AI is already inside many U.S. hospitals, but board oversight often lags behind. In 2024, 71% of non-federal acute-care hospitals said they used predictive AI in their EHRs, and 31.5% said they used generative AI in their EHRs. That means AI risk now touches patient care, PHI, billing, vendors, and board liability at the same time.
If I had to boil the article down to a few points, it would be this:
- Boards need a clear AI inventory. If you don’t know which tools are in use, you can’t oversee them.
- Patient safety is at stake. One hospital review found Epic’s sepsis model had 33% sensitivity and 12% positive predictive value, showing how local performance can fall short.
- Vendor AI adds hidden risk. AI can sit inside EHRs, billing tools, imaging software, and documentation products without much board visibility.
- PHI and cyber risk grow fast. Staff use, vendor data flows, and model training practices can expose patient data in ways older reviews may miss.
- Boards need plain reporting. Directors should see high-risk use cases, validation status, incidents, open gaps, and who owns each issue.
A few numbers make the problem hard to ignore:
- Hospital AI use for billing went from 36% to 61% between 2023 and 2024
- Only 44% of hospitals reported local bias evaluation
- 81.2% of large healthcare breaches in 2024 were tied to hacking and IT incidents
- Clinicians exposed to biased AI predictions saw diagnostic accuracy drop by 11.3 percentage points
The main takeaway: I’d treat AI governance as a standing board issue, not an IT side topic. The article points to three things boards should ask for right away: a single AI inventory, cross-team oversight, and quarterly board reporting tied to safety, privacy, vendor risk, and remediation.
Healthcare AI Risk by the Numbers: What Boards Need to Know
Health Care Corporate Governance: Critical New AI-Related Issues for Health Care Boards
sbb-itb-535baee
The problem: healthcare boards are underestimating AI risk
The main issue isn't AI itself. It's the board's narrow view of how AI is tested, watched, and governed.
Management may say an AI tool was clinically validated, monitored, and assigned to an owner. Or that a vendor is HIPAA-compliant. But boards often don't see the numbers that matter: error rates, bias metrics, hallucination frequency, and clear accountability data. Without that, they can't judge risk in any serious way.[2][3]
AI governance is now a major patient safety issue, and board oversight needs to match AI's clinical role. ECRI ranked weak AI governance as the No. 2 patient safety threat in 2025.[6] That gap gets most dangerous when AI is used in diagnosis, treatment, and escalation decisions.
Weak oversight creates patient safety, compliance, and liability exposure
AI clinical decision support can mirror biased training data, break down outside its intended use, or produce false answers with a confident tone. That includes prompt manipulation that triggers false outputs in clinical decision support settings.[5] In a hospital or clinic, those failures don't stay abstract. They can shape diagnosis and escalation decisions on the spot.
The legal risk is plain. If an AI tool plays a part in a misdiagnosis or a missed deterioration alert, and the board never required validation, monitoring, or human review, then the organization has allowed clinical risk to sit unmanaged.
Hidden AI in third-party tools expands enterprise risk
This visibility gap goes beyond direct patient care. It also runs through vendor platforms and data flows.
Vendor AI can slip into the enterprise through EHRs and billing tools without clear disclosure or board review.[2][3] Those features may send PHI to outside model providers, depend on subcontracted AI services, or log patient data for model retraining in ways older risk reviews never accounted for.[2][3] If the board can't see where the data goes, who touches it, and which tools depend on which vendors, it can't judge the full privacy or cyber risk.
A few gaps sit at the center of the problem:
- No local validation means more accuracy risk
- No visibility into vendor AI means more privacy and subcontracted-service exposure
- No incident reporting means AI-related events go untracked
Those are the blind spots boards need to see plainly before governance has any shot at working.
The AI risks boards need to see clearly
These blind spots fall into three board-level risk buckets.
Clinical decision risk from bias, model error, and local performance gaps
The first and most immediate risk is clinical error. A model that looks good in one setting can miss the mark in another. If it was trained on one patient population, it may not hold up when used somewhere else. For example, a cardiology-heavy model may underpredict risk in an oncology-heavy center.
That gap isn't just theoretical. An independent evaluation of Epic's Sepsis Model at Michigan Medicine found 33% sensitivity and 12% positive predictive value, which led to both missed cases and alert fatigue.[8][9][10][11][12]
Then there's automation bias, which makes the problem worse. Research shows that AI assistance can lead to a roughly 7% rate of users overturning correct judgments to match an incorrect AI recommendation.[18] If the AI output is hard to interpret, clinicians may be less likely to push back.
Boards should insist that high-stakes clinical AI tools include documented human-in-the-loop workflows. That should also include override tracking, so teams can see when staff disagree with the model and what happened next.
