Health Care's AI Governance Crisis: Why 63% of Hospitals Have No Safety Framework
Health care organizations are racing to deploy artificial intelligence across clinical and administrative workflows, but the vast majority lack the governance frameworks needed to manage the risks. AI adoption in the health care sector reached 85 percent by the end of 2024, with the industry adopting AI 2.2 times faster than the broader economy. Yet this rapid expansion has created a dangerous gap: 63 percent of organizations have no AI governance policies in place, and 40 percent of hospitals are dealing with "shadow AI" systems that operate without oversight.
The consequences are already visible. Patients are filing lawsuits over AI-powered ambient scribes that recorded their visits without consent. Pennsylvania became the first state to take enforcement action against an AI chatbot company after a system falsely claimed to be a licensed psychiatrist and provided a fabricated license number. In clinical documentation, AI models produce errors at meaningful rates, while clinicians often fail to catch them due to "automation bias," a cognitive tendency to over-trust automated systems.
What Are the Real-World Risks of Unmanaged AI in Hospitals?
The risks extend across multiple dimensions of patient care and organizational liability. Ambient documentation alone, a technology that automatically transcribes clinical conversations, commanded $600 million in spending in 2025. Meanwhile, 66 percent of physicians reported using health AI in 2024, a 78 percent increase from 2023. Yet only 29 percent of providers are even aware of their organization's main AI policies.
Real incidents illustrate the stakes. Putative class-action lawsuits now allege that health care providers illegally recorded patient visits using AI-powered ambient scribes without proper consent, asserting claims under state wiretap, invasion-of-privacy, and medical-confidentiality statutes. Statutory damages assessed per encounter mean exposure can scale quickly. The Pennsylvania enforcement action against Character.AI signals that states are actively using existing professional-licensing and consumer-protection laws to police AI conduct, even in the absence of comprehensive federal AI legislation.
The documented risks include hallucinations in AI-generated clinical notes, miscommunication to patients, clinician deskilling, privacy breaches, algorithmic bias, and data-security vulnerabilities. For organizations without governance infrastructure, the risk profile grows exponentially as AI use expands without corresponding oversight and clear communication to workforce members.
How to Build an AI Governance Framework for Health Care Organizations
- Establish Human-in-the-Loop Review: Implement mandatory clinician review of AI-generated outputs that impact patient care, particularly for clinical documentation and decision-support tools. This baseline control mitigates automation bias and catches errors before they reach patients.
- Develop Robust Consent Infrastructure: Create clear, transparent consent processes for patients whose visits may be recorded or analyzed by AI systems. Ensure all workforce members understand and communicate these policies to patients and families.
- Align with NIST and CHAI Standards: Use the National Institute of Standards and Technology (NIST) AI Risk Management Framework as an enterprise-wide governance foundation, then apply the Coalition for Health AI (CHAI) and Joint Commission playbooks to address clinical-workflow integration and health care-specific regulatory requirements.
- Map Regulatory Obligations: Audit existing federal and state laws that apply to AI use, including HIPAA (Health Insurance Portability and Accountability Act), Section 1557 of the Affordable Care Act, state wiretapping statutes, consumer-protection laws, and professional-licensing regulations.
- Assess Liability Exposure: Review emerging products-liability frameworks, including the federal AI LEAD Act and the Trump America AI Act discussion draft, which may treat health systems that develop or substantially customize AI tools as "developers" subject to heightened liability. Ensure vendor contracts appropriately allocate liability for AI-related claims.
What New Standards Are Changing Health Care AI Governance?
In September 2025, the Coalition for Health AI and The Joint Commission published joint guidance on the Responsible Use of AI in Healthcare (RUAIH), marking the first formal framework from a U.S. health care accreditation body designed to assist organizations with integrating AI safely and ethically. The RUAIH draws directly on the NIST AI Risk Management Framework, translating sector-neutral principles into health care-specific best practices.
