How can healthcare organisations resolve gaps in trust and data governance to realise the full benefits of AI?

By Kate O’Flaherty

The healthcare sector is innovating using AI, with huge potential for the technology across areas including diagnostics, triage and administration.

In the UK, the NHS is already embracing AI beyond basic tasks. NHS England has started pilots for AI lung cancer screenings, where the technology can identify smaller issues than the human eye can see.

Meanwhile, the US Food and Drug Administration (FDA) has authorised over 1,000 AI-incorporating devices, the majority of which are used in radiology.

Over the past two years, healthcare leaders have shifted from questioning whether AI is relevant to focusing on how it can be used responsibly and at scale, according to a recent McKinsey report.

The figures show that half of US healthcare organisations have already implemented generative AI, and more than 80% of those have deployed their first use cases to end users. The next stage, according to McKinsey, is for organisations to move from using generative AI to create content and support individual tasks towards agentic AI that takes action and coordinates more complex processes.

Yet significant barriers are delaying healthcare AI innovation, including security risks and compliance issues from the vast amounts of sensitive data needed to train systems. How can healthcare organisations resolve gaps in trust and data governance to realise the full benefits of AI?

Highly-Sensitive Data

Healthcare data is among the most sensitive and multifaceted of any sector, combining medical records, personal identity data and financial information from multiple providers and systems.

“A patient’s information can sit across hospitals, GP practices, specialists, laboratories, pharmacies, insurers and technology platforms — often in incompatible formats with no unified record tying it together,” Craig Gravina, CTO of Semarchy explains.

The result is that no single system holds a complete picture of a patient. “Building that picture — the longitudinal patient record — is what is required to make AI work safely and effectively in a clinical setting,” Gravina tells IO. “Without it, AI is working from an incomplete and unreliable picture. In healthcare, this goes beyond being a data problem and it becomes a patient safety issue.”

As AI becomes embedded in clinical workflows, organisations face increasing pressure to answer fundamental questions: Where did this data originate, has it been validated, who can access it, and can AI-assisted decisions be audited? “When systems begin to influence clinical decisions at scale, weak data foundations expose serious gaps in trust and accountability,” says Gravina.

The introduction of AI technology creates issues in three areas: accountability, explainability and consent, says Mike Macauley, general manager at Liferay. “No one knows who to blame when AI gives medical advice. If a system makes a recommendation, the law cannot say who is responsible for the outcome.”

Many AI models are effectively “black boxes” that do not explain how they reach a conclusion, according to Macauley. This creates a legal problem under the UK General Data Protection Regulation (GDPR), because patients have a right to know why a computer made a specific decision about their health, he says.

Meanwhile, companies often train their AI on data that was collected for one specific purpose and then reuse it for others. “This means they cannot prove they have the legal right to use the original data that taught the system,” Macauley tells IO.

The Hidden Issue

As AI is introduced into healthcare, an often-overlooked risk is what happens as data passes through a complex chain of third parties such as legacy platforms and external partners.

“Responsibility gets diluted at every handoff,” according to Semarchy’s Gravina. “It is not always clear who owns the data at each stage, who is accountable for its quality, or who is responsible when something goes wrong. When no single party has a complete, end-to-end view of the data lifecycle, governance breaks down.”

Adding to the complexity, traditional healthcare governance frameworks were designed for static systems with relatively stable data flows and fixed rules. Frameworks such as Cyber Essentials and NHS Information Governance, for example, only work for rigid systems. “AI breaks these rules because it constantly evolves,” says Liferay’s Macauley.

At the same time, a standard Data Protection Impact Assessment, as outlined by the GDPR, assesses a system only once. An AI that learns as it goes, however, can change its behaviour without anyone checking whether it is still safe or legal, according to Macauley.

Innovation Bottlenecks

A lack of confidence in governance holds back the progress of AI in healthcare by creating innovation bottlenecks: when organisations cannot trust their data foundations, AI adoption stalls.

“Leaders will hesitate to deploy AI in clinical settings if they cannot guarantee data quality and lineage, or demonstrate auditability to regulators,” says Semarchy’s Gravina. “The irony is that the governance infrastructure needed to scale AI safely is the same that delivers the longitudinal patient data view that makes AI more effective in the first place.”

Good governance is the enabler for effective healthcare AI, he explains. “Critically, exposing data to AI does not have to mean losing the governance value built around it — lineage, access controls, and data quality should travel with the data, not be left behind when it enters an AI pipeline.”

International Standards

Two international standards provide the framework for managing AI. ISO 27001 provides the foundation for strong information security and governance, helping to establish structured approaches to risk management, access control, incident response, asset management and accountability. This helps build “more defensible governance”, says Gravina.

ISO 42001 builds on this by introducing governance specifically designed for AI systems. It focuses on oversight, AI-specific risk management, transparency, and the responsible development and use of AI.

Together, these standards enable healthcare organisations to “move beyond ad hoc AI adoption towards a more structured governance model”, explains Gravina.

It’s clear AI offers huge potential in healthcare, if governance structures can be adapted to fit this innovative new era.

Patient trust should underpin everything, according to experts. Dr Loyhd Terrier, associate professor of organisational behaviour at EHL Hospitality Business School, advocates treating AI as an explicit service for the patient. “It should be traceable, explainable and can be declined – rather than an invisible back-office function.”

The starting point must be the data itself. Leaders need to understand whether their organisation has the foundations in place to build “a unified, longitudinal view of patient data across all systems and providers”, says Semarchy’s Gravina. “Without that, AI governance is built on sand.”

He recommends mapping where AI is already in use, identifying critical data flows and third-party dependencies, clarifying ownership and stewardship, and strengthening access controls, audit trails, and data quality end-to-end. “Privacy, security and AI governance must be aligned into a single cohesive approach, rather than managed in isolation.”
