Healthcare AI Policy Index Exposes Governance Fragmentation

June 8, 2026
Looking forward with intention: AI’s future is shaped by the choices we make in the present.

Mark Hait, Contributing Editor

The new Health & AI Policy Index from researchers at the Icahn School of Medicine at Mount Sinai offers a timely warning for healthcare leaders: artificial intelligence policy is growing rapidly, but not coherently enough to give hospitals a simple governance path.

The Health & AI Policy Index was created to track laws, regulations, standards, and policy guidance shaping artificial intelligence in healthcare. In a study published in npj Digital Medicine, researchers analyzed a January 2026 snapshot of 240 healthcare AI policies spanning 2016 through 2025. The finding was not that policy is absent. The finding was more operationally difficult: policy is everywhere, but fragmented across agencies, jurisdictions, standards bodies, and advisory frameworks.

That fragmentation matters because AI adoption inside hospitals is no longer theoretical. Health systems are using AI for imaging support, clinical decision support, documentation, triage, patient communication, revenue cycle work, operations, cybersecurity, and population health analytics. Each use case may fall under different expectations for safety, transparency, privacy, equity, validation, monitoring, and accountability.

The governance challenge is no longer whether healthcare AI needs oversight. The challenge is determining which oversight applies, who owns it internally, and how it is proven after deployment.

Policy Growth Does Not Equal Clarity

The expansion of healthcare AI policy reflects legitimate concern. AI tools can influence diagnosis, treatment planning, staffing, claims processing, documentation, and patient engagement. Poor implementation can introduce bias, automation error, unsafe recommendations, privacy exposure, and clinician overreliance.

Yet more policy does not automatically create clearer compliance. Health systems may need to account for federal guidance, state laws, medical device rules, privacy regulations, payer requirements, professional standards, procurement obligations, and internal ethics review. The result is a governance environment where responsibility can scatter across legal, compliance, clinical leadership, informatics, IT, data science, cybersecurity, and vendor management.

The Mount Sinai Health System study underscores the need for structured tracking because healthcare organizations cannot govern AI responsibly through informal awareness of headlines. A policy index can help leaders identify relevant requirements and trends, but it cannot replace enterprise decision-making.

Hospitals need an internal translation layer. That layer must convert policy signals into operational rules for intake, validation, monitoring, reporting, procurement, clinician training, and patient communication.

Clinical AI Requires Local Accountability

Regulators and standards organizations can define expectations, but patient-facing accountability ultimately lands inside the health system. If an AI tool produces an unsafe recommendation, fails in a specific population, degrades after deployment, or creates workflow confusion, the operational consequences occur at the bedside, in the chart, or in the patient message thread.

That makes local governance essential. AI oversight committees need authority, not just advisory status. They should review intended use, clinical risk, data provenance, model performance, bias testing, explainability, cybersecurity, vendor obligations, and post-deployment monitoring. High-risk tools should require stronger evidence and more frequent review than low-risk administrative tools.

The U.S. Food and Drug Administration has continued to develop policy around AI-enabled medical device software, especially where AI influences clinical diagnosis or treatment. But many healthcare AI tools do not fit neatly into regulated device categories. Some are operational. Some are documentation tools. Some support decision-making without claiming to make decisions.

Those gray zones are where health system governance becomes most important. Absence of a clear regulatory category should not be interpreted as absence of risk.

The Compliance Burden Will Fall Unevenly

Large academic medical centers may have AI governance boards, model evaluation teams, legal support, data scientists, and clinical informatics infrastructure. Community hospitals, physician groups, rural providers, and specialty practices may not.

This creates an uneven compliance environment. Sophisticated organizations may be able to interpret fragmented policy and build internal controls. Smaller organizations may depend heavily on vendor assurances, payer expectations, and professional guidance. That dependency can create risk if AI procurement moves faster than validation.

