Healthcare organizations no longer have the luxury of treating AI as an experimental side project. Ambient documentation, coding automation, referral workflows, patient messaging, and agentic back-office operations are already moving from pilots into production. For health systems, the challenge is no longer whether AI will be used. It is how to govern it safely, prove value quickly, and earn clinical trust without creating another layer of bureaucracy.

That tension was a central theme in a recent discussion featuring Dr. Stacy Johnston, CIO and Digital Execution Officer at Beacon Health System. Her perspective is especially useful because it bridges both sides of the problem: clinician workflow and enterprise technology. Rather than presenting AI as a futuristic concept, she described it as an operational discipline - one that requires governance, training, defined ROI, and careful alignment with care delivery.

This article distills the most important lessons from that conversation and expands on what they mean for healthcare IT, cybersecurity, compliance, and executive leadership teams.

Key Takeaways

  • Start governance before scaling AI. An AI council, clear approval paths, and written permitted/prohibited use policies should come before widespread deployment.
  • Treat AI as a workflow redesign effort, not a software rollout. Failed implementations usually reflect poor change management, unclear goals, or weak training.
  • Prioritize use cases with measurable ROI. In tight-margin environments, AI projects need defined financial, operational, or clinical value.
  • Use augmentation before autonomy in clinical settings. Clinicians are more likely to trust AI that assists rather than replaces judgment.
  • Centralize oversight, but consider federated adoption. Local departments should help shape use and monitor fit, while enterprise teams maintain standards and controls.
  • Require vendor transparency. Ask how models work, where data is stored, what LLMs are used, and how drift and bias are monitored.
  • Invest in AI literacy for leaders and managers. Governance fails when users do not understand what AI is allowed to do - or what it should never do.
  • Monitor production AI continuously. Drift, bias, overreliance, and PHI handling risks do not end at go-live.
  • Focus early on burden reduction. Messaging, refill workflows, coding, scheduling, and documentation often yield faster wins than ambitious clinical autonomy.
  • Build trust incrementally. Health systems do not need to leap to "autopilot." They need a series of safe, visible wins.

AI Governance in Healthcare Is Really About Operational Discipline

One of the clearest messages from the discussion was that AI governance is not just a risk program. It is an operating model.

In many organizations, governance is treated as a gate: a checklist, a legal review, a security signoff, and then deployment. That approach is too shallow for healthcare AI. Clinical and operational AI systems do not simply process transactions; they influence prioritization, documentation, communication, triage, and potentially patient outcomes.

Dr. Johnston described Beacon’s approach as beginning with broader IS governance, then expanding into dedicated AI governance. That sequence matters. AI cannot be well governed if the underlying intake, prioritization, and ownership model for technology is already fragmented.

For executives, this suggests a practical truth: if your organization’s general digital governance is weak, your AI governance will be weaker.

The First Principle: Solve a Real Problem, Not an AI Problem

A recurring idea throughout the conversation was that organizations often misframe AI work. The question should not be, "Where can we use AI?" It should be, "What problem are we trying to solve?"

That distinction matters because healthcare enterprises often have multiple stakeholders defining "value" differently:

  • Operations may want throughput or reduced labor costs
  • Clinicians may want fewer clicks and less after-hours work
  • Revenue cycle leaders may want faster, cleaner reimbursement
  • Compliance teams may want standardized, auditable workflows
  • Security teams may want better control over data movement and vendor exposure

Those goals can overlap, but they are not identical. An AI implementation launched without shared problem definition can succeed technically and still fail organizationally.

This is especially relevant in health systems where tool sprawl is already a problem. If every department buys AI to address its own pain points without system alignment, the organization ends up with fragmented oversight, inconsistent risk posture, and unclear accountability.

Where AI Appears to Be Working Today

Despite the hype cycle, the conversation offered a grounded picture of where AI is producing value now. The most mature use cases were not science-fiction diagnostics. They were high-friction, repetitive workflows with measurable operational burden.

