
The Shadow AI Problem: Clinicians Adopting Unapproved Tools Outside Institutional Oversight
In 2025, a quiet but consequential shift occurred inside U.S. health systems: clinicians began using generative AI tools — ChatGPT for clinical documentation, ambient scribes for note generation, large language models for differential diagnosis — without waiting for IT department approval, compliance sign-off, or institutional policy. This phenomenon, now widely referred to as "shadow AI," represents one of the most significant operational governance challenges facing healthcare organizations in 2026.
According to Wolters Kluwer expert analysis, shadow AI surged across healthcare organizations in 2025, driven by a combination of factors that any clinician will recognize: the burden of electronic health record documentation, the availability of free or low-cost GenAI tools, and the absence of approved institutional alternatives that match the speed and convenience of consumer-grade AI. Physicians facing 90-minute daily documentation burdens did not wait for their CMIO to evaluate a vendor's ambient scribe product — they opened ChatGPT on their phone.
The scale of the problem is difficult to quantify precisely because shadow AI is, by definition, invisible to institutional monitoring. But the consequences are not. When a clinician enters a patient's protected health information into a public LLM, that data leaves the organization's security perimeter. When a diagnostic recommendation from an unvalidated model influences a treatment decision, the health system bears the liability. And when dozens or hundreds of clinicians independently adopt different AI tools, the organization loses any ability to monitor performance, track errors, or ensure equitable outcomes across patient populations.
The governance crisis is compounded by the fact that clinicians are not acting irresponsibly. They are responding rationally to systemic pressures: understaffed clinics, demanding documentation requirements, and a genuine desire to improve patient care. The problem is not the motivation — it is the absence of institutional infrastructure to channel that motivation into safe, approved, and monitored AI use.
Governance Catch-Up: Why 2026 Is the 'Year of Governance'
Health system C-suites are now in a position few executives enjoy: playing catch-up to their own workforce. Wolters Kluwer experts have declared that 2026 will be the year of governance, marking a decisive shift from the reactive, permissive posture that characterized 2024 and 2025 toward formalized, organization-wide AI governance frameworks.
This shift is visible across multiple dimensions of health system operations:
- Formal AI review boards are being established, modeled on existing institutional review board (IRB) structures, with authority to approve or reject AI tools for clinical use.
- Compliance policies are being rewritten to explicitly address AI-generated content, including protocols for reviewing and validating AI outputs before they enter the medical record.
- Training requirements are being developed for clinicians who use AI tools, covering appropriate use cases, limitations, and documentation obligations.
- Quality assurance audits are being designed to monitor AI tool performance over time, detect model drift, and identify disparities in outcomes across patient demographics.
The urgency of this governance pivot is underscored by the fact that the industry conversation itself has shifted. As noted in ClinicalMind's coverage of how 2026 AI in healthcare summits are pivoting to governance, regulation, and real-world ROI, the dominant themes at major industry events have moved from "what's possible" to "how do we govern this safely."
The governance catch-up is not optional. It is being forced by three converging pressures: the clinical risk data that demonstrates the real harm potential of ungoverned AI, the regulatory patchwork that imposes legal obligations on health systems, and the equity imperative that demands AI tools serve all patients, not just those in well-represented demographic groups.
The Regulatory Patchwork: All 50 States Act While the Federal Government Steps Back

While health systems scramble to build internal governance frameworks, the external regulatory environment is becoming more complex — not less. In 2025, all 50 U.S. states, plus Puerto Rico, the Virgin Islands, and Washington, D.C., introduced AI legislation, and nearly 40 states adopted or enacted approximately 100 measures, according to reporting by Healthcare Dive. This represents an unprecedented surge in state-level AI regulation, and it creates a compliance challenge for health systems that operate across multiple states.
The federal picture is markedly different. The Trump administration has pursued a deregulatory posture, including an executive order that could challenge state AI laws and calls for a federal framework that would preempt state regulations. One lawyer quoted by Healthcare Dive described the regulatory environment as a "perfect storm" — driven by the economic necessity of AI adoption combined with the absence of clear federal guidelines.
For health systems, this creates a difficult operational reality: they must comply with multiple, sometimes conflicting state requirements while lacking a unified federal standard to guide their compliance programs. The result is legal uncertainty, increased compliance costs, and the risk of inadvertently violating a state law in one jurisdiction while following the rules in another.
This dynamic is explored in greater depth in ClinicalMind's analysis of how U.S. federal and state governments are regulating AI in public health in 2026. The current article focuses specifically on what this regulatory fragmentation means for health system operations: the need to build governance frameworks that are flexible enough to accommodate multiple state regimes while maintaining a consistent standard of patient safety and clinical quality.
| Regulatory Dimension | Federal Approach | State Approach | Health System Impact |
|---|---|---|---|
| AI legislation | Deregulatory; no comprehensive federal AI law | All 50 states introduced legislation in 2025; ~100 measures enacted | Must track and comply with multiple state regimes simultaneously |
| Preemption | Calls for federal framework to preempt state laws | States assert right to regulate AI within their jurisdictions | Legal uncertainty about which rules apply in which contexts |
| Enforcement posture | Limited enforcement; focus on innovation | Active enforcement; state AGs pursuing AI-related actions | Risk of enforcement actions in states with active regulatory regimes |
| Guidance for health systems | Minimal sector-specific guidance | Varies by state; some have healthcare-specific AI provisions | Health systems must develop their own compliance interpretations |
State Laws That Directly Affect Health Systems: Colorado, New York, and Patient Disclosure
Among the dozens of state AI laws enacted in 2025, several have direct and immediate implications for health system operations. Understanding these laws is essential for compliance officers, legal counsel, and health system executives building governance frameworks.
Colorado's AI Act: Risk-Based Regulation and Impact Assessments
Colorado's AI Act establishes a risk-based regulatory framework that requires developers and deployers of "high-risk" AI systems to conduct impact assessments. For health systems, this means that any AI tool used in clinical decision-making, patient triage, diagnosis, or treatment planning could be classified as high-risk, triggering obligations to document the tool's intended use, assess potential biases, and implement risk mitigation measures. The law's requirements for transparency and accountability align closely with the governance frameworks that forward-thinking health systems are already building — but they also impose specific compliance deadlines and documentation standards that must be met.
New York's AI Safety Bill: Signed Into Law in December 2025
New York's AI safety bill, signed into law in December 2025, represents another significant regulatory development for health systems. The bill imposes requirements for testing, transparency, and accountability that directly affect how AI tools can be deployed in clinical settings. Health systems operating in New York must ensure that their AI governance frameworks comply with the bill's provisions, including requirements for independent auditing of high-risk AI systems and disclosure to affected individuals.
Patient Disclosure Requirements: An Emerging Standard
A growing number of states are enacting or considering laws that require health systems to disclose to patients when AI is being used in their care. These disclosure requirements vary in scope — some apply only to diagnostic AI, others to any AI tool that influences clinical decisions — but they share a common implication: health systems must know which AI tools are being used, where, and for what purposes. This is impossible without a comprehensive governance framework that tracks AI deployment across the organization.
The compliance challenge is compounded by the fact that state laws are not static. New legislation is being introduced and enacted continuously, and health systems must monitor developments across all states where they operate. This is not a one-time compliance exercise — it is an ongoing operational requirement that demands dedicated resources and expertise.
The Clinical Risk Data: Why Governance Is Not Optional

The urgency of building AI governance frameworks is not theoretical. It is grounded in peer-reviewed research that documents the real clinical risks of ungoverned AI deployment. Research from Stanford and Harvard found that AI medical models produce severely harmful clinical recommendations in up to 22.2% of cases, and even top-performing models make between 12 and 15 severe errors per 100 clinical cases. These are not edge cases or hypothetical failure modes — they are documented outcomes from systematic evaluation of AI models in clinical contexts.
What does "severely harmful" mean in practice? It means recommendations that, if followed, could lead to patient harm — missed diagnoses, incorrect treatments, delayed interventions, or inappropriate medication choices. In a clinical environment where AI tools are being used without institutional oversight, these errors can occur without any mechanism for detection, reporting, or correction.
The implications for health system governance are clear:
- Every ungoverned AI tool in clinical use represents an unmanaged patient safety risk.
- Without centralized monitoring, health systems cannot detect when an AI tool is producing harmful recommendations.
- The liability exposure for harm caused by unapproved AI tools is significant and growing.
- An error rate of 12-15 severe errors per 100 cases means that even "good" AI models require human oversight and validation.
This data also underscores why the shadow AI problem is so dangerous. When clinicians adopt AI tools outside institutional oversight, there is no mechanism to track error rates, no process for reporting adverse events, and no way to identify which tools are performing poorly in which clinical contexts. The health system is flying blind — and the research suggests that the risks are substantial.
Algorithmic Bias and Equity: The Risk of Excluding 5 Billion People

The governance gap in healthcare AI is not only a patient safety issue — it is also an equity issue. The World Economic Forum has warned that without corrective action, AI health risks could exclude nearly 5 billion people from life-saving diagnostics. This figure is derived from WHO universal health coverage data and represents the population in low- and middle-income countries who could be left behind if AI health tools are developed and validated primarily on data from high-income populations.
The root cause is well-documented: more than 80% of genetics studies include only people of European descent, representing less than 20% of the world's population, according to a Deutsche Welle report cited by the WEF. Most health data used to train AI models comes from the United States, parts of Europe, and China. The result is AI tools that perform well on the populations they were trained on — and poorly, or dangerously, on everyone else.
Concrete examples of this bias are already documented:
- Skin cancer detection algorithms perform less accurately on darker skin tones, because training datasets are predominantly composed of images from lighter-skinned patients.
- Cardiovascular risk calculators built on European and American cohorts may underestimate risks for other populations, leading to missed prevention opportunities.
- Diagnostic AI models trained on data from well-resourced health systems may fail in settings with different disease prevalence, diagnostic infrastructure, or patient demographics.
For health systems building AI governance frameworks, the equity dimension adds another layer of obligation. Governance is not just about preventing harm — it is about ensuring that the benefits of AI are distributed equitably across all patient populations. This requires:
- Demographic auditing of AI training data to identify representation gaps.
- Performance monitoring stratified by race, ethnicity, socioeconomic status, and other demographic variables.
- Corrective action protocols when disparities are detected, including model retraining or deployment restrictions.
- Transparency reporting that makes equity data available to regulators, clinicians, and patients.
ClinicalMind's analysis of algorithmic bias in public health AI and the contested regulatory response provides deeper context on how regulators are beginning to address these disparities and what health systems should expect in terms of compliance obligations.
Building 'AI Safe Zones': A Path Forward for Health Systems
The convergence of shadow AI, regulatory fragmentation, clinical risk data, and equity concerns creates a daunting governance challenge. But forward-thinking organizations are already developing a practical solution: AI safe zones — controlled environments for safe AI experimentation with approved tools, validated datasets, and clear guardrails.
An AI safe zone is not a physical space. It is a governance construct that defines the conditions under which AI tools can be tested, validated, and deployed within a health system. The concept, as described by Wolters Kluwer experts, represents a middle ground between the two extremes that have characterized health system AI adoption to date: the "anything goes" approach of shadow AI and the "nothing moves" approach of excessive caution that blocks all innovation.
Key components of an AI safe zone framework include:
- Approved tool inventory: A curated list of AI tools that have been evaluated by the governance board and approved for specific use cases, with clear documentation of their intended use, limitations, and performance characteristics.
- Sandboxed testing environments: Isolated technical environments where new AI tools can be evaluated against institutional data without affecting production systems or patient care.
- Clinician training and certification: Required training for clinicians who use approved AI tools, covering appropriate use cases, interpretation of AI outputs, and documentation requirements.
- Performance monitoring and escalation: Continuous monitoring of AI tool performance, with defined thresholds for escalation when error rates exceed acceptable levels or when disparities are detected across patient populations.
- Incident reporting and correction: Clear protocols for reporting AI-related adverse events, investigating root causes, and implementing corrective actions.
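The stratified performance monitoring called for in the equity section and the escalation thresholds listed above can be expressed as a small review-log scorer. The following is an added illustration for this article, not code from Wolters Kluwer or any health system; the tool name, demographic strata, disparity ratio and minimum stratum size are assumptions, and only the 12-per-100 benchmark comes from the research the article cites.

```python
from collections import defaultdict

# Escalation rules. The 12-per-100 benchmark is from the research the article
# cites; the disparity ratio and minimum stratum size are assumed board settings.
SEVERE_ERROR_THRESHOLD = 0.12
DISPARITY_RATIO = 1.5
MIN_STRATUM_N = 20


def constructed_log():
    """Constructed review log for a hypothetical tool: clinician-reviewed AI
    recommendations tagged with a demographic stratum and a severe-error flag."""
    spec = [("group_a", 4, 120), ("group_b", 18, 100), ("group_c", 2, 8)]
    return [
        {"tool": "ambient_scribe_demo", "stratum": s, "severe_error": i < errors}
        for s, errors, cases in spec
        for i in range(cases)
    ]


def stratum_rates(records):
    """Return {stratum: (severe_errors, cases)} from reviewed recommendations."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        counts[r["stratum"]][0] += int(r["severe_error"])
        counts[r["stratum"]][1] += 1
    return {s: (k, n) for s, (k, n) in counts.items()}


def evaluate(records):
    """Return escalation findings as (kind, stratum, rate) tuples."""
    rates = stratum_rates(records)
    total_k = sum(k for k, _ in rates.values())
    total_n = sum(n for _, n in rates.values())
    overall = total_k / total_n if total_n else 0.0
    findings = []
    if overall > SEVERE_ERROR_THRESHOLD:
        findings.append(("overall_threshold", "ALL", overall))
    for stratum, (k, n) in sorted(rates.items()):
        rate = k / n
        if n < MIN_STRATUM_N:
            # Too few reviewed cases to judge safety for this group: report a
            # representation gap rather than silently treating it as passing.
            findings.append(("insufficient_data", stratum, rate))
            continue
        if rate > SEVERE_ERROR_THRESHOLD:
            findings.append(("stratum_threshold", stratum, rate))
        if overall > 0 and rate > DISPARITY_RATIO * overall:
            findings.append(("disparity", stratum, rate))
    return findings


if __name__ == "__main__":
    for kind, stratum, rate in evaluate(constructed_log()):
        print(f"{kind:20s} {stratum:8s} severe-error rate {rate:.1%}")
```

In the constructed log the overall rate stays under the benchmark, so an aggregate-only check would pass while one stratum exceeds it and another is too small to assess, which is exactly the gap stratified monitoring is meant to close.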
The AI safe zone approach offers several advantages for health systems navigating the governance gap:
- It channels clinician enthusiasm for AI into approved, monitored channels, reducing the shadow AI problem.
- It provides a framework for complying with multiple state regulatory regimes by establishing a consistent standard of safety and transparency.
- It creates the institutional infrastructure needed to monitor clinical error rates and detect disparities.
- It positions the health system to respond quickly to new regulatory requirements as they emerge.
The FDA's evolving approach to AI/ML device regulation, including the Predetermined Change Control Plan guidance, provides a useful model for how health systems can think about governing AI tools that evolve over time. Just as the FDA is developing frameworks for managing AI/ML device modifications, health systems need frameworks for managing the continuous learning and adaptation that characterizes AI tools in clinical use.
The window for building these frameworks is narrowing. Shadow AI adoption continues to accelerate, state regulatory requirements are multiplying, and the clinical risk data makes clear that ungoverned AI deployment is not a sustainable path. Health systems that invest in governance infrastructure now — AI review boards, approved tool inventories, performance monitoring systems, clinician training programs — will be positioned to lead in the era of governed AI. Those that delay will face increasing regulatory exposure, clinical risk, and competitive disadvantage.
The year of governance is 2026. The question for every health system is whether they will be building their framework or scrambling to catch up.