Cybersecurity and PHI risk from insecure AI use and data leakage
AI can send PHI outside the organization without anyone noticing right away. A staff member might paste patient details into a generative AI tool that has no business associate agreement. Or an EHR integration may be set up poorly and expose PHI to unauthorized users or third parties.[7]
Generative AI adds another layer of risk. Training data extraction attacks can expose sensitive information and make it possible to re-identify patients, even when the data was thought to be de-identified.[19]
That means boards should treat any AI system that touches PHI as a critical asset. In plain terms, it needs the same level of scrutiny as the EHR itself, including:
- EHR-level security assessments
- Access controls
- Audit logging
Vendor, operational, and regulatory risk from weak AI governance
Beyond direct patient and data risk, third-party AI creates a governance problem that can be hard to spot. Vendors may change model performance without giving clear notice. They can push updates that shift outputs quietly, with little or no detailed changelog.
That matters more than it may seem at first glance. AI used in scheduling, capacity planning, and revenue cycle work can produce errors that spill into staffing decisions or financial reporting. And if AI recommendations are not logged alongside clinician responses, the organization may not be able to reconstruct the decision path during an adverse event review or litigation.
Regulatory pressure is climbing too. HTI-1 added transparency and risk-management requirements for predictive AI in certified EHR technology, including training data sources, fairness metrics, and update cadence.[13][14][15][16][17] Boards should make sure AI governance lines up with those requirements.
Boards need one clear view of these risks before they can assign controls, owners, and reporting. Once each bucket is visible, accountability gets much easier to set.
The solution: what board-ready AI governance should include
Once those risks are on the table, boards need three controls: an AI inventory, cross-functional oversight, and board reporting. Start with the inventory. Everything else rests on it.
Build an AI inventory with ownership, risk tiering, and review triggers
An AI inventory is the base layer. Every AI system - whether built in-house or bought from a vendor - that affects patient care, PHI, operations, or financial decisions should have a record. That record should spell out what the system does, what data it uses, who owns it, and what risk tier it falls into.
Use a four-level tier: low, medium, high, and critical. Assign the tier based on patient safety, PHI sensitivity, cyber exposure, and regulatory impact. If one area stands out as the highest risk, that should set the tier and the amount of oversight required.[23][28]
Reassessment triggers also need to be clear. That includes model updates, expansion into new patient groups, new EHR integrations, incidents, and regulatory changes. When you build those triggers into existing change management workflows, risk review becomes automatic whenever a major change gets approved.[23][28]
Set up cross-functional governance with human oversight and escalation paths
No single team can handle AI risk alone. Clinical leaders own safety. The CISO owns security. Legal, compliance, and privacy teams handle regulatory and HIPAA review. Procurement builds contract controls into vendor deals. Enterprise risk keeps the issue inside ERM.
A chartered AI governance committee should review high-risk use cases, document exceptions, and escalate issues that stay unresolved. That gives directors a clean path to review high-risk tools and incidents. Joint Commission guidance calls for formal governance and board updates on AI use, outcomes, and adverse events.[1][21]
Any AI-related incident tied to patient harm, PHI exposure, or material cyber risk should have a set path to board notification, with plain thresholds for escalation.
Give the board reporting that shows exposure, exceptions, and remediation status
Once ownership and escalation are set, the board needs reporting that shows exposure, exceptions, and remediation status. A quarterly board AI risk report should focus on what directors need to make decisions - not a pile of technical detail.[20][22][24][25][26][27]
| Report Element | What It Shows |
|---|---|
| AI inventory overview | Total systems in use, split by internal vs. vendor and by domain |
| High-risk use cases | Systems classified high or critical, with function and key controls |
| Validation and monitoring status | Clinical validation, bias testing, and local performance findings |
| Control gaps and exceptions | Open gaps, approved exceptions, and their documented rationales |
| Third-party exposure | Vendor AI tools, data flows, and any material changes or incidents |
| Incidents and near-misses | Summary of safety, privacy, or cyber events with remediation actions |
| Overdue remediation | Past-due items with risk ratings and named accountable owners |
This format helps boards ask sharper questions, check whether management’s controls are working, and document oversight in board minutes. That matters for regulatory and legal defensibility.
With governance in place, the next step is to standardize assessments across enterprise and vendor workflows.
How healthcare organizations can improve AI visibility and control
Standardize AI assessments across enterprise and third-party risk workflows
Once the inventory and reporting setup is in place, the next move is simple: build AI checks into the risk workflows teams already use.
That means adding third-party AI risk assessment steps to vendor risk and ERM reviews so the organization can close the visibility gap. If a new clinical decision support tool or imaging AI comes up for review, the standard vendor questionnaire should go beyond the usual basics. It should ask about algorithm transparency, training data sources, local performance validation, bias testing, PHI handling, and how the vendor manages model updates.
