Most health systems have an AI governance committee. Far fewer have AI governance. This report is about the difference, and how to build the second one.
The wrong half: standing up a committee, writing a policy, and stopping there, while the AI runs unsupervised between meetings and accountability stays undefined.
The half that controls anything: an operating model that defines who decides, who reviews, who owns the data and the risk, and how those decisions get enforced in the system and evidenced automatically.
Effective governance does not pile everything on one committee that meets monthly.
Distributing oversight across distinct bodies is the move that separates governance that works from governance that does not, and it is the lesson regulated DevOps learned the hard way.
The regulatory ground has shifted from HIPAA and good intentions to specific, enforceable requirements.
Stand up the four pillars with real mandates and the right composition, including ethics.
Inventory every AI system and tier it by risk. The tier drives oversight, validation, and human-in-the-loop.
Turn Model Review Board requirements into deployment gates, capture HTI-1 source attributes automatically, and enforce risk-tier controls in the system.
Make sure clinicians know the policies, the accountability model, and the disclosure obligations.
The organizations that get this right will not be the ones with the most impressive committee.
What is usually missing is the operating model around the committee: distinct review bodies, explicit accountability, and most of all enforcement in the system with automatic evidence. Committees are common; operational control is rare.
HITRUST and healthcare-specific AI governance standards are becoming the practical bar, with the NIST AI Risk Management Framework and ISO/IEC 42001 as cross-sector anchors. Pick one and map your controls and evidence to it.
Monthly review is not enough because the AI runs unsupervised between meetings. When governance is built into the pipeline, oversight becomes continuous instead of monthly.
The HTI-1 obligations center on predictive decision support supplied by developers and integrated into certified health IT; third-party tools are treated differently. Your governance has to track which tools fall where.
Stop relying on a document. Enforce policy in the systems clinicians use, make accountability explicit, and communicate the disclosure rules directly. Awareness barely moved precisely because policy stayed on paper.