The State of Mid-Market AI Compliance, 2026 Securem Annual Report
Securem's inaugural annual report on mid-market AI compliance: eight structural patterns from 2025–2026 engagements across healthcare, fintech, property management, construction, and nonprofit. Citable reference.
Executive summary The mid-market AI compliance gap is wider than the public conversation suggests, and the gap is not the one the trade press is covering. The trade press is covering frontier safety, model evaluation benchmarks, and the federal AI policy debate. What the firm sees in regulated mid-market engagements is more prosaic and more dangerous: contracts that do not extend to every component on the AI request path, governance designed for human operators applied to non-human ones, procurement budgets sized for seats now metered by action, and an inventory of AI surfaces that no one in the organization can produce in writing. The frontier-vendor news cycle has crowded out the operational one. This report is an attempt to put the operational one back in front of the audit committee. Across roughly two hundred engagements in 2025 and 2026, and across healthcare, fintech, property management, construction, and nonprofit organizations between fifty and two thousand employees, eight structural patterns recur with enough consistency that the firm treats them as the canonical mid-market AI compliance gap. Each pattern is a category of finding the firm has documented across multiple, unrelated engagements. Each is named here once and indexed for reuse. The eight patterns are: 1. The vendor BAA chain that does not extend to the full request path. The model vendor's contract is in order. The orchestration vendor, the observability vendor, the retrieval index, and the agent middleware are not. Roughly four of every five engagements the firm runs surface this gap on the first request-path map. 2. The data residency posture that does not match the workload. Hosted endpoints carry regulated workloads they were never classified for, and on-device options that exist for regulated professions are not being procured because the procurement office has no SKU template for them. 3. The agent governance that does not exist. Non-human actors with tool access, write access, and credentialed identities are operating against regulated data with no validator gate, no audit log the regulator will accept, and no defined blast radius. This is the pattern with the steepest dollar consequences when it goes wrong. 4. Workforce supervision built for human operators. The supervision protocol, onboarding, separation of duties, expense controls, four-eyes review on irreversible actions, assumes a human on the other end of the keyboard. The agent is not a human. The protocol does not adapt automatically. 5. The agent licensing meter that rewrites every renewal. The shift from per-seat to per-action pricing is now consensus among the vertical SaaS incumbents and the horizontal hyperscalers. The CFO is not warned. The renewal is the warning. 6. Shadow AI and the inventory that does not exist. Tens of thousands of AI surfaces, chat instances, agent endpoints, retrieval indices, model gateways, are exposed to the open internet without authentication. The firm's own clients are not exempt from the population that appears in those scans. 7. The compliance frameworks racing to catch up. HIPAA Security Rule modernization, FFIEC AI examination guidance, NIST AI RMF adoption, OCC third-party risk extensions, FTC and CFPB enforcement, and a widening patchwork of state AG positions are reshaping the controls evidence the regulator will demand at the next examination cycle. 8. The procurement sequence that has inverted. The mature mid-market buyer no longer procures a model first and a governance layer afterward. The mature buyer procures a governed-action layer first and treats the model as a substitution. The capital follows the inversion. The single sentence that captures the year: the mid-market AI compliance posture is not failing for lack of intent, it is failing because the artifacts produced for the prior cycle of SaaS do not survive contact with non-human, metered, agentic, frontier-vendor request paths. The reference architecture the firm uses to address all eight patterns at once is published as the five-layer compliance stack for AI in mid-market regulated industries. The remainder of this report walks each pattern, names the artifacts the firm produces against it, links the underlying field guides and AI Watch briefings the practice has published in the last eighteen months, and ends with what the firm expects in 2027. Methodology and scope The report synthesizes the firm's engagement record across calendar 2025 and the first five months of calendar 2026. The underlying source material is the firm's case file: vCISO retainer notes, fixed-price written assessment deliverables, AI procurement reviews, M&A cyber and technology diligence reports, incident response and tabletop after-action reports, and the firm's own AI Watch briefing series. The firm does not publish proprietary client data, individual engagement findings, or identifying details. The patterns named in this report are categories of finding that have recurred across multiple, unrelated engagements with enough frequency that the firm treats them as structural. The firm's engagement profile is deliberately narrow. Securem serves regulated mid-market organizations in the United States, between roughly fifty and two thousand employees, in five primary verticals, healthcare, regulated software-as-a-service and fintech, property management, behavioral health, and nonprofit, with adjacent exposure to construction back-office, private equity portfolio company diligence, and professional services. The report does not generalize to enterprise organizations above ten thousand employees, to organizations outside the United States, or to non-regulated businesses. The patterns may rhyme outside that range; the firm does not claim they apply there. "Mid-market