The strategic shift from pilots to regulated infrastructure

Two developments are pulling healthcare AI out of experimental status.

The first is the normalization of AI in the administrative core of health systems. The OECD report’s claim of universal administrative use across member countries points to a pragmatic reality: organizations adopt technologies first where workflows are repeatable, outcomes are measurable in operational terms, and regulatory exposure is lower.

The second is the rise of foundation-model-era capabilities in clinical and near-clinical contexts. WHO’s guidance describes large multi-modal models as capable of ingesting and generating multiple data types, and notes both the rapid public adoption of prominent generative AI platforms and the implications for healthcare use—particularly the risks of false, inaccurate, biased, or incomplete statements and the tendency toward automation bias when humans over-rely on model outputs.

What is changing in 2026 is not simply that AI can perform more tasks. It is that the organization must increasingly account for AI as an ongoing actor in the system: embedded in documentation pipelines; shaping prioritization and triage; influencing the order of clinical attention; and introducing new failure modes whose detection is not always intuitive to clinicians. WHO explicitly links these dynamics to system-level risks, including cybersecurity threats that can endanger patient information or undermine trust in care delivery.

On the demand side, the market signals are consistent with a transition from opportunistic experimentation to institutional engagement. McKinsey’s survey of healthcare leaders reports that a large majority were either exploring or already adopting generative AI, and that partnerships—rather than pure in-house buildouts—were most common, reflecting the complexity of deploying models in regulated, data-sensitive workflows.

The implication is that “AI strategy” in healthcare increasingly resembles an infrastructure decision: it affects procurement, vendor selection, liability posture, workforce interactions, and regulatory documentation. This is the logic of regulated infrastructure: once embedded, AI becomes difficult to treat as a reversible pilot.

Where the economics are real and where they are premature

The near-term economic gravity in healthcare AI is concentrated in work that is high-volume, information-dense, and administratively burdensome—precisely the category that WHO includes as a core application area for large multi-modal models: clerical and administrative tasks such as documenting and summarizing patient visits inside electronic health records. The OECD’s observation that administrative use is already universal across member countries reinforces that this is the easiest domain for adoption to outpace the public narrative.

In this administrative layer, value can be real while still being fragile. It can hinge on workflow integration, accuracy thresholds, and downstream rework, not on model performance in isolation. McKinsey’s healthcare-leader survey reports self-reported returns on investment among some respondents, but it is also a reminder that early ROI claims frequently come from limited-scoped deployments and may not generalize across sites, specialties, or patient complexity.

In life sciences, the economic discussion is broader but equally contingent on execution. McKinsey cites estimates from the McKinsey Global Institute that generative AI could unlock substantial annual economic value for the pharmaceutical and medical products industries, tied to productivity and innovation across the value chain. Yet McKinsey’s own survey of pharma and medtech leaders points to an implementation gap: while all surveyed organizations had experimented with generative AI and a minority had taken steps to scale, only a small fraction described generative AI as a competitive differentiator producing consistent and significant financial value.

This pattern—large theoretical value, smaller realized value—often reflects the same bottlenecks: data readiness, governance, and the institutional cost of changing workflows. McKinsey’s life-sciences survey describes these challenges as systemic rather than purely technical, spanning strategy, talent, governance, change management, and risk.

A useful way to interpret the economics is through time horizons. Administrative AI can produce earlier productivity effects but invites measurement disputes about what gains are retained versus displaced. Clinical AI can produce defensible value primarily when it is supported by evidence that regulators, clinicians, and payers accept—and that evidence accumulation tends to move slowly.

Evidence is becoming a competitive advantage

Healthcare AI has a credibility challenge that does not exist in most other enterprise contexts. In medicine, the cost of being wrong is not merely operational; it can be clinical.

The current distribution of regulated AI devices reveals why this problem is persistent. A 2025 analysis in npj Digital Medicine reviewed FDA authorizations of AI/ML-enabled medical devices listed as of December 20, 2024 and found that most devices used images as core inputs, with radiology dominating review panels for image-based devices. The same study found that most devices served assessment functions rather than interventions, and it reported no evidence of large language models in the studied FDA device list at that time.

