How AI Agent Workflow Automation Works in Regulated Industries, and Why Most Firms Get It Wrong

Leanware
Private AI Assistants for Teams (Secure LLMs)

Most RIA principals, MGA owners, and accounting firm partners already know which workflows they want to automate. An MGA underwriter spending 90 minutes on submission intake. A compliance team preparing audit packages from multiple systems. Advisory staff waiting for communication drafts to clear review. These are the workflows AI agent workflow automation is built for: repetitive, high-volume, and spread across multiple systems. 

The question that decides whether the project happens is simpler: when an AI tool processes client data, where does that data go?

Compliance teams ask this during vendor reviews, contract negotiations, and regulatory examinations. Many general-purpose AI tools process data through shared infrastructure, use third-party sub-processors, and may retain data under their standard terms. For regulated firms, those details matter.

Let's look at how AI workflow automation works in regulated industries and what to consider before using AI tools with client or policyholder data. 

The Compliance Objection That Kills Most AI Projects Before They Start

The process usually follows the same pattern. A firm identifies a workflow to automate, tests a general-purpose AI tool, and brings it to the compliance team for review. The first question is simple: Where does the data go during processing?

The answer often includes shared cloud infrastructure, third-party sub-processors, and data retention policies. Those details need to be reviewed before the tool can be approved for use.

This does not mean the AI tool is ineffective. It means its data handling may not match the firm's compliance requirements. For RIAs, CPA firms, and MGAs, that review is part of determining whether the tool is suitable for handling client or policyholder data.

What Happens to Your Data When a Generalist AI Tool Processes It

Most general-purpose AI tools process requests through shared infrastructure. Before using one with client data, compliance teams typically ask:

  • Is data retained after processing?
  • Is it used to train or improve the model?
  • Which sub-processors have access to the data?
  • Where is the data processed and stored?

For example, an MGA underwriter uploads an ACORD 125 to extract structured fields. The document contains business details, financial information, and loss history. Depending on the vendor's terms, that data may be retained or shared with third-party sub-processors. If the firm's carrier agreements include confidentiality requirements, the compliance team will need to determine whether the vendor's data handling meets those obligations.

Morrison Foerster's guidance for SEC-registered investment advisers notes that information entered into AI tools may be exposed to third parties, may affect attorney-client privilege in some situations, and requires firms to evaluate vendor data retention, cloud processing, and the limits of "zero-retention" settings. The same questions apply to MGAs and accounting firms using these tools.

What Auditors and Regulators Are Starting to Ask About AI Tool Use

Regulators are paying closer attention to how firms use AI, and the requirements are no longer prospective.

For RIAs, the SEC's Division of Examinations released its fiscal year 2026 Examination Priorities on November 17, 2025, and treats AI as a cross-cutting risk area. Examiners will look at whether a firm's AI-related disclosures, supervisory frameworks, and controls match its actual practices, alongside cybersecurity and vendor oversight. Separately, the 2024 amendments to Regulation S-P now apply to every SEC-registered adviser: larger entities had to comply by December 3, 2025, and smaller entities by June 3, 2026. The amended rule requires a written incident response program, customer breach notification within 30 days, and documented oversight of service providers that handle customer information, including due diligence and ongoing monitoring. The SEC has named Reg S-P compliance an examination focus for fiscal year 2026.

Regulators are also treating AI tools like any other business technology. If employees use AI in their work, it may be subject to the firm's supervision and recordkeeping requirements, even if the tool was never formally approved. That makes "shadow AI" a compliance concern.

For MGAs, the relevant framework runs through the carriers. The NAIC's Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023, has been adopted by 24 states and the District of Columbia, and four more states have issued their own AI regulations or guidance. The bulletin applies to insurers, and it expects them to oversee the third parties in their AI supply chain. For an MGA operating under delegated authority, that means carrier agreements and carrier audits will increasingly include questions about the MGA's AI use and data handling. The NAIC is also piloting an AI Systems Evaluation Tool with state regulators through September 2026, a structured framework examiners will use to review AI governance during examinations.

Requirements vary by industry and jurisdiction, so firms should review their obligations with compliance counsel. 

The Difference Between Shared AI Tools and Workflow Automation Built to Your Environment

The key compliance question is not which AI tool a firm uses. It is how client data is handled, who controls it, and whether the process can be audited.

General AI Tool

Custom Workflow Agent

Data is processed through the vendor's infrastructure.

Data moves through the firm's existing systems and integrations.

Data handling follows the vendor's policies.

Data handling follows the firm's workflow and approved integrations.

Compliance review covers the vendor's overall data practices.

Compliance review focuses on a defined workflow and data flow.

How AI Agent Workflow Automation Works When It's Built to Your Environment

A custom workflow agent connects to the systems a firm already uses. For an MGA, that might include the agency management system, email intake, and carrier portals. For an RIA, it could be the CRM, document management system, and compliance platform. For an accounting firm, it may include the practice management system, document management system, and client portal.

The agent reads data through managed integrations, completes its task, and writes the results back to those same systems. Most real workflows involve several of these steps chained together, which is what separates a workflow agent from a single-prompt tool (we cover how multi-step AI agents work in operations in a separate piece). The goal is to keep the data flow documented and auditable so the firm can clearly show where data was processed and where it was stored.

