surprised the budget and the firm had no procurement posture to fight the renewal from. The compounding is also what makes the order matter. A firm at layer three with no layer one is operating ungoverned. A firm at layer five with no layer three is procuring an undefended actor class. A firm that builds layer four before layer three has a supervision program with nothing to supervise. The order is layer one, then two, then three, then four, then five, and there is no shortcut that does not produce an artifact a regulator will mark. Cross-vertical translation, healthcare, fintech, property management, construction, nonprofit The five-layer stack is universal across regulated mid-market verticals. The artifacts are vertical-specific. Healthcare. The BAA chain is HIPAA-anchored and the request-path map names every component that touches PHI. Architecture D, on-device, has more applications here than in any other vertical, particularly for ambient clinical capture and behavioral-health intake. Agent governance has to satisfy §164.308, §164.312, and the meaningful-use audit-log expectations. Workforce supervision is the clinician-facing program and has to map against the firm's existing minimum-necessary policies. Procurement has to absorb the shift in EHR-adjacent vendors who have begun adding metered AI features to previously seat-licensed products. See the healthcare industry page and the behavioral health page for vertical-specific applications, and the regulated SaaS page for digital health platforms. Fintech and mid-market lenders. The DPA chain is the analogue of the BAA chain and the request path includes any model touching consumer financial data subject to GLBA, ECOA, the CFPB's UDAAP regime, or, for bank-partnership fintechs, the partner bank's third-party risk program. The bank-fintech partnership AI audit briefing walks the BAA-equivalent expectations a partner bank now imposes. Architecture choice is dominated by data residency requirements imposed by the partner bank, not by the fintech's own preference. Agent governance is fair-lending-anchored, see AI credit decisioning and fair lending for mid-market lenders, and the validator layer carries the disparate-impact monitoring the firm's compliance officer reports against §1002.9 of Regulation B. Workforce supervision is the loan officer and adverse-action communications discipline. Procurement is dominated by the metered cost of decisioning agents at the volume modern origination platforms generate. Property management. The request-path map names the property accounting platform, the resident communications platform, the maintenance dispatch agent, and any vendor adding agentic functionality to a previously seat-licensed product. The Yardi Virtuoso agents audit posture briefing is the canonical example of the vendor-side shift. Architecture is dominated by tenant data, payment data, and the trust accounting boundaries of the firm's state-level regulators. Agent governance has to interlock with trust accounting controls and the vendor compliance discipline for 1099 contractors. Workforce supervision is the property manager and accounting team. Procurement is in the middle of the most aggressive meter shift in the vertical-SaaS market and is the layer most mid-market property managers are under-prepared on. See the property management industry page. Construction. The request-path map is unusually long because construction estimating, scheduling, and document control platforms have integrated agentic features faster than most mid-market construction CIOs have adapted. The construction AI pilots field guide describes the data-hygiene prerequisite without which layers two and three are unbuildable. Architecture is dominated by project document sensitivity and the data-sharing posture across general contractors, subcontractors, and owners. Agent governance has to map to the change-order and RFI workflow accountability the project executive answers for. Workforce supervision is the project management office. Procurement is dominated by the bundled-meter pricing the major construction-tech vendors have adopted in the last twelve months. Nonprofit and development. The request-path map names every component that touches donor data, beneficiary data, and grant-restricted information. The Blackbaud development agent governance field guide is the vendor-specific reference; NIST AI RMF for nonprofits is the framework reference. Architecture is dominated by donor confidentiality, beneficiary protections, and the funder restrictions in grant agreements. Agent governance has to handle the dual-population accountability, donors and beneficiaries, that distinguishes nonprofit data from commercial data. Workforce supervision is the development office and the program staff. Procurement is dominated by mission-aligned discipline against the metered cost of fundraising agents. See the nonprofit industry page. A PE-portfolio operating company sits across the verticals, see the private equity industry page, and inherits the five-layer stack as a portfolio-level standard the sponsor enforces across operating companies. The 100-day post-close cyber integration playbook is the post-close artifact most sponsors are now using. The 6-to-9 month implementation sequence A regulated mid-market buyer building the stack from a standing start typically takes six to nine months. The sequence is layer-ordered. Months one and two are layer one and the beginning of layer two. The contract office runs the request-path map across every AI workflow currently in production or in pilot, identifies every component without a contractual link, and either remediates the contract, ejects the component, or escalates to the governance committee for an exception with a sunset. In parallel, the firm builds the data classification map and identifies which workloads are running on architectures that do not fit their class. Months three and four are the rest of layer two and the beginning of layer three. Workloads are migrated to the architecture appropriate for their data class, with on-device or self-hosted options selected for the highest-class workloads. Agent identity, scoped permissions, and the validator layer are designed against the agent inventory. The audit log schema is locked. Months five and six are the operational build-out of layer three and the beginning of layer four. The agent inventory is loaded with identities; the permission scopes are activated; the validator layer goes into shadow mode, then enforce mode. The supervision program is designed and the four moments of supervision and three-tier escalation are documented, with training delivered to the operator population. Months seven through nine