AI compliance" in scope means the operational, contractual, and supervisory work required to allow a regulated mid-market organization to use AI systems, model endpoints, agent platforms, vertical SaaS agents, embedded copilots, retrieval-augmented generation pipelines, autonomous workflows, against regulated data classes including protected health information, non-public personal financial information, donor and beneficiary records, tenant and trust funds, and other categories the relevant regulator polices. It does not include questions of AI model development, foundation model safety research, frontier alignment, or AI ethics in the abstract. The firm consumes that work; the firm does not produce it. The report draws on twenty-two AI Watch briefings the firm has published since the series launched and ninety-plus field guides covering the practice areas above. Where a pattern in this report has been written about in isolation, the relevant briefings and field guides are linked inline. The report itself does not duplicate the underlying field guides; it synthesizes across them and names what they have in common. A reader who wants the operational detail behind a pattern should follow the inline links. Pattern one: the vendor BAA chain that does not extend to the full request path The single most common compliance gap the firm surfaces in a first-pass AI procurement review is also the simplest to describe and the hardest to fix retroactively. The model vendor's Business Associate Agreement is in order. The procurement team negotiated it. The contract office has a copy. The audit committee has been told that the firm has "a BAA with the model vendor." The statement is accurate. It is also insufficient. The request path between the user's keystroke and the persisted response touches between four and eleven additional vendor components, an orchestration framework, an observability provider, a retrieval-augmented generation index, a vector store, a function-calling middleware, a feature-flagging layer, a session-state cache, an agent platform, an evaluation harness, a logging pipeline, a third-party tool the agent is permitted to call, and the contractual link on those components is absent, expired, or covers a different data class than the one actually flowing through it. The firm's audits across 2025 and 2026 surfaced this gap on the first request-path map in approximately four out of five engagements where the buyer self-reported a "complete" AI procurement posture. The pattern's modal shape is described in two AI Watch briefings the practice has published: the orchestration-vendor BAA gap and the middleware trap. The two together cover roughly seventy percent of the pattern by engagement count. A third briefing, the AWS Bedrock BAA scope for healthcare knowledge bases, covers a fourth: hyperscaler BAA scopes that include the model invocation but not necessarily the managed retrieval surface the engineering team is actually using. A fifth, the distilled-model BAA procurement question, covers the case where the buyer believes a model is one thing and the contract names another. The reason the pattern recurs is structural rather than negligent. The orchestration layer, the middleware, the observability vendor, and the evaluation harness are not procured by the contract office. They are adopted in a Tuesday afternoon engineering decision, often as free or low-cost tiers, often by an individual contributor with neither procurement authority nor visibility into the regulated data class moving through the component. By the time the contract office sees them, the production traffic has been flowing for months. The remediation is straightforward, produce a request-path map, identify the components, route them to procurement, and either secure the BAA or DPA or extract the data class, and uncomfortable. The defensible artifact is named and walked in the vendor BAA chain procurement field guide. The firm's posture is that the request-path map is the single most undervalued artifact in mid-market AI compliance. It is the artifact every other layer in the program presumes. Without it, the agent governance layer cannot enumerate the components it is governing; the workforce supervision layer cannot scope the surface it is supervising; the procurement layer cannot price the meter exposure; the incident response runbook cannot identify the components that touched the data class implicated in the incident. The firm produces the map in the first week of any AI engagement and treats the version-controlled map as the canonical reference for the program. The OCR enforcement actions the firm expects in 2027 will be triggered, in our judgment, by the absence of this artifact more than by any other single failure mode. The full reference for the healthcare instance of the request-path map is published as the HIPAA AI architecture reference implementation. Pattern two: the data residency posture that does not match the workload The second pattern is the failure of the firm's data residency and workload classification posture to keep pace with the procurement velocity of hosted AI endpoints. The practice observes three sub-patterns at engagement frequency. The first is the hosted commercial endpoint accepting regulated workloads it was never classified for: a marketing-team adoption of a general-purpose model that, six months in, has half a million sessions of customer support transcripts containing protected health information running through it. The second is the foreign-hosted model, most prominently the wave of DeepSeek-class procurement requests the firm fielded in Q1 2026, where the buyer asked whether the price-performance ratio could be made compliant for a regulated workload and the firm's answer was that it could not, on either residency or contractual grounds, for the data classes the buyer wanted to run through it. The third is the on-device shift for regulated professions, where the right answer is local inference on the practitioner's device and