
AI Risk Management in Healthcare: How to Build a Governance Program Using NIST AI RMF
Published On April 29, 2026
by Jonathan Elmer and Shaunak Godbole
As we move deeper into 2026, the integration of Artificial Intelligence (AI) into clinical workflows is no longer a “future” trend; it is a present reality. From predictive diagnostics to automated revenue cycle management, AI is transforming patient care. These advances bring significant risks, however: algorithmic bias, data privacy obligations under HIPAA, and the potential for hallucinated clinical content that reads as authoritative but is wrong.
To navigate this landscape, healthcare organizations are turning to the National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF). Unlike static checklists, the NIST AI RMF provides a flexible, lifecycle-based approach to building a trustworthy AI ecosystem.
2026 Outlook: The Shift from Innovation to Infrastructure
According to recent industry analysis, including our 2026 Healthcare Security Outlook, this year represents a “stress test” for AI governance. We are seeing a critical shift: AI is moving from experimental pilots into core infrastructure across clinical and administrative functions. However, this rapid adoption has introduced a new, immediate threat: Shadow AI.
Examples include staff pasting patient records into consumer AI tools such as ChatGPT, vendors quietly enabling AI features in platforms after the contract has been signed, and developers wiring unofficial AI APIs into internal workflows. From a regulatory standpoint, submitting PHI to any AI tool whose provider has not signed a Business Associate Agreement (BAA) is a potential HIPAA violation regardless of whether a breach ever occurs: the disclosure itself, not a later compromise, is what the rule prohibits.
In addition, an unvalidated AI summarization tool that hallucinates or omits critical clinical detail can directly affect care decisions, with no audit trail or accountability chain. One of the key findings from our 2026 research is that mature healthcare leaders are no longer prioritizing “fast” AI. Instead, they insist that governance, policy, and data normalization precede automation, so that sanctioned tools exist before employees reach for consumer AI on their own.
Why Healthcare Needs a Dedicated AI Governance Program
Healthcare AI is about more than data; it is also about patient safety. A failure in a financial AI model might result in a lost transaction, but a failure in a clinical AI model, such as a sepsis prediction tool or a diagnostic imaging assistant, can have life-altering consequences.
A formal governance program ensures that AI adoption is not just fast, but responsible and compliant.
The Four Pillars of the NIST AI RMF in Healthcare
The NIST AI RMF is structured around four core functions: Govern, Map, Measure, and Manage. Here is how to apply them specifically within a healthcare environment:
Govern: The Foundation of Accountability
Governance is the “culture of risk management”: the policies, team structures, and leadership buy-in needed to oversee AI across its lifecycle.
- Establish an AI Governance Committee: Membership should include clinical leadership, IT security, legal, and health equity advocates.
- Define Risk Appetite: Determine which AI applications are “high-risk” (e.g., direct patient triage) versus “low-risk” (e.g., scheduling automation), and require proportionally stricter validation and sign-off for the former.
Map: Understanding the Context
Before you can manage a risk, you must understand where it lives. Mapping involves documenting the AI lifecycle.
- Inventory Your AI Assets: Create an “AI Bill of Materials” (AI-BOM) for every tool, whether developed in-house or purchased from a vendor, recording at minimum the model and version, the vendor or owning team, the data it was trained on, and whether it processes PHI.
- Assess Impact: Map how Protected Health Information (PHI) flows into, through, and out of each model, and identify the points where data could leak or where bias could enter (for example, training data that under-represents a patient population).
Measure: Quantifying Trustworthiness
After you understand your AI landscape, you must test it. This function focuses on technical and qualitative assessment.
- Algorithmic Bias Testing: Regularly audit models to confirm they perform equitably across patient demographics, including race, gender, and age; compare error rates per subgroup rather than relying on a single aggregate accuracy figure.
- Performance Monitoring: Track “model drift,” the degradation of a model’s accuracy as real-world data evolves away from its training set, by comparing the distribution of current inputs and outputs against the validation-time baseline.
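The two Measure activities above are concrete enough to script. The following is an added example, not code from the original post or from Meditology: it audits a binary clinical classifier (think of the sepsis predictor mentioned earlier) for unequal sensitivity and false-positive rates across demographic subgroups, then checks for drift by computing a population stability index (PSI) between the validation-time score distribution and the current production one. The validation rows, the score distributions, the bin edges and the alerting thresholds (a 0.1 maximum between-group gap, a 0.25 PSI ceiling) are all constructed here for illustration; a real audit would pull them from the model’s validation set and production logs.

```python
"""Per-subgroup performance audit and drift check for a binary clinical model.

Added illustration, not code from the original post. The validation set, the
score distributions and the alerting thresholds are all constructed here.
"""
import math
from collections import defaultdict


def subgroup_rates(records, group_key="group"):
    """Sensitivity (TPR), false-positive rate and alert rate per subgroup.

    Each record holds the protected attribute under ``group_key``, the true
    outcome ``label`` (1 = event occurred) and the model's binary ``pred``.
    """
    cells = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for r in records:
        c = cells[r[group_key]]
        if r["label"] == 1:
            c["tp" if r["pred"] == 1 else "fn"] += 1
        else:
            c["fp" if r["pred"] == 1 else "tn"] += 1
    rates = {}
    for group, c in cells.items():
        pos, neg = c["tp"] + c["fn"], c["fp"] + c["tn"]
        rates[group] = {
            "n": pos + neg,
            "tpr": c["tp"] / pos if pos else float("nan"),
            "fpr": c["fp"] / neg if neg else float("nan"),
            "alert_rate": (c["tp"] + c["fp"]) / (pos + neg),
        }
    return rates


def equalized_odds_gap(rates):
    """Largest between-group spread in TPR and in FPR; 0.0 means equal treatment."""
    tprs = [v["tpr"] for v in rates.values() if not math.isnan(v["tpr"])]
    fprs = [v["fpr"] for v in rates.values() if not math.isnan(v["fpr"])]
    return {"tpr_gap": max(tprs) - min(tprs), "fpr_gap": max(fprs) - min(fprs)}


def population_stability_index(baseline, current, edges, eps=1e-4):
    """PSI between two score distributions binned on the same edges.

    Rule of thumb used below: < 0.1 stable, 0.1-0.25 watch, > 0.25 drift.
    ``eps`` floors empty bins so the log term stays finite.
    """
    def proportions(values):
        bins = [0] * (len(edges) - 1)
        for v in values:
            for i in range(len(bins)):
                if edges[i] <= v < edges[i + 1] or (v == edges[-1] and i == len(bins) - 1):
                    bins[i] += 1
                    break
        return [max(b / len(values), eps) for b in bins]

    return sum((c - b) * math.log(c / b)
               for b, c in zip(proportions(baseline), proportions(current)))


def audit_findings(records, baseline, current, edges, max_gap=0.1, max_psi=0.25):
    """Run both checks and return human-readable findings for the governance committee."""
    findings = []
    gap = equalized_odds_gap(subgroup_rates(records))
    for name in ("tpr_gap", "fpr_gap"):
        if gap[name] > max_gap:
            findings.append(f"bias: {name} {gap[name]:.2f} exceeds {max_gap}")
    psi = population_stability_index(baseline, current, edges)
    if psi > max_psi:
        findings.append(f"drift: PSI {psi:.2f} exceeds {max_psi}")
    return findings


def _cases(group, tp, fn, fp, tn):
    """Constructed validation rows for one demographic subgroup."""
    return ([{"group": group, "label": 1, "pred": 1}] * tp
            + [{"group": group, "label": 1, "pred": 0}] * fn
            + [{"group": group, "label": 0, "pred": 1}] * fp
            + [{"group": group, "label": 0, "pred": 0}] * tn)


# Constructed data: the model catches 4 of 5 sepsis cases in group A but only
# 2 of 5 in group B, with the same false-positive rate in both groups.
VALIDATION_SET = _cases("A", tp=4, fn=1, fp=1, tn=4) + _cases("B", tp=2, fn=3, fp=1, tn=4)

# Constructed risk-score distributions: the production population has shifted
# toward high scores since the model was validated.
SCORE_EDGES = [0.0, 0.33, 0.66, 1.0]
BASELINE_SCORES = [0.1] * 50 + [0.5] * 30 + [0.9] * 20
CURRENT_SCORES = [0.1] * 20 + [0.5] * 30 + [0.9] * 50

if __name__ == "__main__":
    for group, r in subgroup_rates(VALIDATION_SET).items():
        print(group, {k: round(v, 2) for k, v in r.items()})
    for f in audit_findings(VALIDATION_SET, BASELINE_SCORES, CURRENT_SCORES, SCORE_EDGES):
        print("FINDING:", f)
```

On the constructed data the aggregate sensitivity is 60%, which hides the fact that group B’s is half of group A’s; the per-subgroup view is what surfaces the equity problem, which is why the audit reports gaps rather than a single accuracy number. The PSI check is deliberately simple (fixed bins, no statistical test) so that it can run nightly against production logs; a committee would set the thresholds as part of its risk appetite rather than accept the rule-of-thumb values used here.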
Manage: Taking Action
Managing is the operational phase where you apply controls to the risks you’ve measured.
- Vendor Management: Ensure that Business Associate Agreements (BAAs) include specific clauses regarding AI transparency and incident reporting.
- As AI and ML tools proliferate across healthcare operations, OCR has signaled a sharper focus on how covered entities and their business associates govern AI-driven processing of PHI. OCR’s evolving enforcement posture, informed by HHS’s broader AI strategy and ONC’s framework for responsible AI use in health IT, underscores that standard BAA boilerplate may no longer be sufficient. BAAs must address the transparency, accountability, and incident notification obligations that AI deployments introduce, particularly where a business associate uses AI or automated decision-making tools that touch PHI.
- Incident Response: Develop a playbook for “AI failures,” such as what to do, and who has the authority to take the model out of production, when a clinical AI begins producing inaccurate recommendations.
Steps to Implementation: From Framework to Practice
- Conduct a Gap Analysis: Compare your current security policies against the NIST AI RMF to find where AI-specific controls are missing. Extend the comparison to HHS/OCR guidance, ISO/IEC 42001 (the AI management system standard), and the emerging HITRUST AI controls.
- Align with HIPAA and NIST CSF: Ensure your AI governance doesn’t exist in a silo. Map your AI RMF activities to your existing NIST Cybersecurity Framework (CSF) and HIPAA Security Rule controls.
- Prioritize Transparency: For clinical AI, “black box” models are a liability. Demand explainability from vendors so clinicians understand why a model reached a certain conclusion.
Ready to Secure Your AI Future?
The NIST AI RMF is not a one-and-done assessment; it is a continuous process of improvement. By building an AI governance program today, healthcare organizations can protect their patients, their data, and their reputations while harnessing the full power of AI innovation.
At Meditology Services, we specialize in helping healthcare organizations navigate the complexities of AI risk. From NIST AI RMF gap assessments to the development of robust AI governance frameworks, our team of experts is here to ensure your innovation is matched by your security.
Contact Meditology today to schedule an AI Risk Readiness Assessment.
About the Authors
Jonathan Elmer
Jonathan Elmer is a seasoned cybersecurity professional and IT risk management consultant with over a decade of experience. He is adept at delivering information security solutions aligned with business objectives, with a proven track record of leading regulatory and compliance initiatives and spearheading the implementation of technical security programs. His roles have included Chief Information Security Officer, Technical Services Lead, Medical Device Security Architect, and Sr. Manager of IT Risk Management Consulting at Meditology Services, demonstrating leadership in project delivery, strategic direction, and client engagement.
Shaunak Godbole
Shaunak Godbole is a Team Lead and a Cloud Security Architect at Meditology Services, LLC, where he architects enterprise-grade security solutions at the intersection of cloud infrastructure, AI-driven risk intelligence, and regulatory compliance. Holding a Master of Science in Computer Science and dual Microsoft Azure certifications (Azure Fundamentals and Azure Solutions Architect Expert), Shaunak brings over six years of deep, hands-on expertise in cloud security and risk management to some of the most complex environments in the healthcare sector.
As a founding contributor to Meditology’s Cloud Security Service Line, Shaunak has led his team in designing and delivering end-to-end cloud security programs for healthcare organizations across North America, including engagements with one of the continent’s largest and most complex health systems. His technical command spans cloud-native security architectures and the application of AI risk management frameworks to accelerate compliance workflows and threat detection at scale.
Shaunak operates as a recognized subject matter expert across the full spectrum of healthcare IT security frameworks, including HIPAA, NIST CSF, SOC 2, and HITRUST, translating regulatory complexity into pragmatic, scalable security controls.