The Joint Commission subsequently launched a voluntary RUAIH Certification program focused on organizational governance rather than individual AI products. Health care organizations obtaining certification would be able to provide documented, third-party-validated evidence of responsible AI practices that may be relevant in litigation, regulatory, or accreditation contexts. In May 2026, CHAI enhanced the RUAIH by releasing governance playbooks that translate RUAIH principles into actionable implementation steps with baseline controls tailored by organizational size.
The RUAIH framework builds on four core NIST risk-management principles: governance, risk mapping, measurement, and ongoing management. As industry norms consolidate around these standards, organizations without comparable frameworks may face heightened scrutiny from regulators, accreditors, and plaintiffs' attorneys.
How Is the Regulatory Landscape Shaping AI Governance Requirements?
Although no comprehensive federal AI legislation exists, health care organizations remain subject to a growing body of federal and state laws that apply to AI use. The Trump administration has prioritized AI dominance largely through deregulation, including executive orders removing bureaucratic constraints in January 2025, targeting state-law barriers in December 2025, and ordering the strengthening of critical infrastructure, specifically including rural hospitals, against AI-related cyber threats in June 2026.
However, state consumer-protection and licensing laws remain in place and may not be subject to preemption under draft legislation. Existing federal laws and regulations, including HIPAA and Section 1557 of the Affordable Care Act, remain in effect, creating a complex state and federal landscape.
At the federal level, the bipartisan AI LEAD Act (S. 2937), introduced in September 2025 by Senators Durbin and Hawley, would establish federal causes of action for design defects, failure to warn, and breach of express warranty against AI developers. The March 2026 Trump America AI Act discussion draft goes further, imposing a duty of care on AI developers to prevent foreseeable harm and establishing that deployers who "substantially modify" an AI system or "intentionally misuse" it may be treated as developers for liability purposes, with joint and several liability where both contribute to harm.
For academic medical centers and health systems that develop, fine-tune, or substantially customize AI tools for clinical use, these frameworks raise threshold questions about whether the organization may be considered a "developer" subject to heightened liability exposure. The Food and Drug Administration has authorized more than 1,400 AI-enabled medical devices as of March 2026, and its January 2026 Clinical Decision Support Software Guidance clarifies when software qualifies for exemption from device regulation.
Why Is Global Collaboration on AI Ethics Important?
Beyond the U.S. health care context, international efforts are advancing ethical AI governance frameworks. The 2nd Global Forum on the Ethics of Artificial Intelligence, held in February 2024 in Slovenia, brought together policy-makers, researchers, and industry leaders to discuss and address the ethical challenges posed by AI. One of the primary outcomes emphasized reinforcing national regulatory frameworks and institutions, with discussions highlighting the need for effective governance at the national level to ensure that AI technologies are developed and used ethically.
UNESCO adopted an ambitious global standard, the Recommendation on the Ethics of AI, in 2021, and has been spearheading its implementation by member states through innovative tools and methodologies, such as Readiness and Ethical Impact Assessments. Through the application of these tools, UNESCO is changing the business model that drives AI development and going beyond principles to develop concrete and practical solutions to ensure that AI outcomes are fair, inclusive, sustainable, and non-discriminatory.
The forum underscored the importance of global collaboration in implementing ethical AI practices. Digital ministers from various regions discussed the opportunities and challenges of promoting AI technologies globally, with parallel sessions dedicated to exploring specific aspects of AI ethics, including gender equality, environmental protection, transparency, and non-discrimination. UNESCO launched several initiatives, including the Global AI Ethics Observatory and the UNESCO AI Ethics Experts without Borders Network, to support member states in implementing ethical AI governance.
As health care organizations navigate this evolving landscape, the message is clear: governance frameworks are no longer optional. The combination of litigation, regulatory enforcement, accreditation standards, and emerging liability frameworks means that organizations without documented, third-party-validated AI governance practices face escalating legal and reputational risk. The NIST AI RMF, CHAI's RUAIH, and emerging federal and state regulations provide a roadmap, but implementation requires sustained commitment from legal, compliance, clinical, and operational leadership.