
AI Governance That Doesn’t Suck: Operationalizing Guardrails in Clinical Tech

May 1, 2025
Image: ID 354316818 © Retrosesos | Dreamstime.com

Mark Hait, Contributing Editor

“Responsible AI” is now the default tagline for every healthcare vendor with a model, a dashboard, or an ambient companion. But behind the polished press releases and patient-facing chatbots, governance remains an afterthought—especially when AI moves from the lab to the live EHR. If clinical IT leaders don’t seize control of the governance conversation, they’ll end up responding to policy shaped by PR departments and vendor sales decks instead of operational reality.

Let’s start with what we’ve learned the hard way. Air Canada’s AI chatbot fabricated a bereavement refund policy that didn’t exist. When the company refused to honor it, claiming the bot was “a separate legal entity,” a Canadian tribunal ruled in early 2024 that yes, companies are liable for their AI agents (CTV News, 2024).

Earlier this year, software company Cursor faced a smaller but reputationally costly crisis. Their AI email support bot, “Sam,” confidently told users they could no longer use the platform on more than one device—a policy that didn’t exist. Reddit exploded. Users canceled subscriptions. The company had to publicly walk it back and issue refunds. A productivity tool built on AI had been kneecapped by its own AI support layer (Ars Technica, 2025).

These failures aren’t technical bugs—they’re governance failures. They happened because well-resourced organizations trusted AI systems with customer-facing authority but failed to implement basic oversight protocols. And in healthcare, where mistakes don’t cost subscriptions but lives, this kind of misalignment is inexcusable.

The problem is that most health systems still treat governance as a checkbox—a risk mitigation process delegated to compliance officers. But real governance has to be operational. It has to live in the same spaces where deployment, retraining, and integration decisions are made. It must be owned not just by legal or ethics teams, but by multidisciplinary groups that include clinicians, data scientists, UI designers, and informatics leaders.

Leading institutions are starting to take this seriously. UCSF Health has built a cross-functional AI Governance Committee with formalized review procedures, escalation pathways, and guidance for algorithm lifecycle management (UCSF Health Hub, 2023). Stanford Health has published a framework they call “algorithm stewardship,” which emphasizes transparency, accountability, and continuous evaluation across AI systems that impact care delivery (JAMA, 2022).

Meanwhile, the FDA’s 2021 Action Plan on AI/ML-based Software as a Medical Device (SaMD) outlined a vision for “good machine learning practices,” including post-market monitoring, real-world performance assessment, and a total product lifecycle approach (FDA, 2021). But the onus to build these safeguards into organizational workflows still falls on the healthcare institutions implementing the tools—not just the vendors developing them.

In an era when ambient intelligence, AI scribes, and predictive models are increasingly embedded into the clinical experience, guardrails must be part of the infrastructure. They can’t be retrofitted. They must address questions like the following (one way to encode the answers is sketched after the list):

  • Who approves and maintains models in production?
  • How are decisions made about retraining and decommissioning?
  • What’s the plan when a model fails silently?
  • Is the user aware that the recommendation they’re seeing came from an AI?
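
These answers don’t have to live only in a committee charter. Here is a minimal sketch of how they can travel with the model itself, as a governance manifest checked in alongside the deployment config; the field names and example values are illustrative assumptions, not any published standard or any particular institution’s schema.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class GovernanceManifest:
    """Governance metadata that ships alongside a deployed clinical model.

    Field names are illustrative, not a published standard.
    """
    model_name: str
    version: str
    clinical_owner: str            # who approves and maintains the model in production
    technical_owner: str
    approved_by: str               # governance committee sign-off
    approved_on: date
    retraining_trigger: str        # when retraining is considered
    decommission_criteria: str     # when the model must be pulled from production
    silent_failure_monitor: str    # the job that watches for degraded output
    user_facing_disclosure: bool   # does the user see that the output is AI-generated?

# Hypothetical example for a sepsis early-warning model.
sepsis_risk = GovernanceManifest(
    model_name="sepsis-early-warning",
    version="2.3.1",
    clinical_owner="ICU Medical Director",
    technical_owner="Clinical ML Engineering",
    approved_by="AI Governance Committee",
    approved_on=date(2025, 3, 14),
    retraining_trigger="Quarterly review, or AUROC drop > 0.05 on a rolling 30-day cohort",
    decommission_criteria="Two consecutive failed quarterly reviews, or workflow retirement",
    silent_failure_monitor="nightly-drift-check (pages the on-call informaticist)",
    user_facing_disclosure=True,
)
```

The schema matters less than the principle: every question above gets a named owner and a recorded answer that can be audited later.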

AI governance that actually works isn’t about preventing every hallucination. It’s about building resilient, transparent systems that can detect, explain, and recover from failure. It’s about tracking provenance, enforcing auditability, and aligning technology with clinical intent—not marketing goals.
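
Provenance and auditability, in particular, are cheap to capture at write time and nearly impossible to reconstruct afterward. A hedged sketch of a per-recommendation audit record follows; the structure and field names are assumptions for illustration, not a required format.

```python
import hashlib
import json
from datetime import datetime, timezone

def provenance_record(model_name: str, model_version: str,
                      inputs: dict, output: str,
                      shown_as_ai: bool, clinician_action: str) -> dict:
    """Build an audit entry for a single AI recommendation.

    Only a hash of the inputs is stored, so reviewers can later verify
    which data the model saw without copying it into the audit log.
    """
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "model": model_name,
        "version": model_version,
        "input_hash": hashlib.sha256(
            json.dumps(inputs, sort_keys=True).encode()
        ).hexdigest(),
        "output": output,
        "disclosed_as_ai": shown_as_ai,       # did the clinician know this was AI?
        "clinician_action": clinician_action, # "accepted", "modified", or "overridden"
    }

# Example: log one risk-score recommendation and the clinician's response.
entry = provenance_record(
    model_name="sepsis-early-warning",
    model_version="2.3.1",
    inputs={"heart_rate": 118, "lactate": 3.2, "temp_c": 38.9},
    output="High sepsis risk: consider early fluids and blood cultures",
    shown_as_ai=True,
    clinician_action="accepted",
)
print(json.dumps(entry, indent=2))
```

Recording whether the clinician accepted, modified, or overrode the output also gives the governance committee a direct signal for the silent-failure question above: a model whose override rate quietly climbs is failing, even if no one has filed a ticket.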

If you’re deploying AI in a hospital and still think of governance as something handled by the legal department, you’re already behind. Governance must be embedded in the deployment pipeline, tested like code, and treated like a clinical protocol. The cost of getting this wrong is not just operational—it’s moral, reputational, and soon, regulatory.
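
“Tested like code” can be read literally. Below is a minimal sketch of a deployment gate, assuming a governance manifest like the one above (flattened here to a plain dictionary so the example stands alone); the idea is that the same CI pipeline that builds the model container refuses to promote it when governance metadata is missing.

```python
def governance_gate(manifest: dict) -> list[str]:
    """Return blocking problems; an empty list means the model may be promoted."""
    required = {
        "approved_by": "No governance committee sign-off recorded.",
        "silent_failure_monitor": "No monitor defined for silent failure.",
        "retraining_trigger": "No retraining or drift criteria defined.",
    }
    problems = [msg for key, msg in required.items() if not manifest.get(key)]
    if not manifest.get("user_facing_disclosure", False):
        problems.append("Output is not disclosed to the user as AI-generated.")
    return problems

# In CI: fail the build, not the patient.
manifest = {
    "model_name": "sepsis-early-warning",
    "approved_by": "AI Governance Committee",
    "silent_failure_monitor": "nightly-drift-check",
    "retraining_trigger": "",          # deliberately missing -> blocks the release
    "user_facing_disclosure": True,
}
issues = governance_gate(manifest)
if issues:
    raise SystemExit("Deployment blocked:\n- " + "\n- ".join(issues))
```

A failing governance check should be treated exactly like a failing unit test: the release doesn’t ship until someone fixes it.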

It’s time we stop confusing guidance with governance and ethics with infrastructure. Because until we build AI systems that are not only intelligent but also accountable, we’re not deploying clinical tools. We’re rolling out liabilities.