the procurement office has no template for buying it. The DeepSeek disqualification is, in the firm's view, the most instructive moment of the last eighteen months. The pattern was not that the model was deficient; the pattern was that the procurement office had no framework for declining a procurement on residency grounds when the engineering team had already validated the model on a benchmark and the CFO had already noted the per-token cost. The firm's recommended posture, a written, board-ratified data residency policy that names which data classes may be processed on which hosting topologies, is the artifact the firm produces in week two of every engagement where the pattern surfaces. The policy itself is short. The discipline of enforcing it across a fast-moving engineering organization is not. The on-device shift is the more strategically interesting half of the pattern and is covered in the on-device AI briefing for HIPAA-regulated professionals. The economics of local inference on consumer-grade hardware have crossed the threshold at which a behavioral health practitioner, a small medical practice, or a community lender can run a meaningful AI workload against regulated data without that data leaving the practitioner's machine. The compliance posture for the on-device shift is structurally cleaner than the hosted equivalent, there is no third-party data processor on the path, but it requires the procurement office, the IT department, and the compliance function to adopt a model they have spent twenty years moving away from. The firm expects the on-device infrastructure gap to close materially in 2027 as the regulated-vertical channel begins to package the offering as a SKU. A subordinate pattern within the residency category is the OpenAI zero-data-retention addendum mechanics, the operational reality that even the model vendor's strongest data-handling commitment requires procurement and contract-office mechanics that many mid-market buyers have not built. The firm's posture is that the residency layer is the second of the five layers for a reason: it presumes the request-path map of pattern one and it is presumed by every layer above. Pattern three: agent governance that does not exist The third pattern is the steepest in dollar consequence and the least well understood by the audit committee. The mid-market organization that has deployed agentic AI, agents that take tool calls, that read and write, that hold credentials, that operate on regulated data with persistence between sessions, has in most cases done so without any of the governance artifacts a regulator or a board will expect to see when something goes wrong. There is no validator gate between the agent's proposed action and the irreversible execution. There is no audit log structured in a way the regulator will accept. There is no defined blast radius for the agent's authority. There is no separation between the model that proposes the action and the policy that authorizes it. The firm calls the structural answer to all of this the trust architecture, and it is published in full as the trust architecture for regulated AI. The twelve-piece operational checklist is published as the agent infrastructure twelve pieces every regulated buyer needs. The canonical incident the firm references in client conversations is the agent blast-radius Terraform data loss event. The incident, a coding agent given write authority over an infrastructure-as-code repository, no validator gate, no human four-eyes on irreversible destructive operations, the consequent loss of production state, is not exotic. It is the predictable outcome of giving an agent a credential and a tool and treating the resulting configuration as if it were a developer with a laptop. The firm's experience across operations-adjacent engagements in 2025 and 2026 produced the agent supervision protocol for regulated operators, which is the workforce-side companion to the trust architecture. The protocol is summarized in pattern four. A second canonical reference is the matplotlib-class incident the firm has now seen in three variants across client engagements: a coding agent or notebook agent, given file system or shell access, that takes an action, installing an unintended dependency, modifying a file outside its working directory, executing a long-running operation, that no human operator would have authorized and no audit log captured in a form the security operations team could reconstruct. The firm's posture is that any agent with shell or file-system reach should be wrapped in code execution audit-trail discipline before the agent is permitted to operate against regulated data or production infrastructure. The agent-to-employee ratio in mid-market organizations the firm advises has, by mid-2026, crossed eighty-to-one in the most aggressive adopters. The ratio is computed informally, agent endpoints provisioned, including embedded copilots, vertical SaaS agents, internally built workflow agents, and the long tail of skill-marketplace agents discussed in pattern six, divided by full-time headcount. The eighty-two-to-one figure is not a benchmark the firm publishes as definitive. It is a directional observation that the population of non-human actors operating on the firm's data has, in the most AI-forward mid-market organizations, outnumbered the human workforce by nearly two orders of magnitude. The governance program built for the human workforce does not scale to that population by adding chapters to the employee handbook. The frontier vendors themselves now publish sabotage and scheming evaluations, Anthropic's sabotage risk reports released alongside its model cards, Apollo Research scheming evaluations, and adjacent work from peer labs, that the firm reads not as a frontier safety story but as a HIPAA audit posture story. The firm's posture is that if the model vendor itself documents the model's capacity for instruction failure, sabotage, or specification gaming in a published system card, the regulated buyer's