Private AI Assistants for Teams (Secure LLMs)

Why Off-the-Shelf AI Platforms Fall Short 

General-purpose automation platforms such as Lindy and Zapier Agents work well for simple, standardized workflows. They become harder to use when a workflow depends on firm-specific rules, custom integrations, or outputs that must match internal systems.

That is often the case in regulated industries. An MGA may need to follow carrier-specific underwriting rules, pull data from an agency management system, and return results in a format that supports compliance and auditing. Those requirements usually go beyond what a self-serve platform is designed to handle.

How Regulated Firms Use Custom AI Agents

The best use cases share a few characteristics: high-volume work, repetitive decision-making, multiple data sources, and a need for traceable outputs. 

Document Processing for Insurance MGAs 

Commercial insurance submissions often include ACORD forms, loss runs, and financial statements. Reviewing and entering that information can take significant time before underwriting begins.

A custom workflow agent can extract structured data, check submissions for missing information, and route completed files to the appropriate underwriter. We've written a detailed walkthrough of insurance submission triage that covers this workflow end to end. The extracted data is written back to the firm's agency management system, creating a documented record of the process.

Compliance and Audit Preparation

Preparing for audits often means collecting records from multiple systems and matching them to carrier or regulatory requirements.

A workflow agent gathers the required records, organizes them into an audit package, and links each item back to its source. Compliance staff review the completed package instead of building it from scratch. The reviewer still makes the final decision, while the system provides a documented record of the process.

Firms should review their regulatory obligations with their compliance or legal counsel.

Client Communication Drafting for RIAs 

RIA teams regularly prepare market updates, portfolio summaries, and responses to client questions. Those communications still need compliance review, but drafting them often takes more time than the review itself.

A custom workflow agent works inside the firm's CRM and document management system. It pulls approved information from the firm's records, drafts a communication, and sends it to the review queue. The draft stays in the firm's systems instead of a third-party conversation history, and reviewers can trace it back to its source documents.

Firms should verify the specific recordkeeping requirements applicable to their communications with their own counsel.

What the Build and Ongoing Management Actually Looks Like

A custom AI project starts by defining the workflow, identifying the compliance requirements, and deciding how the agent will fit into the firm's existing systems. At Leanware, this work is structured as two engagements: the AI ROI Assessment scopes the opportunity, and a Managed Custom AI Agents build delivers and operates it. 

Starting with the AI ROI Assessment

The AI ROI Assessment maps the workflow, measures the current process, identifies the relevant compliance requirements, and recommends a build scope with estimated ROI.

It also documents the data sources, required integrations, and audit requirements before development begins. Compliance teams and legal counsel can review that plan early instead of after the solution has already been designed.

Connecting to Existing Systems 

The agent only accesses the systems and data needed for the workflow. It reads information through managed integrations, completes its task, and writes the results back to the firm's existing systems.

Every action is logged, and the integration plan is reviewed before development begins. The goal is to keep the data flow documented and auditable without introducing another data storage layer.

The architecture supports compliance, but each firm should work with legal counsel to determine whether it meets its specific regulatory requirements.

Ongoing Management 

Compliance requirements, regulations, and business systems change over time. When they do, AI workflows may need updates.

Leanware's managed service includes prompt updates, integration maintenance, and system monitoring. Larger changes, such as new integrations or workflow redesigns, are handled as separate projects. For current service details, contact the Leanware team or visit the AI ROI Assessment page.

Build vs. Buy: Evaluating Your Options 

For regulated firms, choosing between a self-serve platform and a custom solution is not only about cost. It is also about whether the tool meets the firm's compliance requirements. If a vendor cannot clearly explain how it handles client data, the tool may not be suitable for regulated workflows. 

Questions to Ask Any AI Vendor 

Use the following questions as part of your vendor due diligence process. 

Private AI Assistants for Teams (Secure LLMs)

Where is data processed during a workflow run, and is that infrastructure dedicated to the firm or shared with other clients? The answer governs whether multi-tenant infrastructure concerns apply to the firm's regulatory obligations.

What is the vendor's data retention policy for inputs and outputs? Inputs retained beyond the processing session create potential conflicts with the firm's own data management and retention obligations.

Who are the vendor's sub-processors, and what data do those sub-processors access? Morrison Foerster advises investment advisers to confirm that vendor agreements include confidentiality provisions that protect uploaded information, including from use in model training. That scrutiny should extend down the full sub-processor chain, not stop at the primary vendor relationship, and it applies equally to MGA and accounting firm engagements.

What audit logging does the vendor provide, and in what format? The logging needs to be sufficient to produce a traceable chain of inputs for each output in the event of an exam request.

What is the data residency jurisdiction? For firms with state-specific data residency obligations, or whose clients are subject to jurisdiction-specific privacy requirements, the vendor needs to specify where data is stored at rest.

How does the firm retrieve its data and terminate the relationship? The firm needs a defined termination procedure with guaranteed data return written into the contract before signing.