The National Institute of Standards and Technology provides a broad risk management structure through the AI Risk Management Framework, but frameworks still require local implementation. A hospital cannot claim responsible AI simply because a framework exists. It needs evidence that risks were mapped, measured, managed, and monitored for specific tools in specific workflows.

This is where health systems should avoid generic AI governance language. A chatbot for benefits navigation, an ambient documentation tool, an imaging algorithm, and a sepsis prediction model do not carry the same risks. Governance must operate at the use-case level.

Transparency Needs Practical Definition

Transparency is one of the most common healthcare AI policy themes, but it can mean several different things. Patients may need to know when AI is involved in care communication. Clinicians may need to understand model limitations. Compliance teams may need access to validation records. Procurement teams may need disclosure of training data sources, subcontractors, and performance claims. Regulators may need documentation showing how risks were managed.

A vague promise of transparency is not enough. Health systems need to define transparency by audience and workflow.

For clinicians, transparency should support safe use. That means clear labeling of AI output, confidence limits where appropriate, escalation criteria, and documentation of when human review is required. For patients, transparency should avoid technical overload while making clear how AI affects communication, triage, or decision support. For executives, transparency should mean measurable governance reporting, including tool inventory, risk tier, monitoring status, incident history, and owner accountability.

The Office of the National Coordinator for Health Information Technology has emphasized transparency and predictive decision support through health IT policy, including expectations tied to certified health IT. That direction reinforces a larger shift: AI tools embedded in clinical technology will increasingly need to be explainable, traceable, and monitorable.

Governance Must Include Vendor Discipline

Most healthcare organizations will not build every AI tool internally. Vendors will supply AI through EHRs, imaging platforms, revenue cycle systems, call centers, cybersecurity tools, patient engagement products, and analytics platforms. That makes vendor governance a core AI policy issue.

Contracts should address intended use, data rights, model updates, audit access, performance monitoring, incident notification, bias evaluation, cybersecurity controls, and responsibility when performance changes after deployment. AI tools that learn, update, or behave differently across settings require stronger oversight than static software.

Vendor claims should also be treated carefully. A tool described as “clinician supporting” may still influence decisions if it changes what information is surfaced, prioritized, summarized, or recommended. A tool labeled “administrative” may still affect access if it shapes scheduling, eligibility, claims, referrals, or patient communication.

The Coalition for Health AI has promoted best practices for trustworthy health AI, reflecting industry recognition that responsible deployment requires shared standards among developers, providers, and policymakers. But voluntary standards do not remove the need for health system due diligence.

AI Policy Is Becoming Board Relevant

Healthcare AI governance is no longer a technical subcommittee issue. Boards and executive teams should expect AI policy fragmentation to affect risk management, compliance, insurance, procurement, patient safety, workforce strategy, and reputation.

The financial implications are also real. AI tools may promise efficiency, but weak governance can create downstream costs through failed implementations, clinician distrust, legal exposure, remediation, biased outputs, patient complaints, or regulatory scrutiny. A health system that cannot identify where AI is deployed cannot credibly manage its risk.

Board-level reporting should include an enterprise AI inventory, risk tiering, high-risk tool approvals, monitoring outcomes, adverse event pathways, vendor exposure, regulatory changes, and unresolved governance gaps. The goal is not to slow responsible adoption. The goal is to prevent AI from entering clinical and operational workflows without ownership.

The Health & AI Policy Index is useful because it makes fragmentation visible. That visibility should push healthcare leaders toward stronger internal structure. Policy will continue evolving. State legislatures, federal agencies, international bodies, standards organizations, and professional groups will keep adding requirements and guidance.

Health systems cannot wait for a single unified framework. The practical work has to begin now: know which AI tools are in use, know which policies apply, assign accountability, measure performance, document oversight, and create a process for change as the policy landscape shifts.

Healthcare AI will not be governed safely by policy awareness alone. It will require operational discipline strong enough to turn fragmented external rules into consistent internal control.