
Compliance-Native Analytics: How Microsoft Fabric + Purview Make AI Auditable for Regulated Industries
Why governance is the organizing idea, not a footnote. Reference architecture using Fabric, Purview, and sensitivity labels to deliver HIPAA, SOC 2, FedRAMP, and CMMC analytics that pass audit on day one.

In regulated industries, every analytics decision becomes a compliance decision. The right partner is not "the firm that can build a Fabric lakehouse" — it is "the firm that can build a Fabric lakehouse a HIPAA auditor will sign off on without a remediation plan." That distinction is the central spine of EPC Group's practice and the reason 11,000+ engagements have closed with zero governance audit failures.

This guide documents the compliance-native analytics reference architecture: a Microsoft Fabric medallion model (Bronze ingestion, Silver business rules, Gold dimensional) with Purview lineage tracking every transformation, sensitivity labels propagated from source systems through OneLake into Power BI semantic models, role-level security enforced by Entra ID groups (no manual workspace ACLs), customer-managed keys for PHI workloads, audit log retention at 10 years, and a control library mapped to HIPAA Security Rule §164.312, SOC 2 CC6/CC7, the FedRAMP Moderate baseline, and NIST 800-171 R2 / CMMC L2 controls. Every architectural decision is justified against a control. Every Power BI dataset has a documented data-element classification. Every Copilot prompt that touches PHI is logged. The output is a platform an auditor can walk through in two days, not two months.

EPC Group has shipped this pattern to 14 healthcare systems (4M+ patient records under management), 9 financial firms (SOC 2 Type II in 6 months from kickoff), 11 federal/state agencies (FedRAMP Moderate authorization on Azure Government), and 6 defense contractors (CMMC L2 certification). Compliance-native is not a marketing label — it is the architecture pattern. This is "AI with Guardrails" expressed in Microsoft technology.
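The "every architectural decision is justified against a control" idea above is most useful when it runs as a gate rather than living in a spreadsheet. The following is an added illustration, not EPC Group's code or tooling: a small checker that evaluates a constructed workspace inventory against the controls the paragraph names (group-only access, CMK for PHI, 10-year audit retention, documented classification, label propagation, RLS on PHI datasets). The record fields, the sample workspaces, and the specific HIPAA subsection references attached to each finding are the author's assumptions; a real deployment would populate these records from the Fabric and Power BI admin APIs and adjust the control references to its own control library.

```python
"""Hypothetical control-gate checker for a Fabric workspace inventory.

Added example; field names and the control references on each finding are
assumptions, not taken from any product API or from the original article.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (control reference, human-readable description)


@dataclass
class RoleAssignment:
    principal_type: str   # "Group" (Entra ID security group), "User", or "App"
    principal: str
    role: str             # Admin / Member / Contributor / Viewer


@dataclass
class Dataset:
    name: str
    classification: Optional[str]     # documented data-element classification, e.g. "PHI"
    sensitivity_label: Optional[str]  # label carried from the source through OneLake
    rls_roles: List[str] = field(default_factory=list)


@dataclass
class Workspace:
    name: str
    customer_managed_key: bool
    audit_retention_years: int
    assignments: List[RoleAssignment] = field(default_factory=list)
    datasets: List[Dataset] = field(default_factory=list)


def evaluate(ws: Workspace) -> List[Finding]:
    """Return one finding per failed control; an empty list means the workspace passes."""
    findings: List[Finding] = []

    # Access is granted only through Entra ID groups; a direct user ACL is drift.
    for a in ws.assignments:
        if a.principal_type == "User":
            findings.append(("HIPAA 164.312(a) / SOC 2 CC6",
                             f"{ws.name}: direct user ACL for {a.principal} ({a.role})"))

    phi_datasets = [d for d in ws.datasets if d.classification == "PHI"]

    # Any workspace holding PHI must be encrypted with a customer-managed key.
    if phi_datasets and not ws.customer_managed_key:
        findings.append(("HIPAA 164.312(a)(2)(iv)",
                         f"{ws.name}: PHI present but customer-managed key not enabled"))

    # Audit logs are retained for at least ten years.
    if ws.audit_retention_years < 10:
        findings.append(("HIPAA 164.312(b) / SOC 2 CC7",
                         f"{ws.name}: audit retention {ws.audit_retention_years}y is below 10y"))

    for d in ws.datasets:
        if d.classification is None:
            findings.append(("classification", f"{d.name}: no documented data-element classification"))
        if d.classification == "PHI":
            if d.sensitivity_label is None:
                findings.append(("labeling", f"{d.name}: PHI dataset without a sensitivity label"))
            if not d.rls_roles:
                findings.append(("HIPAA 164.312(a)", f"{d.name}: PHI dataset without row-level security roles"))
    return findings


def passes_audit(ws: Workspace) -> bool:
    return not evaluate(ws)


# Constructed sample inventory (not real workspaces).
COMPLIANT = Workspace(
    name="clinical-gold", customer_managed_key=True, audit_retention_years=10,
    assignments=[RoleAssignment("Group", "sg-clinical-analysts", "Viewer")],
    datasets=[Dataset("encounters", "PHI", "Highly Confidential - PHI", ["facility_rls"])],
)

DRIFTED = Workspace(
    name="claims-silver", customer_managed_key=False, audit_retention_years=7,
    assignments=[RoleAssignment("Group", "sg-claims", "Member"),
                 RoleAssignment("User", "contractor@example.com", "Admin")],
    datasets=[Dataset("claims", "PHI", None, []),
              Dataset("ref_codes", None, "General", [])],
)

if __name__ == "__main__":
    for ws in (COMPLIANT, DRIFTED):
        result = evaluate(ws)
        print(f"{ws.name}: {'PASS' if not result else 'FAIL'}")
        for control, msg in result:
            print(f"  [{control}] {msg}")
```

Run as a CI step over the exported inventory, the checker turns each control into a blocking finding with a reference an auditor can trace, which is the practical meaning of "passes audit on day one": the evidence is generated continuously rather than assembled before the visit.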
CEO & Chief AI Architect
Microsoft Press bestselling author with 29 years of enterprise consulting experience.