audit posture must reflect that documentation. The trust architecture for frontier models and the agent control layer for the judge-validator architecture are the firm's reference patterns for closing the gap between what the model vendor admits and what the regulated buyer can defend. The firm's working definition of agent governance, refined across the 2025–2026 engagement record, has four components and the absence of any one of them is treated as a finding. The first component is a validator gate, a policy-as-code engine that sits between the agent's proposed action and the irreversible execution and that can deny, modify, or escalate the action according to a written policy. The second is an audit log structured for non-human actors, every proposed action, every authorized action, every denied action, every escalation, every tool call, every credential use, recorded in a form the regulator will accept as evidence and the security operations team can reconstruct against. The third is a defined blast radius, a written, contractual, and technical scoping of what the agent is permitted to read, write, modify, delete, spend, transmit, or escalate to a human, with the scope reviewed at least quarterly by a named owner. The fourth is a separation between the model that proposes the action and the policy that authorizes it, the judge-validator architecture in shorthand, so that a model update does not silently expand the agent's authority and a policy update does not require a model evaluation cycle. The four components are mutually reinforcing and individually insufficient. The firm's experience is that the buyer who has built two of the four believes they have built the program, and the gap between two and four is where the dollar consequences live. The procurement implication of pattern three, which connects forward to pattern eight, is that the four components are not features of the model vendor's offering and cannot be procured as part of the model contract. They are features of the governed-action layer and must be procured separately, contractually before the model is selected, and instrumented against every agent the firm deploys regardless of which model vendor's API the agent is calling. The firm treats this as the single most important procurement-sequence change the mid-market buyer can make in the 2026–2027 cycle. Pattern four: workforce supervision built for human operators The fourth pattern is the operator-side counterpart to pattern three. The supervision model the mid-market organization built across the prior decade, onboarding, separation of duties, expense controls, four-eyes review on irreversible actions, account provisioning and deprovisioning, periodic access reviews, the annual SOC 2 audit's user-administrative-action sample, was built on a single, unstated assumption: that the actor taking the action was a human with a named account, a manager, a chain of accountability, an HR file, and a credential that could be revoked by the IT helpdesk. The agent is not a human. The supervision protocol does not adapt automatically. The firm's agent supervision protocol for regulated operators is the published reference for the adaptation. The canonical reference the firm uses in client conversations is the agent blast-radius Terraform data loss event. The incident is useful as a teaching artifact because it is operationally simple, contractually clean from the model vendor's perspective, and catastrophic from the buyer's. The agent had a credential. The credential had write authority. The supervision protocol assumed a human at the other end of the credential. The supervision protocol was wrong. The remediation, credential scoping, validator gates on irreversible operations, four-eyes review on destructive operations, audit logging structured for non-human actors, is the same set of controls a senior site reliability engineering team would build for a human contractor with the same authority, applied to a different actor class. The firm's posture across regulated operations engagements is that the supervision protocol must be rewritten with the assumption that the actor class is heterogeneous: humans, agents, and the long-running automation that the firm's existing GRC framework typically buckets as "service accounts" but which now includes agentic actors with model-mediated decision authority. The rewrite is not a frontier safety exercise. It is a discipline of identity management, credential scoping, audit logging, and four-eyes review applied across an actor class the controls framework was not designed to police. The published shadow agent discovery and middleware spread audit is the firm's reference for the discovery half of the work: an organization that cannot enumerate its agent population cannot supervise it. The firm expects the workforce supervision pattern to be the entry point for the first wave of OCR and FFIEC enforcement findings against mid-market AI deployments in 2027. The reason is procedural: the audit log is the first artifact the examiner asks for, the absence of a workforce-grade audit log for non-human actors is the easiest finding to write, and the remediation is unambiguous. The buyer who has rewritten the supervision protocol in advance of the examination cycle will not have a clean finding. The buyer who has not, will. Three subordinate patterns within pattern four recur in the firm's engagement record and deserve naming here. The first is the deprovisioning gap, the agent that retains a credential past the project's end, the model API key embedded in a configuration file no one in the operations team owns, the orchestration credential cached in a CI/CD pipeline that survives the departure of the engineer who created it. The firm's posture is that the credential lifecycle for non-human actors must match the credential lifecycle for human ones, with named owners, periodic recertification, and automated revocation at the end of the actor's scoped purpose. The second is the four-eyes gap, the agent permitted