Back-office and revenue cycle automation

Dr. Johnston pointed to coding automation, benefits verification, and agentic call-return workflows as meaningful opportunities. This aligns with a broader pattern across healthcare: back-office functions tend to be the first place AI scales because they involve:

  • Repeatable processes
  • Structured inputs
  • Clear productivity metrics
  • Lower immediate clinical risk

These use cases also offer a more straightforward path to ROI. For boards and CFOs, they are easier to defend than tools framed around "innovation" alone.

Scheduling and system conversion workflows

One especially useful example involved a multi-hospital acquisition and the need to load roughly 100,000 appointments into a new system in a compressed timeframe. Rather than staffing up manually, Beacon used an autonomous agent to handle ambulatory scheduling migration.

The larger lesson is not just that AI can save labor. It is that AI can help organizations absorb major transformation events - acquisitions, EHR transitions, backlog cleanup, and large-scale data rework - where traditional staffing models are too slow or too expensive.

Clinical augmentation

In clinical settings, AI appears most accepted when it acts as a co-pilot:

  • Ambient documentation
  • Message drafting
  • Radiology prioritization
  • Summarization
  • Refill support
  • Referral workflow assistance

These are not trivial wins. In many health systems, clinician burnout is driven less by core diagnosis and treatment than by inbox volume, documentation burden, and administrative fragmentation. AI that removes friction from those tasks can improve both workforce sustainability and care continuity.

Why Ambient AI Is Gaining Traction Faster Than Other Clinical Use Cases

The strongest clinical adoption example in the discussion involved ambient documentation. According to Dr. Johnston, clinicians using the tool saw note creation time drop substantially, and Beacon observed revenue improvement through better capture of documentation.

That combination is powerful. Ambient AI is succeeding not because it is flashy, but because it hits several executive priorities at once:

  • It reduces cognitive load
  • It shortens documentation time
  • It improves provider experience
  • It may improve coding specificity
  • It fits into existing workflows more naturally than standalone tools

This also explains why ambient AI may be one of the most important "gateway" technologies in healthcare. It builds trust. A physician who sees documentation burden drop without sacrificing note quality becomes more open to adjacent AI capabilities.

That trust-building sequence may be one of the most important strategic lessons for health systems. AI adoption in healthcare is cumulative. Confidence in one low-risk, high-value use case creates room for the next.

Underappreciated Use Cases: The Inbox, Refills, and Referral Management

One of the most practical parts of the discussion was the emphasis on inbox and communication burden. Patient portal volume has surged since the pandemic, especially in primary care. That trend creates uncompensated clinical work and raises cognitive fatigue.

AI support for in-basket messaging may still feel mundane compared with diagnostic AI, but it is likely one of the highest-leverage opportunities in ambulatory medicine.

Why?

Because even modest efficiency gains compound quickly when message volume is rising faster than staffing. If AI can draft responses, improve routing, and keep non-clinical questions away from physicians, it can reduce one of the fastest-growing sources of invisible provider overload.

The same logic applies to:

  • Medication refills
  • Referral management
  • Care-gap outreach
  • Routine follow-up communication

These are good examples of where healthcare AI strategy should be more conservative and more ambitious at the same time: conservative in risk, ambitious in scale.

AI Governance Must Be Policy, Process, and Runtime Control

The governance model described by Dr. Johnston included several important elements:

  • An AI advisory council
  • Executive steering involvement
  • Written AI usage policies
  • Defined permitted and prohibited use
  • Vendor-submitted AI risk questionnaires
  • AI literacy training
  • Ongoing AI monitoring for issues such as drift and bias

For security and compliance leaders, this is a useful framework because it recognizes that governance is multi-layered.

Policy governance

At the policy level, organizations need clear rules on:

  • Whether workforce members may use public LLMs
  • What kinds of data may enter AI tools
  • Which uses are allowed only through approved platforms
  • What clinical autonomy is acceptable

The discussion specifically highlighted the need to prohibit placing PHI into unauthorized tools. That seems obvious, yet it remains one of the most common weak points in enterprise AI adoption. Shadow AI is often a policy failure before it becomes a technical one.

