AI integration in regulated industries: what changes the budget.

HR, healthcare, legal, and finance AI builds cost meaningfully more than the same scope in an unregulated SaaS, for specific structural reasons. The seven cost multipliers, the contract clauses that matter, and how to scope an AI integration that actually ships compliantly.

European and US founders building AI features into regulated SaaS have two questions when they get a quote: why is this more expensive than the LinkedIn case study they read, and what specifically am I paying for. This post answers both.

The base case for an AI integration in 2026, covered in a separate post, is €25K-€80K with a typical band of €25K-€55K for RAG over a clean corpus. That number assumes no special data handling, no audit obligations, no deletion guarantees, and no model attribution requirements. As soon as any of those become hard requirements, the band moves.

What actually kills the engagement.

Before the cost conversation, before the timeline conversation, there is one document that decides whether a regulated AI build can ship at all: the contract chain between you, your build vendor, and the underlying model provider.

If the model provider does not sign a Business Associate Agreement (in healthcare) or a Data Processing Agreement that lets your data sit under your jurisdiction's protection (in finance, HR, and most EU contexts), the engagement is dead before scoping starts. If the build vendor is routing prompts through a default-tier API and assures you the data is not used for training, the assurance is at the wrong layer. The no-training contract lives on the model provider's enterprise tier; you need that tier in writing, or you do not have the contract.

This is the question that surfaces in week two of a build that did not have its compliance review front-loaded, and it kills the project. I tell clients to handle it before the SOW is signed, not after. The cost conversation below assumes the contract chain is intact; if it is not, the cost conversation is moot.

What you are actually paying extra for.

The same AI integration scope that runs €25K to €55K in an unregulated SaaS lands €15K to €60K higher in a regulated one. The uplift is not vendor markup. It is real engineering work plus real legal work, and most of the engineering happens around things that are invisible in a demo.

The biggest line item is audit logging. Every prompt, every retrieval result, every model call, every user-facing output, stored tamper-evident, retained for the regulator's window (often seven years). The infrastructure is straightforward; the discipline of capturing it on every code path including the ones added in week ten is where teams skip and pay later.

The second biggest is data residency and deletion. EU personal data must stay in EU; PHI usually must stay in-country. That means per-region inference endpoints, regional vector stores, region-aware routing. Deletion rights under GDPR Article 17 propagate not only to the database but to vector stores, retrieval caches, and any embedded fine-tunes. Most teams remember the database and forget the cache, and the cache is what the regulator looks for.

Then there is explainability and bias testing, which apply almost everywhere a model informs a decision about a person, money, or care. Why did the AI say this; what confidence; what sources. Disparate impact measurement, with a documented test set the regulator can review. The EU AI Act's high-risk obligations phase in through 2026 and 2027 for hiring, lending, and other categories; if your AI is in any of those, this work is non-negotiable by next year.

Everything else (the timeline uplift from internal and external compliance review, the BAA premium charged by the model provider, the slightly larger scoping window) is real but smaller. The three above are where the money goes.

The industries in one paragraph.

Healthcare is the most expensive band because PHI handling pulls inference logs, prompt history, and cached output into HIPAA scope, and some use cases trigger FDA software-as-medical-device review which is a different conversation entirely. Legal and insurance sit just below; privilege rules mean privileged data through a third-party LLM without a no-training contract carries real exposure in most jurisdictions, and model output disclaimers plus human-in-the-loop are mandatory in most US states. Finance follows; audit logging is non-negotiable, explainability is required for any AI that informs financial decisions, and PCI scope creeps fast if AI prompts touch card data even briefly. HR is the lowest band of the four; personal data is the default but the EU AI Act's hiring-AI obligations are still phasing in, and most of the cost is data deletion machinery and bias documentation for regulator review.

The contract things to actually negotiate.

Most of the contract work for a regulated AI build is procedural. Annual right to audit, SOC 2 Type II on request, BAA with the right-to-audit clause for healthcare; these go in the standard template, your counsel asks for them, the build vendor's counsel agrees. They are the floor.

The one that matters most, and that gets dropped most often, is breach indemnification that explicitly includes regulator fines. Standard carveouts exclude "GDPR fines" or "regulator fines" by default; without that explicit inclusion, capped at whatever the parties agree is reasonable, the entire downside of a vendor breach lands on you. I have seen a client absorb a six-figure cost on this exact carve-out, in a contract their counsel reviewed twice and signed because nobody flagged that line. Push for it; cap is fine, exclusion is not.

Subprocessor notification is its sibling. Without a clause that obligates the build vendor to tell you before they swap the underlying LLM provider, they can break your compliance posture mid-engagement and you find out at audit. Standard DPA language; the build vendor should not push back.

The remaining two are audit log access (you should be able to pull the logs yourself for a regulator investigation, on demand, not on the build vendor's schedule) and the no-training clause being on the correct model-provider tier rather than just being claimed. Verify the tier name, not the assurance. Both of these get sloppy in default contracts.

How to scope a regulated AI build.

Two moves keep a regulated AI integration on time and on budget.

One, front-load compliance review. Schedule the internal counsel and external regulator-track counsel to review the SOW BEFORE engineering starts. Most teams discover compliance requirements during week 8 of a 12 week build, which collapses the timeline. The compliance findings should shape the architecture, not retrofit into it.

Two, separate the regulated path from the convenience path. If 80 percent of users are not in a regulated category and 20 percent are, build two paths from day one: a regulated path with full audit, deletion, and attribution machinery, and a default path that does not pay those costs. Most teams build everything to the regulated bar by default and pay the cost on every user, which is structurally wrong.

For the studio's perspective on what the price actually buys, see the unregulated band post. Regulated builds add a 15-60% multiplier on top of those numbers depending on the industry, with healthcare at the top end and HR at the bottom.