Skip to content

AI governance for healthcare

Your board owns the safety of every clinical judgement AI touches.

AI is moving into triage, note-taking, monitoring and administration across independent providers, care groups and NHS-adjacent organisations, often inside supplier systems the board cannot independently test. CQC holds the registered provider accountable for safe care and good governance, and where a tool informs diagnosis or treatment the MHRA may regulate it as a medical device. Governance AI gives boards the literacy, controls and evidence to govern AI against the duties they are inspected on.

A clinical decision informed by AI is still a clinical decision the provider answers for.

Health and care serves people who are often unwell, vulnerable or without an alternative, so any AI that touches triage, monitoring or clinical documentation carries an elevated safety burden. CQC regulates providers under Regulation 12 on safe care and treatment and Regulation 17 on good governance, and its published position is that a provider using AI must still meet those outcomes and evidence effective oversight of it. AI deployed without board-level assurance or safety testing is a direct gap that an inspection can act on.

The accountability does not move to the vendor. Where a tool is intended to inform diagnosis, prognosis or treatment it may be a medical device regulated by the MHRA, whose Software and AI as a Medical Device programme tightened post-market surveillance expectations in 2025. Registered clinicians remain personally accountable to the GMC or NMC for decisions they make with AI support, and special category health data sits under UK GDPR. Most AI governance is performance, not protection.

The standards health and care providers are held to.

AI does not create a separate rulebook. It runs through the duties and regulators you already answer to.

  • Care Quality Commission (CQC)

    Regulates providers under Regulation 12 (safe care and treatment) and Regulation 17 (good governance). Its position is that AI in regulated care must still meet those outcomes with evidenced board oversight and risk management.

  • Medicines and Healthcare products Regulatory Agency (MHRA)

    Where a tool is intended to inform diagnosis, prognosis or treatment it may be Software as a Medical Device. The MHRA's programme tightened post-market surveillance duties in 2025, so confirm a tool's classification before deployment.

  • ICO, UK GDPR and Data Protection Act 2018

    Health records are special category data. Processing them through AI needs a lawful basis, a completed Data Protection Impact Assessment and Article 22 safeguards where a decision is solely automated.

  • NHS DSPT and DTAC

    Where you connect to NHS systems or contract with the NHS, the Data Security and Protection Toolkit and the Digital Technology Assessment Criteria set the data security, clinical safety and interoperability bar an AI tool must clear.

  • GMC and NMC professional duties

    Where AI assists a clinical decision, the registered doctor or nurse remains personally accountable for it. The board must ensure clinicians can exercise, and evidence, meaningful professional judgement over any AI output.

What good AI governance looks like for health and care providers.

The Board AI Scorecard measures five areas. Here is what each means in your sector.

Accountability & board oversight

Name who at board level owns each AI system that touches a patient or service user, so an inspector can see accountability sits with the registered provider and the responsible clinician, not the supplier.

AI policy & controls

Set a board-approved AI policy that maps to CQC Regulations 12 and 17, states which clinical and care tasks AI may support, and requires a documented human clinical decision before any AI output affects care.

Risk, transparency & assurance

Register every AI tool, confirm whether it is a regulated medical device, and test it for safety, bias and failure modes against vulnerable groups, with a clinical safety case where a tool touches diagnosis, monitoring or treatment.

Data & security

Hold a completed Data Protection Impact Assessment, DSPT compliance and clear limits on whether patient data leaves your control before special category health data feeds any AI tool or third-party model.

Board literacy & capability

Equip a board recruited for clinical, care and finance expertise to interrogate model safety, evidence base and vendor claims, rather than rely on assurance it cannot independently test.

Questions your board should be asking.

  • Where is AI already supporting care across triage, monitoring, clinical documentation and administration, and for each, has anyone confirmed whether it is a medical device the MHRA regulates?
  • For any AI touching a clinical or care decision, can we evidence a documented human clinical judgement, a clear accountable clinician, and a safety case proportionate to the risk?
  • Have we completed a Data Protection Impact Assessment and satisfied DSPT and UK GDPR before special category health data goes near an AI tool or third-party model?
  • How have we tested these tools for safety and bias against the vulnerable groups we serve, and who is accountable for that testing at board level?
  • Can we explain to CQC, to a clinician and to a patient how an AI-supported decision was reached, including inside third-party vendor systems?
  • What board-level oversight, policy and risk reporting do we hold for AI, and how does it map to CQC Regulations 12 and 17 and our clinical governance framework?

Taking these to a meeting? Print the one-page board pack.

We govern the AI and we build the controls that keep care safe.

Start with the free Board AI Scorecard to see where your board stands in about two minutes. The AI Wake-Up Call is a board session that gets members fluent in the AI decisions in front of them, and the GovernIQ™ Diagnostic gives a scored read of your AI governance against the duties you are inspected on. Our work is grounded in the practice of our founder, Karl George MBE, creator of the tgf Governance Code, and aligned to ISO/IEC 42001, the NIST AI Risk Management Framework and UK GDPR. We help you prepare for certification against ISO/IEC 42001. We do not issue it.

See where your board stands before an inspector asks.

Take the free Board AI Scorecard, or book a short conversation about where your AI exposure sits across triage, monitoring, documentation and patient data.