Intake and approval governance

Beacon’s reported use of a vendor-completed AI review form is especially notable. This is a smart move because many traditional vendor risk questionnaires do not go deep enough on AI-specific issues.

A strong AI review process should ask:

  • What model or models are being used?
  • Is the solution using a third-party LLM?
  • How is customer data isolated?
  • Where is data stored and retained?
  • Is model training performed on customer data?
  • What bias testing is performed?
  • How is drift detected?
  • What human review exists?
  • What auditability is available?

These questions matter not only for safety, but for contracting, indemnification, breach response, and regulatory defensibility.

Runtime governance

Perhaps the most important governance insight was the idea that monitoring cannot stop at implementation. Production AI systems need oversight analogous to cybersecurity telemetry.

That includes monitoring for:

  • Model drift
  • Bias patterns
  • Unexpected output changes
  • Inappropriate escalation behavior
  • Usage outside approved contexts
  • PHI exposure risks
  • Operational degradation

This is where healthcare cybersecurity leaders should pay close attention. AI governance and cyber governance are converging. A model that mishandles data, behaves unpredictably, or influences workflow in opaque ways is not just an innovation concern; it is a resilience concern.

The Governance Challenge: Don’t Become a Bottleneck

Every health system faces the same tension: if governance is too loose, risk escalates; if it is too rigid, innovation moves around it.

Dr. Johnston’s answer was not to abandon governance, but to make it more agile and more capacity-aware. That is an important distinction. Many "slow governance" complaints are really resource complaints. A review process staffed for occasional software requests will break under AI demand.

This creates a practical strategic requirement: if leadership wants AI speed, it must fund AI operating capacity.

That means dedicated people for:

  • Evaluation
  • Vendor review
  • Solution design
  • Clinical partnership
  • Model oversight
  • Training
  • Change management
  • Measurement

Without that capacity, organizations either slow down or allow unsafe decentralization.

Centralized Governance, Federated Ownership

One of the most mature ideas in the discussion was the distinction between centralized monitoring and federated adoption.

That model makes sense for large health systems because AI value is often local while AI risk is enterprise-wide.

A workable pattern looks like this:

Centralized functions

  • Policy
  • Security standards
  • Vendor review
  • Data governance
  • Monitoring standards
  • Enterprise reporting
  • Escalation protocols

Federated functions

  • Departmental prioritization
  • Workflow design
  • Day-to-day performance review
  • Adoption coaching
  • Local success metrics
  • Retirement decisions for low-value tools

This hybrid model is likely where many health systems will land. It preserves enterprise control without disconnecting AI from operational realities.

Why AI Literacy Is Now a Management Competency

A particularly strong point from the conversation was the role of AI literacy training, especially for managers and above.

That is a crucial insight. AI literacy is often discussed as a broad workforce skill, but in healthcare the highest-risk failures may come from leaders who approve, deploy, or tolerate AI use without understanding its limits.

Managers do not need to become model engineers. But they do need to understand:

  • The difference between augmentation and autonomy
  • Why hallucinations matter differently in different workflows
  • What drift looks like in practice
  • What data can and cannot be used
  • When to escalate concerns
  • How to supervise AI-enabled workflows

This is comparable to how cybersecurity awareness evolved. Basic employee training mattered, but leadership accountability mattered more.

ROI Should Be a Gate, Not a Postscript

One of the most disciplined parts of Beacon’s reported approach is the requirement that AI proposals include defined ROI. Where value is softer - such as clinician experience - it may require executive review rather than routine approval.

That approach is especially relevant now. Many health systems are operating under margin pressure, labor constraints, and competing digital priorities. AI enthusiasm alone is not enough.

Still, ROI in healthcare AI should be broader than simple headcount reduction. Dr. Johnston made an important point: in many cases, the issue is not eliminating staff, but filling chronic vacancies or reducing contractor dependence.