to take an irreversible action with no human in the loop and no written justification for the absence of the human. The third is the periodic access review gap, the quarterly access review the SOC 2 audit samples against, which the firm in most engagements finds excludes the non-human actor population entirely. All three are administratively simple to remediate and all three persist past initial remediation in the absence of an ongoing owner. Pattern five: the agent licensing meter rewriting every renewal The fifth pattern is commercial rather than strictly compliance, but it shapes the compliance program because it determines what the CFO will fund. The shift from per-seat to per-action pricing, from a license that bills for a named user to a meter that bills for a token, a successful action, an agentic step, or a closed task, is now consensus among the vertical SaaS incumbents and the horizontal hyperscalers. Salesforce reported $800 million in Agentforce revenue in its most recent fiscal quarter and named agentic action as the dominant unit of growth on the earnings call. Microsoft's three-layer stack, Microsoft 365 Copilot, Copilot Studio for agent authoring, and the Frontier suite for the most capable models, is metered across all three layers, and the Microsoft Frontier suite pricing carries action-based meter components that the typical mid-market buyer's renewal budget was not built to absorb. Yardi Virtuoso, ServiceNow Now Assist, Workday Illuminate, and the vertical SaaS roster the firm sees across property management, healthcare, and back-office engagements are all moving the same direction. The pattern the firm sees on the buyer side is a renewal cycle in which the line item the CFO budgeted at the prior year's seat-license run rate now arrives with a meter component the procurement office cannot model. The agent licensing meter shift in vertical SaaS renewal audits names the operational shape of the pattern. The property management instance of the pattern in Yardi Virtuoso names the vertical variant. The agent licensing meter and vertical SaaS renewals for 2026 names the cross-vertical shape. The firm's posture in advance of any renewal cycle that the firm advises on is that the procurement office should model the meter in three scenarios, adoption flat from the prior year, adoption at the vendor's pro forma growth rate, and adoption at the actual run rate the firm observed in the trailing ninety days, and that the renewal should be signed against the run rate scenario with a contractual ceiling, not against the vendor's pro forma. The pattern the firm sees when the discipline is absent is a renewal that arrives twenty to forty percent above the budgeted line item and a CFO conversation in which the AI program is asked to justify the variance against business outcomes that the program was never asked to instrument. The compliance consequence is that the AI program loses the political capital to fund the governance work in patterns one through four. The meter is a compliance issue dressed as a procurement issue. The firm's recommended commercial posture is documented in the one-page AI governance policy a mid-market organization can defend, which includes the meter-modeling discipline as a named requirement. The board-level conversation about how the firm intends to fund the AI program in a metered world is the conversation the firm's chief financial officer should be having with the audit committee in advance of the renewal, not in response to it. Pattern six: shadow AI and the inventory that does not exist The sixth pattern is the most operationally inconvenient and the most regulator-attractive. The mid-market organization that has not deliberately published an AI inventory has, in the firm's experience, between four and twelve times the AI surface area the audit committee believes it has. Public scans by Censys, Snyk, and adjacent research firms have catalogued more than twenty-one thousand exposed AI instances, chat endpoints, agent platforms, retrieval indices, model gateways, evaluation harnesses, running on the open internet without authentication, many of them inside organizations the public would assume have a mature security program. The firm's own clients are not exempt from the population that appears in those scans, and the firm treats a shadow AI discovery audit as a near-mandatory week-one exercise on any new AI engagement. The published reference is the briefing on the 21,639 exposed instances across mid-market. The two subordinate patterns the firm sees with frequency are the agent skill marketplace credential exposure, agents downloaded from a third-party marketplace, granted credentials by an enthusiastic individual contributor, and forgotten in production with the credentials intact, and the shadow agent discovery and middleware spread audit, in which the agent population spreads through middleware adoption the contract office never authorized. The two together account for the substantial majority of the shadow agent population the firm finds in any mid-market discovery audit. Neither is the result of a malicious insider. Both are the result of an organization that adopted agentic AI before it adopted the inventory discipline to track it. The firm's defensible artifact is the AI inventory, version-controlled, owned by a named function, typically the chief information security officer or the vCISO the firm provides on retainer, and reviewed quarterly by the audit committee. The inventory is not glamorous. It is also the artifact every regulator the firm has interacted with in 2025 and 2026 has asked for first. The firm's posture is that the organization that cannot produce its AI inventory on demand has, in any practical regulatory sense, not begun the work. Adjacent to the shadow inventory pattern is a discovery sub-pattern the firm now systematizes in the intent-engineering briefing: the agent that does what it was asked to do, in a way the operator did not anticipate, because the prompt and the tool authority