The Regulated Envelope

: Why Building AI Governance Must Account for the Regulatory Frameworks That Don’t Know It Exists

By James Waddell | President, Cognitive Corp | IFMA ITC Board Member

February 2026

The Decision Nobody Regulated

At 2:47 AM on a Tuesday, the HVAC optimization system in a biopharmaceutical campus makes a routine decision. It shifts chiller load from Building 7 to Building 12 to balance energy consumption across the campus. The decision saves $340 in energy costs over the next four hours.

Building 7 houses a cleanroom manufacturing line producing a biologic drug that will treat 40,000 patients this year. The temperature requirement is 20°C ±2°C. The humidity requirement is 45% ±5%. The chiller load shift causes a 1.8°C temperature excursion that lasts 23 minutes before the system self-corrects.

The batch in production during those 23 minutes must now be investigated under FDA guidelines. The investigation will take 6-8 weeks. If the batch fails, the cost is $12 million in lost product and a supply disruption affecting thousands of patients.

The AI made a correct energy optimization decision. But it made it inside a regulated envelope it didn’t know existed.

What Is the Regulated Envelope?

Every building exists inside one or more regulatory frameworks. Fire codes. Health and safety standards. Environmental regulations. Industry-specific compliance requirements. ADA. OSHA. And increasingly, AI-specific regulations like the EU AI Act.

These frameworks share a common assumption: a human made the decision. A human adjusted the thermostat. A human opened the security gates. A human managed the crowd flow. A human can explain what happened and why.

Autonomous building AI operates outside this assumption. It makes thousands of decisions per hour. It optimizes across systems that regulations treat as separate. It creates consequences that cross regulatory boundaries. And when regulators ask “who decided?” the answer is a model that may not be able to explain its reasoning in terms a regulator understands.

This is the regulated envelope problem: building AI making decisions inside regulatory frameworks that were never designed for autonomous systems.

Three Buildings, Three Regulated Envelopes

The Biotech Campus: FDA Doesn’t Know Your AI Exists

A major biopharmaceutical company is expanding its South San Francisco campus from 4.7 million to 9 million square feet under a $5 billion master plan. The expansion will double the number of buildings sharing utility infrastructure — chillers, power, water systems.

FDA regulates the manufacturing processes inside these buildings under 21 CFR Part 11. Every manufacturing system must be validated. Every decision must be traceable. Every deviation must be investigated.

But the building AI controlling the environment those processes depend on? The HVAC optimization that maintains cleanroom conditions? The energy management system that allocates chiller capacity across buildings? FDA doesn’t validate those. They exist in a regulatory gray zone — making decisions that directly impact GMP compliance without being subject to GMP governance.

As this campus doubles in size, every new building adds autonomous systems that share infrastructure with validated manufacturing environments. One building’s optimization can compromise another building’s compliance. The regulated envelope for manufacturing is clear. The regulated envelope for the building AI that supports manufacturing doesn’t exist.

The Entertainment Complex: Fire Code Meets Autonomous Crowd Flow

A 19,000-seat arena sits directly above one of the busiest transit hubs in the world — 1,200 trains and 600,000 passengers per day passing beneath it. The arena hosts 320 events annually, each requiring a 60-minute guest intake window through security checkpoints.

Autonomous systems manage crowd flow, HVAC (adjusting for 2,800 to 19,000 occupants), security checkpoint optimization, and lighting across the venue and adjacent theaters running simultaneous events.

NYC Fire Code governs egress capacity, stairwell widths, and emergency evacuation procedures. These regulations were written for human-operated buildings. They assume a fire marshal can override any system. They assume crowd movement follows predictable patterns based on posted signage and trained personnel.

But when an AI system optimizes security checkpoint throughput, it changes crowd distribution patterns in ways the fire code never anticipated. When HVAC adjusts for a sold-out event in the arena while a 2,800-person show runs next door, the thermal and air pressure dynamics between venues create conditions the fire suppression system wasn’t calibrated for.

The regulatory envelope for crowd safety is clear. The AI making decisions inside that envelope has no governance framework.

The Railroad: FRA Doesn’t Audit Your Movement Planner

A Class I railroad operates 28,000 miles of track across 22 states with an AI-powered Movement Planner that autonomously calculates routing, meet-pass plans, and crew positioning. Digital Train Inspection systems use computer vision to identify railcar defects at speed. Predictive maintenance models flag bearing failures hundreds of miles before they occur.

FRA regulates rail safety. PHMSA regulates hazardous materials movement. Together, they create one of the most stringent regulatory environments in transportation. Post-East Palestine, scrutiny has intensified.

But neither FRA nor PHMSA currently audits the AI governance behind autonomous dispatch decisions. The Movement Planner routes trains based on models that optimize for efficiency, not regulatory compliance transparency. If an autonomous routing decision contributes to a safety incident, the railroad cannot currently demonstrate to FRA that the AI system was governed — that there were human oversight points, that safety constraints were embedded, that the decision was explainable.