This concentration matters because the evidentiary norms of imaging AI—benchmarks, sensitivity/specificity in defined settings, and controlled validation datasets—do not automatically transfer to generative AI used for clinical documentation, patient messaging, or dynamic decision support.

Evidence gaps also show up postmarket. A 2025 cross-sectional study in JAMA Health Forum matched FDA-cleared AI-enabled medical devices to recall entries and found that recalls were uncommon but clustered early after clearance; it also reported associations between lack of reported clinical validation and higher odds of recall, as well as an association between publicly traded manufacturer status and higher odds of recall. The methodological point is important for business leaders: even if overall recall rates are not high, the observed pattern suggests that early-market failure risk can concentrate in devices with weaker public validation narratives.

Evidence is not only about whether a model “works.” It is also about how humans change when AI is present. A study published in The Lancet Gastroenterology & Hepatology examined colonoscopy performance before and after AI introduction and reported that, after routine exposure to AI-assisted colonoscopy, adenoma detection rates in standard non-AI-assisted colonoscopies declined compared to the pre-AI period; the authors interpreted this as consistent with a potential behavioral effect of continuous AI exposure. This aligns with WHO’s warning about automation bias: errors can be overlooked or difficult decisions improperly delegated when humans treat AI output as a substitute for judgment rather than an input to judgment.

These realities are pushing the field toward more rigorous reporting norms. The SPIRIT-AI and CONSORT-AI guidelines were developed as extensions to traditional trial reporting standards to address AI-specific sources of bias and reporting needs, including items such as algorithm versioning and procedures for acquiring input data—features that are directly relevant to reproducibility and accountability in deployed clinical AI. The TRIPOD+AI statement similarly updates reporting expectations for prediction models using regression or machine learning methods in clinical contexts.

The direction of travel is clear: in healthcare AI, evidence quality is increasingly a market differentiator because it shapes regulatory risk, procurement friction, and the durability of clinician trust.

Regulation is shifting from clearance to lifecycle control

Regulation is becoming less about a one-time gate and more about continuous control across the model lifecycle.

In the European Union, the AI Act establishes a harmonized framework with phased applicability. The European Commission summarizes the timeline as follows: the act entered into force in August 2024; certain provisions apply earlier (including prohibited practices and AI literacy), obligations for general-purpose AI begin in August 2025, and the act becomes fully applicable in August 2026, with an extended timeline for high-risk AI systems embedded into regulated products that benefit from a longer transition. The legal instrument is Regulation (EU) 2024/1689, adopted in June 2024 and published in the Official Journal in July 2024.

In the United States, the U.S. Food and Drug Administration has been explicit about the growth and complexity of AI-enabled medical devices. A January 2025 FDA announcement stated that the agency had authorized more than 1,000 AI-enabled medical devices and described the growing scaling challenges, while also noting limits of the agency’s published list as a comprehensive inventory. An earlier FDA device-list page explains that the list is based on AI-related terms in authorization summaries and is updated periodically; it also states that the agency intends to add a separate identification for device functions that use “foundation models,” acknowledging that model architecture itself is becoming a regulatory-relevant feature.

A key regulatory innovation for machine-learning devices is planned change management. FDA-hosted guiding principles for predetermined change control plans describe the concept as a manufacturer’s plan specifying certain planned modifications, protocols to implement and control them, and assessment of impacts—an attempt to reconcile iterative model development with regulatory oversight in a total product lifecycle frame.

Transparency is increasingly treated as safety infrastructure rather than marketing. FDA’s transparency guiding principles define transparency as appropriate communication about a machine-learning-enabled medical device’s intended use, development, performance, and when available, its logic and explainability. The same guidance emphasizes communicating limitations such as known biases or failure modes, confidence intervals, and gaps in data characterization, and it links transparency to detection of errors or performance degradation over time. These principles were jointly established with Health Canada and the Medicines and Healthcare products Regulatory Agency, reinforcing an international convergence around transparency as a baseline expectation for machine-learning medical devices.