together produced a behavior the prompt author had not specified. Intent engineering is not a substitute for the validator gate of pattern three. It is the discipline of designing the agent's specification in a way that does not require the validator gate to catch every defect. Both are required. Neither, in the firm's experience, is consistently present. The firm's recommended discovery cadence for the mid-market buyer is a quarterly outside-in scan against the public attack surface, a quarterly internal enumeration against the identity provider's service-account population and the credential vault, and a quarterly review of the agent middleware spend in the engineering organization's monthly SaaS reconciliation. The three together typically surface between sixty and ninety percent of the agent population the firm finds in a first-pass discovery audit, and they are inexpensive to operationalize once the artifact owner is named. The remaining ten to forty percent is the long tail of skill-marketplace agents, free-tier middleware adoptions, and individual-contributor experiments that escape any structured enumeration and surface only through targeted interview work with the engineering and operations teams. The firm's posture is that the long tail is real and that the discovery program should be designed to surface most of it within a reasonable cadence, not to surface all of it in a single audit. Pattern seven: the compliance frameworks racing to catch up The seventh pattern is the regulatory landscape itself. The frameworks the mid-market regulated buyer's compliance program is built against, the HIPAA Security Rule, the FFIEC IT Examination Handbook, the NIST AI Risk Management Framework, the OCC Third-Party Risk Management guidance, the FDIC supervisory letters, the FTC AI guidance, the CFPB position on AI and fair lending, and the patchwork of state attorney general positions on agentic AI and consumer protection, are all moving in the same direction at different speeds. The firm's reading of the landscape is that 2027 is the inflection year for examination cycles that will materially test the AI compliance posture for the first time. The HIPAA Security Rule modernization, including the OCR's expanding interpretation of what constitutes a "system" subject to the Security Rule, has implications the firm now treats as governing for AI deployments in healthcare. The published reference for the architecture-side response is the HIPAA AI architecture reference implementation. The firm's posture is that the OCR enforcement actions the firm expects in 2026 and 2027 will be triggered by the absence of the request-path map of pattern one and the audit log of pattern four more than by any other single failure mode. The OCR's recent enforcement actions against HIPAA-covered entities have already shifted toward systemic findings, the absence of a risk analysis, the absence of an asset inventory, that will translate directly to AI deployments at the next examination cycle. In financial services, the FFIEC's expanding AI examination guidance and the OCC's third-party risk management updates have established the framework against which examiner findings in 2027 will be written. The published reference for the credit-decisioning instance is the firm's AI credit decisioning and fair lending guidance for mid-market lenders. The bank–fintech partnership AI audit addresses the partnership-bank pattern that the FFIEC and OCC have signaled will receive examiner attention. In the nonprofit sector, the NIST AI RMF adoption for nonprofits with donor and beneficiary data is the firm's reference for an organization that does not have a primary federal regulator but does have state-level donor privacy obligations and a board fiduciary duty that increasingly extends to AI governance. The state-level patchwork, donor privacy laws, biometric privacy statutes, consumer protection AG positions, and the emerging state attorney general positions on agentic AI consumer harm, is the most fragmented and the most likely to surface a first-mover enforcement action that resets the field. In healthcare specifically, the firm has tracked four cross-cutting developments that the audit committee should treat as governing for the 2026–2027 cycle: OCR's expanding interpretation of "system" under the Security Rule; the Office of the National Coordinator's information-blocking enforcement; the Centers for Medicare and Medicaid Services' positions on AI in clinical decision support; and state-level prescribing, telehealth, and behavioral health rules that interact with AI deployments in ways the federal framework does not yet anticipate. The published reference for the telehealth-adjacent posture is the telehealth compliance architecture for HIPAA and state prescribing. In financial services, the firm has tracked three cross-cutting developments: the FFIEC's expanding AI examination guidance referenced above; the OCC's third-party risk extensions, which the firm reads as functionally extending the bank's third-party risk obligation to the bank's AI vendors' AI vendors; and the CFPB's positions on AI-driven adverse action notices, fair lending, and consumer dispute handling, which together reshape the model documentation and explainability evidence the regulated lender must maintain. The bank–fintech partnership AI audit referenced above addresses the pattern most likely to receive examiner attention in the 2027 cycle, and the firm's view is that the partnership-bank pattern is where the first publicly disclosed FFIEC AI finding will surface. The firm's posture across the seven-pattern landscape is that the mid-market regulated buyer's compliance program should be built against the most demanding of the applicable frameworks and crosswalked to the others, rather than built against the least demanding and patched as each framework moves. The crosswalk is operationally cheaper. The most demanding framework, for the vertical the buyer operates in, is the one to build to. The firm produces