What contractual representations does the vendor make about training on client data? The vendor's terms of service are not sufficient on their own. The firm needs a written representation in the vendor agreement that client data will not be used to train or improve the vendor's models.

These questions apply to any AI vendor the firm is evaluating. A vendor that cannot answer all of them clearly and in writing, including Leanware, should not be approved for use in a regulated workflow. 

Why Custom Workflow Agents Can Be Easier to Review 

A custom workflow agent defines the systems it connects to, the data it uses, and how information moves through the workflow. That gives compliance teams and legal counsel a specific implementation to review instead of evaluating a broad platform with standard terms.

The result is a documented integration plan, a defined data flow, and contractual terms that can be reviewed as part of the approval process.

The Next Step

For regulated firms, AI agent workflow automation starts with the workflow and its compliance requirements, not with the tool. Before choosing a vendor, understand how client data will be handled, where it will flow, and how the process will be documented.

The AI ROI Assessment helps map the workflow, identify compliance considerations, and define an implementation plan before development begins.

If you run an MGA, RIA, or accounting firm and want to explore AI workflow automation, schedule a 30-minute qualification call to discuss your workflow and whether it is a good fit for automation.

Frequently Asked Questions

Does the AI agent ever process our client or proprietary data on third-party servers we do not control?

The architecture is defined during the AI ROI Assessment. For regulated firms, the goal is to keep data flowing through the firm's existing systems using managed integrations. If third-party model providers are used, Leanware documents which providers are involved, what data they process, and the contractual protections in place. Firms should review those arrangements with their compliance and legal teams before implementation.

How is a custom AI agent different from adding Copilot or a similar AI assistant to our existing tools?

A general AI assistant like Microsoft Copilot adds AI capability across the firm's existing software environment, and its compliance review covers the full scope of data that the firm's Microsoft environment touches.

A custom workflow agent is built for a specific workflow, connecting to the exact systems that workflow uses and producing outputs in the format those systems require. The compliance review for the workflow agent covers a documented scope with defined data flows, rather than a horizontal tool's access to the firm's entire operational data environment. For a regulated firm, that difference is what makes the compliance review answerable in a reasonable timeframe.

What does the AI ROI Assessment cover, and how does it help a compliance-conscious firm evaluate automation?

The Assessment is a paid engagement that maps a specific workflow, measures the current operational baseline, identifies the compliance requirements that govern how an agent can operate in that context, and produces a recommended build scope with ROI projections.

For a compliance-conscious firm, the Assessment produces a documented rationale for the automation decision that the compliance officer, outside counsel, and any required reviewers can evaluate before the firm commits to a build. That documentation is independently useful regardless of whether a build follows. For current engagement terms, visit the AI ROI Assessment page or speak with the Leanware team directly.

How long does it take to go from Assessment to a working agent in production?

The Assessment produces the build recommendation, and the timeline from Assessment to production depends on the number of systems the agent integrates with, the complexity of the workflow logic, and the compliance review and change management steps the firm requires. All of those factors are scoped during the Assessment, which is why the Assessment runs before any build commitment is made.

What happens if a regulation changes or a carrier updates a data format after the agent is in production?

Leanware's managed-service model includes ongoing prompt refinement, integration updates, and system monitoring as part of the monthly engagement. If a compliance requirement changes or an upstream system changes its data format, the necessary adjustments to the agent are handled through the ongoing service.

Firms do not need internal engineering resources to maintain the system after launch. Larger changes, such as adding a new system integration or redesigning the workflow logic to cover a new line of business, are managed through scoped change orders.

Keep reading

All posts
Agentic Workflow Automation: Architecture and Use Cases
January 15, 2026 · 12 min read

Agentic Workflow Automation: Architecture and Use Cases

Learn what agentic workflow automation is, how it works, and when to use it. Explore architecture patterns, real-world use cases, costs and risks.

Workflow Automation Agentic AI Agent Orchestration
AI-Driven Process vs AI Workflow Automation
January 15, 2026 · 11 min read

AI-Driven Process vs AI Workflow Automation

Learn the real difference between AI-driven process and AI workflow automation. This in-depth guide explains when each approach truly.

Workflow Automation Agent Orchestration Insurance
When Enterprise Workflow Automation Outgrows the Platform
June 3, 2026 · 19 min read

When Enterprise Workflow Automation Outgrows the Platform

Lindy, Gumloop, and Zapier Agents solve the simple lane. Here is what breaks when your 3PL, MGA, or manufacturing workflow hits multi-system logic, unstructured inputs, and compliance requirements no template was built to handle.

Workflow Automation Insurance Logistics & 3PL
AI Agent Development Services | Complete Guide
May 4, 2026 · 13 min read

AI Agent Development Services | Complete Guide

Explore top AI agent development services. Learn key use cases, capabilities, implementation steps, and how businesses automate workflows with custom AI agents.

AI Agent Development Logistics & 3PL Workflow Automation
READY?

Stop managing operations. Let the system run them.

Show us the workflow that's eating your week. We will map it, show you what AI can automate, and tell you what we will run for you.

Tell us what you are trying to solve. We will map your workflows and show you exactly what AI can automate, and what we will run for you.