are layer four operational maturity and layer five. The supervision metrics dashboard becomes the operating cadence. The agent-licensing meter audit is run, the fair-versus-rent-seeking screen is applied, the renewal calendar is anchored to the new contract structure, and the multi-year procurement strategy is presented to the audit committee alongside the exposure forecast. A program in production at month nine is presentable to a regulator, a board, an acquirer, and the firm's auditor. A program shorter than six months has compressed one of the layers, typically layer one or layer five, and the compression is visible to the auditor. A program longer than nine months is usually not a sequencing problem but a sponsorship problem, and the AI adoption playbook for regulated industries and the one-page AI governance policy are usually the artifacts the firm needs to recommit on. Mapping the stack to HIPAA, FFIEC, NIST AI RMF, and SOC 2 The five layers map cleanly to the frameworks the firm's audit committee is asked to report against, and the mapping is itself a board-level artifact. Against the HIPAA Security Rule, layer one corresponds to §164.308(b), business associate contracts and other arrangements. Layer two corresponds to §164.312(a)(1), access control, and §164.312(e)(1), transmission security, with the workload-to-architecture fit producing the technical safeguards documentation. Layer three corresponds to §164.312(b), audit controls, and §164.308(a)(1)(ii)(D), information system activity review. Layer four corresponds to §164.308(a)(5), security awareness and training, and §164.308(a)(3), workforce security. Layer five does not have a direct rule mapping but supports the §164.308(a)(8) evaluation requirement by giving the firm the commercial structure that survives a periodic evaluation. Against the FFIEC IT Examination Handbook and OCC guidance, layer one corresponds to the Outsourcing Technology Services booklet and the third-party risk management lifecycle. Layer two corresponds to the Information Security booklet and the data classification and protection expectations. Layer three corresponds to the audit and event-logging expectations in the Audit booklet and the Operations booklet. Layer four corresponds to the management and personnel expectations across the handbook. Layer five corresponds to the contract management expectations the OCC has explicitly elevated in its third-party risk guidance. Against the NIST AI Risk Management Framework, the five layers map across the Govern, Map, Measure, and Manage functions. Layer one is Govern. Layer two is Map. Layer three is Measure and Manage. Layer four is Govern and Manage at the operator population. Layer five is Govern and Manage at the commercial layer. The NIST RMF is the cleanest external taxonomy to communicate the stack against because it was written for exactly this question. Against SOC 2, the five layers map to the trust services criteria. Layer one supports CC9.2 (vendor and business partner management). Layer two supports CC6.1 (logical and physical access). Layer three supports CC7.2 (system monitoring) and CC7.3 (incident response). Layer four supports CC1.4 (commitment to competence) and CC2.2 (internal communication). Layer five supports CC9.1 (risk mitigation activities). A firm carrying a SOC 2 Type II that wants to extend the report to cover the firm's AI program has the mapping in hand the moment the five layers are built. The board-level artifact is a single page that shows the five layers down the left side and the four framework column headers across the top, with the section reference for each layer-framework intersection populated. We deliver this artifact in every Adopt-AI-Safely engagement, and it is the artifact regulators and auditors uniformly tell us is the most useful single document the firm can produce on AI compliance. What we recommend The five-layer audit is now a standing component of the Adopt-AI-Safely Diagnostic and is included in every engagement that begins through the Diagnostic intake. The audit produces the request-path map, the data classification and architecture map, the agent inventory with identity and scope, the supervision metrics dashboard, the agent-licensing exposure forecast, and the four-framework mapping page. The artifacts are designed to be presented directly to the audit committee, the board, an acquirer's diligence team, or an OCR, FFIEC, or SOC 2 auditor without modification. For a CIO, CISO, General Counsel, or Audit Committee Chair reading this in May 2026, the next ninety days are sequenceable. 1. Within thirty days, commission the request-path map for every AI workflow currently in production or in pilot, and identify every component on the path without a contractual link. The artifact does not require new tooling; it requires a half-day with engineering and a half-day with the contract office. 2. Within thirty days, surface the firm's agent inventory, every model, every agent, every metered AI feature embedded in a previously seat-licensed vendor, to the governance committee. If the inventory does not exist, building it is the first deliverable. 3. Within sixty days, classify the workloads against the firm's existing data classification policy and map each to the architecture appropriate for its class. Identify any workload running on an architecture that does not contain its data class and place it on a remediation calendar. 4. Within sixty days, design the agent governance artifacts, identity per agent, scoped permissions, validator layer, audit log schema, escalation surface, and put the validator layer into shadow mode for the highest-volume workflows. 5. Within ninety days, design and deliver workforce supervision training against the four moments of supervision and the three-tier escalation discipline, and stand up the supervision metrics dashboard. 6. Within ninety days, run the agent-licensing meter audit, apply the fair-versus-rent-seeking screen, and present the twelve and twenty-four month exposure forecast to the CFO and the audit committee. 7. Present the four-framework mapping page to the audit committee at the next regularly scheduled meeting, alongside the five-layer status report and the remediation calendar for any layer not yet in production. The buyer who builds the layers in order has a posture that survives the next regulatory cycle, the next model substitution, the next acquisition diligence, and the next audit. The buyer who builds them out of order rebuilds two layers next year. The order is layer one, then two, then three, then four, then five. The artifacts are listed above. The frameworks the artifacts satisfy are listed above. The audit committee report writes itself.