the crosswalk as a deliverable in the first quarter of any vCISO retainer where the buyer operates across multiple regulatory regimes, a healthcare technology company subject to both HIPAA and state biometric privacy law, a regulated lender subject to both FFIEC examination and CFPB enforcement, a property management company subject to state trust accounting rules in multiple jurisdictions, and treats the crosswalk as the canonical reference for the program's evidence collection. Pattern eight: the procurement sequence that has inverted The eighth pattern is the strategic shift the firm now sees in mature mid-market buyers and the procurement sequence that defines it. Through 2024 and into 2025, the procurement sequence was: select a model, validate it, contract for it, then layer governance on top. By the second half of 2025 and across 2026, the procurement sequence has inverted. The mature buyer now procures a governed-action layer first, an agent control plane, a validator architecture, an audit-log substrate, a policy-as-code engine, and treats the model as a substitution. The firm's published reference for the inversion is the governed-action shift in Q2 2026 enterprise procurement. The capital is following the inversion. The firm's tracking of public venture and corporate capital allocation against the governed-action layer through Q2 2026 totals roughly $5.5 billion in disclosed funding rounds and corporate development activity into agent control, evaluation, observability, validator-gate architecture, and policy-as-code categories, a meaningful reallocation from the model-layer concentration of the prior eighteen months. The firm reads the reallocation as the market's recognition that the durable value in the AI stack accrues to the layer the buyer can substitute against, not to the layer that gets substituted. The model is the substitutable layer. The governed-action layer is the durable one. The implication for the mid-market buyer's procurement office is twofold. First, the procurement office should write the governed-action contract before it writes the model contract. The model contract is the easier negotiation; the governed-action contract carries the audit-log substrate, the validator-gate architecture, the policy-as-code engine, and the artifacts pattern three of this report depends on. Second, the procurement office should preserve substitution authority on the model layer in the master services agreement. The model the buyer selects in May of 2026 is not the model the buyer will run in May of 2027. The contract that locks the buyer to a model is the contract the firm will be asked to renegotiate at the next renewal cycle. The firm's posture is that the inversion is permanent. The patterns of the prior cycle, the seat-licensed SaaS contract, the model-first procurement sequence, the governance-as-overlay posture, were artifacts of an actor class (the human user) and a unit of consumption (the seat) that no longer describe the AI request path. The mid-market buyer who has not yet inverted the sequence has time to do so in the 2026–2027 procurement cycle. The buyer who waits past the 2027 cycle will, in the firm's judgment, be renegotiating two contracts under examination pressure that could have been negotiated cleanly under planning pressure. What we expect in 2027 The firm's expectations for 2027 are organized against the eight patterns and are offered as planning inputs rather than as forecasts. The firm has been wrong about the pace of regulatory action in prior cycles and will be wrong about elements of the 2027 cycle as well. On enforcement. The firm expects the OCR to bring its first publicly disclosed enforcement action against a HIPAA-covered entity for an AI-deployment-specific failure in 2027, most likely against an organization in the middle of a broader breach investigation where the AI deployment is identified as a contributing factor rather than the headline. The firm expects the FFIEC examination cycle to begin producing examiner findings against AI governance posture in 2027 examination letters, with the absence of a workforce-grade audit log for non-human actors as the most likely finding category. The firm expects the FTC and at least one state attorney general to bring a consumer-protection action that names agentic AI as a contributing factor in 2027. On the on-device shift. The firm expects the on-device infrastructure gap of pattern two to close materially in 2027 as the regulated-vertical channel packages local inference as a SKU. The firm expects the first credible mid-market vCISO offering with an on-device AI procurement template to be in market by mid-2027. On the agent control layer. The firm expects the agent control layer, judge-validator architecture, policy-as-code engine, agent audit-log substrate, to become standard mid-market procurement by end of 2027, with the leading agent control platforms reaching the procurement-template stage in vertical SaaS. The firm expects the agent control layer judge-validator architecture briefing to be the firm's most-referenced briefing of 2026 and to remain so through 2027. On the procurement inversion. The firm expects the inversion of pattern eight to become majority practice among mid-market regulated buyers by the end of 2027, with the seat-licensed model-first procurement sequence becoming the minority pattern. The firm expects the capital reallocation against the governed-action layer to continue at or above the 2026 pace. On the meter. The firm expects the per-action meter of pattern five to become the dominant pricing structure across vertical SaaS by mid-2027, with the per-seat license persisting as a floor component rather than a sole pricing structure. The firm expects the first publicly disclosed mid-market buyer renewal dispute over agentic meter overage to surface in 2027. On frontier capability. The firm makes no prediction on the frontier capability curve and treats predictions about it as outside the firm's domain. The firm's posture is that