This shifts AI review into procurement instead of treating it like a side task. Each review should also assign:
- a clear owner
- a risk tier
- a next action
The level of review should match the level of risk. High-risk clinical AI needs a full assessment. Lower-risk automation may only need a lighter review. That tiered approach gives teams exposure data they can actually act on, and it feeds straight into board oversight.
When findings are high-risk, they should move automatically to the right people across clinical, security, and compliance teams. Censinet RiskOps™ can pull questionnaires, evidence requests, approvals, and reassessment triggers into one workflow. If a vendor pushes a major model update, the platform can automatically launch a reassessment task, notify the right reviewers, and keep a full audit trail of findings and sign-offs.
That automated trigger matters. It turns AI risk management from a one-off review into something teams can run again and again, even across a large health system.
Use dashboards and governance workflows to support board decisions
AI findings need to get to the right reviewers fast, with due dates and clear escalation rules.
If a new AI tool is marked high-risk, the workflow should automatically assign review tasks to clinical leadership, IT security, and compliance. And if issues sit unresolved, the process should escalate them without waiting for someone to chase people down manually.
Censinet RiskOps™ can act as the dashboard for this kind of coordinated oversight. It can route key assessment findings and tasks to named stakeholders, including members of the AI governance committee, for review and approval. An AI risk dashboard can pull together live data on AI tools, open findings, and remediation status so boards and executives can see exposure in one place.
Censinet AI Telemetry continuously classifies products as AI-enabled, non-AI, or unknown, replacing one-time discovery snapshots with continuous monitoring.[29] That keeps board reporting current without manual compilation.
Those live findings should feed the board dashboard in real time, showing current exposure, named owners, and visible remediation status.
Conclusion: clearer AI risk visibility leads to better board decisions
AI now shapes clinical decisions, vendor relationships, daily operations, and patient data handling. And the risk isn’t boxed inside IT. It reaches into bias, PHI leakage, weak vendor controls, and gaps in oversight.
The evidence is hard to ignore. Research published in JAMA found that clinicians exposed to systematically biased AI predictions saw their diagnostic accuracy drop by 11.3 percentage points, and explanations alone did not fix the problem.[31][32] At the same time, 81.2% of large-scale healthcare breaches in 2024 were tied to hacking and IT incidents, with each breach affecting an average of 439,796 records.[30] Risks like these become easier to handle only when boards can see them plainly and follow them over time.
What boards need is steady visibility, not a pile of technical jargon. They need to know:
- which AI tools are in use
- what decisions those tools influence
- who is accountable for each one
- whether performance is being checked after deployment
That also includes AI built into third-party platforms, such as EHRs and revenue-cycle tools, where risk can build in the background without board review.
That’s why the inventory, oversight, and reporting described above matter. The Joint Commission's guidance on responsible AI use places AI oversight with the governing body, calling for formal governance structures and mechanisms to keep boards updated on AI uses, outcomes, and adverse events.[1][4] In plain English, AI governance belongs on the board’s standing agenda: regular reporting, clear ownership, escalation criteria, and documented remediation.
Clear AI risk visibility doesn’t put the brakes on innovation. It gives boards a firmer footing. When they can see exposure trends, open findings, and remediation progress, they’re in a much better position to back AI adoption without giving up patient safety, privacy, or compliance.
FAQs
How should a board prioritize AI risks?
Boards should begin with a full, enterprise-wide AI inventory. That means listing not just stand-alone AI tools, but also AI features tucked inside vendor platforms and internal EHR workflows. If it uses AI in any form, it should be on the list.
From there, group those tools by risk. Put the most attention on AI tied to patient safety, clinical decision-making, PHI, or revenue-cycle operations. That way, validation, human review, and continuous monitoring stay focused on the systems where a failure could do the most clinical or regulatory damage.
What makes vendor AI harder for boards to oversee?
Vendor AI is tougher for boards to oversee because it often shows up through opaque channels. That can mean quiet platform updates or tool rollouts inside a single department, with no stop at the usual procurement or security checkpoints.
When a health system doesn't have one shared inventory, clear ownership, audit rights, or standard monitoring, blind spots pile up fast. Teams can miss model drift, biased outputs, data leakage, and even fourth-party dependencies. The result is a serious accountability gap.
How often should boards review AI risk reports?
Healthcare boards should get AI risk reports every quarter. Those reports should make it easy to spot where risk is going up, and they should include named owners, open issues, and clear review dates.
Boards should also make sure AI governance is written into a committee charter. That charter should spell out when issues need to be escalated, including safety events, bias, model drift, data leaks, and system outages.