May 2026 · 8 minute read · Healthcare · AI

Every healthcare board is being asked, in some form: "What's our AI strategy?" Most of the public-domain risk guidance — from regulators, industry bodies, even most consultants — focuses on model risk. Are your models fair, are they accurate, are they validated, do they drift. Model risk is real, and it matters. But it's not the AI risk most likely to surface as a serious issue at a healthcare institution in the next 24 months.

Risk 1: Shadow AI use by clinicians and staff

Clinicians are using ChatGPT, Claude, and a dozen other tools — pasted into the browser, on their own devices, with PHI in the prompts. Nearly every healthcare CIO we've worked with in the past year has discovered this is happening; almost none of them have a defensible policy or a viable technical control. The first HIPAA breach attributed to clinician shadow-AI use will be a case study.

What to do: at minimum, a policy plus a sanctioned, HIPAA-compliant alternative. Banning without offering an alternative is the policy version of telling clinicians to use paper charts. They will route around you.

Risk 2: Vendor AI features bolted onto existing contracts

Your EHR, your scheduling system, your billing platform, your patient-engagement tool — all of them are rolling out AI features. Most of those rollouts are happening under existing contracts, with no separate risk review. Often the AI features depend on data flows that weren't in scope when the original BAA was signed. Many of them route data to third-party model providers that aren't named in your sub-processor inventory.

What to do: an AI rider for your BAA template, and a retroactive audit of existing critical vendors to capture AI feature rollouts that have happened since contract signing, with the sub-processor inventory updated to name any model providers those features now send data to.

Risk 3: Clinical AI workflows that bypass clinical decision-support governance

Your organization has (probably) mature clinical decision-support governance — committee review, validation, post-deployment monitoring. AI tools are being adopted clinically that don't get routed through that governance because they're framed as "productivity" tools (note generation, prior-auth drafting, patient communication). When one of those tools introduces a clinical error, your existing governance won't have a record of approving its use.

What to do: extend clinical-AI governance to cover any AI tool that touches a clinical workflow, regardless of how it's marketed.

Risk 4: Algorithmic bias that surfaces in the press, not the audit

Most healthcare AI systems aren't audited for differential performance across patient demographics. The ones that are tend to be tested at deployment and then never again. The first time you find out your scheduling AI is systematically under-prioritizing a protected class is when a journalist or a regulator tells you.

What to do: ongoing differential-performance monitoring built into the AI governance cadence, not as a launch-time gate.
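As an added illustration of what "ongoing differential-performance monitoring" looks like in practice, here is a small recurring check, written for this page and not taken from any vendor or from the article itself. It computes selection rate, true-positive rate and false-positive rate per demographic group from a batch of scored decisions, flags any group whose rate ratio against a reference group falls below a floor, and flags groups too small to judge. The 0.8 ratio floor (borrowed from the four-fifths disparate-impact heuristic), the minimum sample of 30, the group labels and the patient counts are all constructed assumptions for the demo; the page names none of them.

```python
"""Recurring per-group performance check for a deployed clinical prioritisation model.

Added example for this article; not code from the page or from any product.
Thresholds, group labels and record counts below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    group: str      # protected attribute from structured demographics (assumed available)
    predicted: int  # 1 = model prioritised / flagged the patient
    actual: int     # 1 = outcome label: patient actually needed the intervention


def group_metrics(records):
    """Per-group counts reduced to rates: selection_rate, tpr, fpr (None when undefined)."""
    counts = defaultdict(lambda: {"n": 0, "pred_pos": 0, "tp": 0, "pos": 0, "fp": 0, "neg": 0})
    for r in records:
        c = counts[r.group]
        c["n"] += 1
        c["pred_pos"] += r.predicted
        if r.actual:
            c["pos"] += 1
            c["tp"] += r.predicted
        else:
            c["neg"] += 1
            c["fp"] += r.predicted
    metrics = {}
    for g, c in counts.items():
        metrics[g] = {
            "n": c["n"],
            "selection_rate": c["pred_pos"] / c["n"],
            "tpr": c["tp"] / c["pos"] if c["pos"] else None,
            "fpr": c["fp"] / c["neg"] if c["neg"] else None,
        }
    return metrics


def disparity_findings(metrics, reference, ratio_floor=0.8, min_n=30):
    """Compare each group to the reference group.

    Flags (group, metric, ratio) when selection_rate or tpr falls below
    ratio_floor * the reference group's rate, and (group, "insufficient_sample", n)
    when the group is too small to support a conclusion either way.
    """
    findings = []
    ref = metrics[reference]
    for g, m in metrics.items():
        if g == reference:
            continue
        if m["n"] < min_n:
            findings.append((g, "insufficient_sample", m["n"]))
            continue
        for metric in ("selection_rate", "tpr"):
            if ref[metric] is None or m[metric] is None or ref[metric] == 0:
                continue
            ratio = m[metric] / ref[metric]
            if ratio < ratio_floor:
                findings.append((g, metric, round(ratio, 3)))
    return findings


def drift_findings(baseline, current, tolerance=0.1):
    """Compare this period's per-group rates to the launch-time baseline.

    Returns (group, metric, delta) where a rate moved by more than tolerance,
    which catches a group that degrades even if it still clears the ratio floor.
    """
    out = []
    for g, cur in current.items():
        base = baseline.get(g)
        if base is None:
            out.append((g, "new_group", cur["n"]))
            continue
        for metric in ("selection_rate", "tpr", "fpr"):
            if base[metric] is None or cur[metric] is None:
                continue
            delta = cur[metric] - base[metric]
            if abs(delta) > tolerance:
                out.append((g, metric, round(delta, 3)))
    return out


def build(group, tp, fn, fp, tn):
    """Constructed confusion-matrix counts expanded into scored records."""
    return ([Record(group, 1, 1)] * tp + [Record(group, 0, 1)] * fn
            + [Record(group, 1, 0)] * fp + [Record(group, 0, 0)] * tn)


# Constructed batches. At launch both groups perform alike; a quarter later the
# model flags group B far less often and misses half of its true positives, and a
# small new group C appears that cannot yet be assessed.
LAUNCH_BATCH = build("A", 40, 10, 10, 40) + build("B", 38, 12, 12, 38)
QUARTER_BATCH = build("A", 40, 10, 10, 40) + build("B", 25, 25, 5, 45) + build("C", 4, 1, 1, 4)


def run_review(baseline_batch, current_batch, reference="A"):
    """One monitoring cycle: disparity against the reference plus drift against launch."""
    baseline = group_metrics(baseline_batch)
    current = group_metrics(current_batch)
    return {
        "disparity": disparity_findings(current, reference),
        "drift": drift_findings(baseline, current),
    }


if __name__ == "__main__":
    for name, rows in run_review(LAUNCH_BATCH, QUARTER_BATCH).items():
        print(name, rows)
```

The launch batch produces no findings, which is exactly the trap the section describes: a launch-time gate passes and nothing looks again. Run on the quarterly batch, the same check flags group B on both selection rate and true-positive rate and reports group C as too small to assess. Wiring `run_review` to a scheduled job over each period's decisions, with the reference group and thresholds agreed by the governance committee, is the monitoring cadence the recommendation asks for.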

What the model-risk people will tell you, and why you can probably defer it

Formal model validation under SR 11-7-style model risk management is a heavy lift, and most healthcare organizations aren't ready for it. It's worth getting to, but the four risks above will surface as actual incidents earlier than model-validation gaps will. Sequence accordingly.

— Drawn from healthcare AI program reviews across mid-market and enterprise systems in 2025–2026.

Want to talk about your AI governance posture?

A 60-minute conversation with someone who's done this at Pfizer scale.