whatever the frontier does in 2027, the eight patterns in this report describe the mid-market regulated buyer's defensible response, and the response is not capability-curve-dependent. On the firm's own publication cadence. The firm expects to publish between four and six AI Watch briefings per quarter through 2027, the second annual report in May of 2027, and updates to the underlying field guides as the eight patterns evolve. The firm expects the pattern numbering to remain stable. New patterns will be added; existing patterns will not be renumbered. How to use this report The report is intended as a citable reference. The firm asks that readers who reference the patterns by number do so against the numbering in this edition and treat the numbering as stable across subsequent annual reports. Subsequent reports will add patterns, not renumber them. The report is appropriate to share with board members, audit committee chairs, general counsel, chief compliance officers, chief information security officers, chief information officers, chief technology officers, chief financial officers, and senior procurement leadership. The firm has designed the executive summary as a single-page board read; the body sections are designed to be excerpted into board memos under each pattern's heading. The firm grants permission for the report to be reproduced in board materials with attribution. The patterns themselves are not proprietary; the synthesis is the firm's view. A PDF edition of the report, formatted for board distribution and offline reference, will be published as a downloadable artifact from this page. The PDF will carry the same pagination across editions, with the eight patterns occupying the same numbered sections in subsequent annual editions, so that a board memo referencing "pattern three in the 2026 Securem report" remains valid when the 2027 edition is published. For readers evaluating where the firm can assist directly: the firm's vCISO retainer is the engagement model for ongoing pattern-by-pattern remediation; the firm's AI advisory practice is the engagement model for procurement reviews, request-path mapping, and the governed-action layer architecture of pattern eight; the firm's M&A diligence practice is the engagement model for diligence reads against the eight patterns in acquisition contexts; and the firm's twenty-one day diagnostic is the entry point for an organization that wants a written assessment of its posture against the eight patterns before committing to a longer retainer. Methodology appendix The report draws on the firm's engagement record across calendar 2025 and the first five months of calendar 2026, supplemented by published research and regulatory guidance from the sources named below. The firm does not claim that the patterns described are exhaustive; the firm claims that they are the eight patterns that recurred with sufficient frequency across the firm's engagement record to be treated as structural. Regulatory and government sources cited or relied upon. U.S. Department of Health and Human Services and the HIPAA Security Rule; the Office for Civil Rights enforcement record; the Federal Financial Institutions Examination Council; the Office of the Comptroller of the Currency; the Federal Deposit Insurance Corporation; the Federal Trade Commission; the Consumer Financial Protection Bureau; the National Institute of Standards and Technology AI Risk Management Framework; state attorneys general publications on agentic AI and consumer protection; state donor privacy and biometric privacy statutes referenced through the firm's nonprofit practice. Frontier vendor and platform sources. Anthropic sabotage and scheming reports published alongside Claude system cards; OpenAI published model documentation and zero-data-retention addendum mechanics; Amazon Web Services Bedrock BAA scopes for healthcare; Microsoft Frontier suite and Copilot Studio pricing documentation; Salesforce Agentforce earnings disclosures; vertical SaaS pricing disclosures across Yardi, ServiceNow, Workday, and adjacent platforms in property management and back-office software referenced through the firm's practice. Independent research sources. Apollo Research scheming and capability evaluations; Censys exposed-instance scans; Snyk and Reco shadow AI inventory research; Galileo agent evaluation research; Cisco and Palo Alto Networks AI-traffic and shadow-inventory research; adjacent published research from security firms named in the underlying AI Watch briefings linked throughout this report. Securem engagement base. Approximately two hundred engagements across vCISO retainer, fixed-price written assessments, AI procurement reviews, M&A cyber and technology diligence, and incident response and tabletop exercises in calendar 2025 and the first five months of calendar 2026, weighted toward healthcare, regulated software-as-a-service and fintech, property management, behavioral health, and nonprofit organizations between fifty and two thousand employees, headquartered and operating in the United States. Limitations. The firm's engagement base is concentrated in the U.S. mid-market regulated segment and does not generalize to enterprise organizations above ten thousand employees, to organizations operating outside the United States, or to non-regulated businesses. The patterns may rhyme outside that segment; the firm does not claim they apply there. The firm's view of regulator behavior is informed by publicly available enforcement actions and examiner guidance and by the firm's experience advising buyers through examination cycles; the firm does not claim insider knowledge of regulator priorities, internal enforcement queues, or pending actions. The firm's forecasts for 2027 are planning inputs and should be treated as such. The firm has been wrong about prior cycles and will be wrong about elements of the 2027 cycle as well. The patterns in this report are the firm's view as of May 2026. The numbering is stable. The synthesis will be updated annually.