The regulatory envelope for rail safety is clear and stringent. The AI making operational decisions inside that envelope operates without formal governance.

Why Current Approaches Fail

Most building AI governance today falls into one of four categories, none of which adequately address the regulated envelope:

Compliance-focused approaches treat AI governance as a checkbox exercise — meeting minimum regulatory requirements without understanding how autonomous decisions interact with regulatory boundaries.

IT governance frameworks (COBIT, NIST) were designed for information systems, not physical building systems. They don’t account for the real-time, safety-critical nature of building operations.

Vendor self-governance lets the AI vendor define what “governed” means. But vendors optimize for feature adoption, not regulatory alignment. Their governance language (when it exists) describes capability levels, not compliance boundaries.

Post-hoc audit approaches wait for incidents and then investigate. By definition, they discover governance gaps only after consequences have occurred.

None of these approaches answer the fundamental question: when your building AI makes an autonomous decision inside a regulatory framework that doesn’t know the AI exists, who is accountable?

Five Governance Requirements for the Regulated Envelope

Effective governance for autonomous building AI operating inside regulated environments requires five capabilities:

1. Regulatory Mapping. Every autonomous system must be mapped to every regulatory framework it operates within. The HVAC AI in a biotech cleanroom operates inside FDA, OSHA, EPA, and local building code frameworks simultaneously. The crowd management AI in an arena operates inside fire code, ADA, security, and transit frameworks. The dispatch AI at a railroad operates inside FRA, PHMSA, and hours-of-service frameworks. Each regulatory boundary creates constraints that the AI must respect — and that governance must enforce.

2. Decision Explainability by Regulatory Context. When a regulator asks “why did this happen?” the answer must be in their language. FDA doesn’t want to see a machine learning confidence score. They want to see a deviation investigation trail. FRA doesn’t want a routing optimization report. They want to see safety constraint verification. The AI’s decision logic must be translatable into the regulatory vocabulary of every framework it operates within.

3. Cross-Regulatory Conflict Resolution. When optimization for one regulatory framework conflicts with compliance in another — energy efficiency vs. cleanroom temperature stability, crowd throughput vs. fire code egress capacity, dispatch efficiency vs. hours-of-service rules — governance must define which framework takes priority and how conflicts are escalated to human decision-makers.

4. Regulatory Boundary Monitoring. Continuous monitoring of autonomous decisions against regulatory boundaries, with automatic escalation when a decision approaches or crosses a compliance threshold. This is not post-hoc auditing. This is real-time governance that prevents violations before they occur.

5. Proactive Regulatory Engagement. The organizations that define governance frameworks before regulators require them shape the regulatory landscape rather than react to it. Proactive engagement with FRA, FDA, NIST, and local code authorities on how autonomous building systems should be governed positions the organization as an industry leader rather than a compliance target.

The Building Constitution Approach

The Building Constitution framework addresses the regulated envelope through three pillars:

Explainable AI (XAI): Every autonomous decision is logged with reasoning that maps to the regulatory framework(s) it operates within. When FDA asks about a temperature excursion, the audit trail shows the AI’s decision logic in GMP-compatible terms. When FRA asks about a routing decision, the audit trail shows safety constraint verification in FRA-compatible terms.

Human-in-the-Loop: Safety-critical decisions that cross regulatory boundaries are escalated to human decision-makers before execution. The AI recommends. The human approves. The governance framework defines which decisions require approval and which can proceed autonomously based on regulatory risk.

Bias Mitigation: Autonomous optimization that disproportionately impacts regulated outcomes — energy savings that compromise GMP compliance, efficiency gains that reduce safety margins, throughput optimization that disadvantages certain populations — is identified and corrected before deployment.

The Window Is Open. It Won’t Stay Open.

The EU AI Act takes effect for high-risk systems in August 2026. Building AI in critical infrastructure will likely be classified as high-risk. The compliance deadline for explainability, human oversight, and risk management is less than six months away for organizations operating in the EU.

In the US, the regulatory landscape is fragmented but accelerating. Colorado, California, and Texas have state-level AI acts. The federal AI LEAD Act is pending. Industry-specific regulators (FDA, FRA, FERC) are all exploring how to govern AI in their domains.

The organizations that build governance frameworks now will shape these standards. The organizations that wait will retrofit governance under regulatory pressure — at five times the cost and with zero competitive advantage.

The regulated envelope is catching up to your building AI. The question is not whether governance will be required. The question is whether you’ll be the one who defined it, or the one who scrambled to comply.

—

James Waddell is President of Cognitive Corp, an AI enablement company focused on governed autonomy for the built environment. He serves on the IFMA International Technology Council Board and has spent two decades at the intersection of buildings, technology, and organizational strategy.