Field Notes · AI and Data · 2026-05-20 · Six minutes read · By Rodrigue Fouafou

How regulated organizations should approach AI adoption

The most expensive thing a regulated buyer can do with AI is start before they have decided what "governed AI" means for them. Here is the order we run it in, the artifacts each phase produces, and the question we ask before we accept the mandate.

The wrong way to start

Most regulated organizations start AI the same way: a board hears that a peer institution shipped something impressive, an internal champion volunteers, a vendor demo lands well, and someone signs a statement of work that promises a working pilot in 90 days. Sixty days in, the team realizes they cannot answer two questions: where the data lives during inference, and who signs off on a model that gets a decision wrong. By day 80, the procurement officer is asking for evaluation reports that nobody owns. By day 100, the pilot is paused.

We have walked into that room more than once. The cleanup is more expensive than doing it in order from the start.

The order we run it in

Wouessi runs every AI engagement in regulated industries through the same five phases. Each is sized to the scope, but the shape does not change.

Phase 1, Diagnose (two weeks)

We do not write a single line of code. We interview the people who will live with the system: the operator who will use it daily, the auditor who will review it quarterly, the executive who will be asked about it at a board meeting. We map the workflow as it actually runs today, not the workflow the diagram on someone's slide shows. We name the decisions the model would make and the consequence of each one being wrong.

Artifact: a written interview log, a current-state workflow diagram, and a one-page list of the decisions the AI would be allowed to make, with the cost of each one going wrong.

Phase 2, Govern (two weeks)

Before the model exists, the governance does. We write the policy: which decisions require human review, which model the system is allowed to call, what the data residency boundary is, what happens when the model refuses. We map to NIST AI RMF in the US, AIDA in Canada, ISO/IEC 42001 internationally. The output is a document your audit committee can read. If the document is uncomfortable, we say so before we accept the build.

Artifact: a 4–8 page Responsible AI policy specific to this system, plus the controls inventory and the model card template.

Phase 3, Build (six to twelve weeks)

Now we ship. RAG, agents, evaluation harnesses, the replayable decision log built in from the first commit. We are using the same patterns we have shipped in Canadian banks, federal departments, and provincial health systems, not patterns we read about. The model is hosted in the customer's perimeter by default. Self-hosted is the default, not the upgrade.

Artifact: a running system with an evaluation harness, a model registry, a decision-log query interface, and a runbook your team can operate.

Phase 4, Evaluate (two weeks, then ongoing)

The team you trained in Phase 1 runs the evaluation. We ship a set of golden examples and red-team prompts. The team grades them. We compare against the policy from Phase 2. Where the model fails, we fix or we refuse. Refusal-tuned agents are worth more than agents that hallucinate confidently.

Artifact: the first evaluation report (and the template for the next twelve), plus a recorded red-team exercise.

Phase 5, Compound (ongoing)

Quarterly reviews. New evaluations. A drift-monitoring dashboard. The decision log gets queried by a real auditor at least once. The system that survives this becomes part of how the organization works.

Artifact: a quarterly evaluation cadence and a hand-back package your team can run without us.

The question we ask before we accept

If the answer to "can your team operate this six months after we leave" is no, we do not take the mandate. The whole point of regulated AI is that the organization can defend its own work. A consultant-shaped system that depends on the consultant is worse than no system at all.

What this is not

This is not the fastest way to ship a working AI prototype. If the only goal is a demo for a board meeting, the right answer is one weekend with three engineers and OpenAI's API. Use that to learn what the system needs to do. Then run the five phases above before you call anything production.

If you are at the start of this and the order is unclear, the next useful conversation is twenty minutes long. We will not sell you a phase you do not need.

---

About the author. Rodrigue is the founder and CEO of Wouessi. He sits in every standup, signs every scope, and stays accountable from kickoff to handover.