That distinction matters because healthcare labor economics are different from other industries. Health systems may justify AI through:

  • Reduced contractor spend
  • Better documentation capture
  • Throughput improvement
  • Lower burnout-related turnover risk
  • Faster task completion
  • Better access performance
  • More consistent screening and follow-up
  • Avoided leakage or avoidable utilization

A mature AI business case should account for both hard-dollar and capacity-based returns.

Trust in Clinical AI Must Be Earned in Stages

The discussion made clear that hospitals are not ready to hand clinical decisions fully to AI, and that caution is appropriate. Trust grows by stages.

A sensible maturity path may look like this:

  1. Administrative automation
  2. Clinical augmentation
  3. Guided recommendations
  4. Queued actions requiring human signoff
  5. Selective autonomy in narrow, low-risk domains

This sequence fits both safety logic and adoption psychology. Clinicians are unlikely to trust autonomous systems if earlier tools were poorly integrated, unreliable, or difficult to validate.

Dr. Johnston’s framing was especially practical: clinicians may accept AI-generated notes they can review, but not notes submitted without their review. That is a useful reminder that trust is not binary. It is contextual.

What Healthcare Leaders Should Watch Next

Several future-facing ideas from the conversation deserve attention, even if they remain unevenly deployed today.

AI plus wearables and remote monitoring

The issue is no longer whether data can flow in from devices. The issue is who owns the response workflow. Continuous monitoring without operational accountability simply creates more alerts and liability.

AI plus genomics

This may become one of the most consequential long-term areas for clinical decision support. The challenge is not only data integration, but presenting actionable guidance without overwhelming clinicians.

AI-driven patient interaction

Agentic phone calls, empathy-driven outreach, and in-room AI support are emerging. These raise important questions around consent, disclosure, escalation, and trust. For cybersecurity and compliance leaders, they also raise concerns about identity assurance, call integrity, and documentation.

The semantic EHR layer

The idea of rebuilding EHR interaction around summarization, ambient capture, and intelligent order support points toward a more conversational interface for care delivery. Whether vendors can deliver this safely at scale remains to be seen, but the direction is clear: the user interface of clinical work is being reimagined.

A Practical Blueprint for Health Systems Starting Now

For leaders building or tightening AI governance, the conversation points to a usable roadmap.

1. Establish a formal AI governance body

Include clinical, compliance, ethics, risk, security, IT, and operational representation.

2. Define permitted and prohibited use immediately

Do not wait for perfect maturity. Set clear boundaries now, especially around PHI and public AI tools.

3. Create an AI-specific vendor intake process

Traditional software review is not enough.

4. Choose a few high-confidence use cases

Favor burden reduction, measurable outcomes, and low-to-moderate risk.

5. Require explicit ROI or executive sponsorship

Do not allow AI projects to move forward on novelty alone.

6. Train managers, not just end users

Supervision is part of governance.

7. Monitor post-deployment behavior

Bias, drift, and misuse emerge after implementation, not before.

8. Separate AI capacity from routine IT maintenance where possible

If AI is everyone’s side job, it will not scale safely.

9. Build for integration, not app sprawl

Tools that sit outside core workflows will struggle to gain trust.

10. Move from co-pilot to autonomy only where risk justifies it

Not every domain should aim for autopilot.

Conclusion

The most valuable insight from this discussion is that healthcare AI governance is not mainly about saying no. It is about making safe, scalable adoption possible.

Health systems do not need to choose between innovation and control. But they do need structure: clear policies, interdisciplinary review, runtime monitoring, strong vendor scrutiny, and a realistic view of ROI. They also need humility. Many of the highest-value AI wins are not glamorous; they are the daily frictions that wear down clinicians and operations teams alike.

The organizations that succeed will likely be the ones that treat AI less like a moonshot and more like a managed clinical-operational capability. In that model, governance is not an obstacle to transformation. It is what makes transformation durable.

Source: "AI Explained: Lessons from a Physician-CIO on AI Governance" - Fiddler AI, YouTube, Apr 23, 2026 - https://www.youtube.com/watch?v=0hIMsbjsV_g

Related Blog Posts