The regulatory framework healthcare executives often miss
Healthcare AI operates at the intersection of medical device regulation, data protection law, clinical governance standards, and professional accountability frameworks. Each of these is a distinct regulatory domain, enforced by different regulators, with different standards and different consequences for non-compliance. Healthcare executives who understand one of these domains (typically either data protection or medical device regulation) often have significant gaps in the others.
The most common gap is the medical device dimension. Executives leading clinical AI deployments are frequently unaware that the AI system is a regulated medical device: not just a software tool, but a product subject to regulatory approval, post-market surveillance obligations, incident reporting requirements, and in some cases mandatory registration before deployment. In Australia, the TGA regulates software that qualifies as a medical device. In the EU, the MDR applies to software intended for medical purposes. In the US, the FDA has a specific framework for Software as a Medical Device (SaMD). Deploying AI that qualifies as a medical device without the appropriate regulatory clearance is deploying an unapproved medical device, a serious regulatory breach regardless of the AI's clinical benefit.
Clinical governance and AI: the board's specific obligations
Healthcare boards have well-established clinical governance obligations: ensuring safe, effective, and person-centred care. When AI is deployed in clinical settings, these obligations do not change; they require specific application to the AI context. A board that approves AI deployment in radiology, pathology, or clinical decision support without ensuring that clinical governance structures have been applied to that AI is failing its clinical governance obligations.
Specific clinical governance questions boards should require answers to before approving AI deployment: What is the evidence base for this AI system's clinical effectiveness in our specific patient population? How does this AI system interact with clinical accountability: who is responsible if the AI contributes to a misdiagnosis or adverse outcome? What training are clinicians receiving, and does it address automation bias? What monitoring is in place for adverse events potentially associated with AI outputs? These are not technology questions; they are clinical governance questions that boards are equipped and obligated to ask.