International alignment is also visible in the work of International Medical Device Regulators Forum. Its 2025 final document on good machine learning practice presents guiding principles intended to apply across the medical device lifecycle and explicitly highlights that generative AI and foundation-model use can introduce unique risks when foundation models are not under a medical device manufacturer’s provenance, complicating demonstration of performance and error detection.

Regulation is expanding beyond devices. FDA issued a draft guidance in January 2025 addressing the use of AI to support regulatory decision-making for drug and biological products, describing a risk-based credibility assessment framework for establishing and evaluating an AI model’s credibility for a particular context of use. This signals that regulators are preparing for AI not only as a marketed product, but also as evidence infrastructure inside regulated submissions.

Data privacy and cybersecurity are now product features

Healthcare AI is constrained less by model capability than by the control plane around data—who can access it, how it is protected, and what obligations attach to its use.

Privacy governance is tightening in parallel with AI adoption. The European Data Protection Board published a report in April 2025 that presents a risk management methodology and mitigation measures for privacy and data protection risks in large language model systems, intended to support systematic identification, assessment, and mitigation of risks. Even when healthcare AI deployments are not explicitly regulated as medical devices, privacy regimes can function as de facto product requirements because they shape training data strategies, vendor contracts, and operational safeguards.

Cybersecurity has moved from best practice to explicit regulatory expectation in device contexts. FDA’s February 2026 final guidance on cybersecurity in medical devices describes recommendations for cybersecurity device design, labeling, and documentation in premarket submissions, and it states that it addresses the agency’s recommendations regarding section 524B of the Federal Food, Drug, and Cosmetic Act for “cyber devices.” The practical effect is to formalize cybersecurity resilience as part of the evidentiary footprint expected at submission, not merely as a postmarket IT concern.

Across sectors, governance frameworks are converging on lifecycle risk management as the organizing principle. The National Institute of Standards and Technology AI Risk Management Framework defines core risk management functions—govern, map, measure, manage—and emphasizes that AI risk and trustworthiness arise from socio-technical interactions, not solely from model accuracy. In healthcare, this is not an abstract framing: it maps onto clinical workflow realities where a correct model output can still produce harm if it changes human behavior, creates overreliance, or fails silently during data drift.

The combined result is that “data strategy” in healthcare AI increasingly resembles a compliance architecture. It includes privacy-impact thinking, cybersecurity controls, documentation for regulators, and mechanisms for monitoring behavior and performance after deployment. These requirements tend to advantage organizations that can sustain ongoing governance and monitoring costs rather than treating deployment as a one-time event.

The investment cycle is consolidating around workflow and data rights

Capital allocation in health AI is becoming more selective and more concentrated around a narrow set of theses: workflow ownership, integration leverage, and defensible data access.

In the United States, Rock Health reported that venture funding for U.S. digital health startups rose in 2025 compared with 2024, and that AI-enabled companies captured a majority share of total funding. The same analysis highlights concentration dynamics: large funding totals can mask that fewer companies capture capital, driven by mega-rounds and a “winner” class formation.

This funding pattern is consistent with a market that increasingly prices “ability to scale in healthcare” rather than “ability to build a model.” Scaling in healthcare is expensive: it demands integration into complex workflows, compliance readiness, evidence generation, and postmarket operations. The investment logic therefore tilts toward companies that can bundle AI into the workflow layer where switching costs and buyer lock-in exist—yet that advantage often requires credible rights to data and clear governance of how models are trained, updated, and monitored.

Postmarket evidence is also shaping investment narratives. The JAMA Health Forum study of recalls found associations between lack of reported clinical validation and recall likelihood, and it reported that publicly traded manufacturers were associated with higher odds of recall after adjusting for other variables. While these are associations rather than proof of causation, they introduce a material finance-and-governance question: in a market where speed is rewarded, the cost of weak validation may surface later as recall risk, reputational damage, and procurement resistance.

A parallel dynamic is visible in life sciences. McKinsey’s survey of pharma and medtech leaders reports widespread experimentation but limited claims of sustained financial differentiation from generative AI, implying that the market is still sorting “real enterprise value” from tool-level adoption. This tends to accelerate consolidation around platforms and operating models that can consistently absorb regulatory, privacy, and validation requirements across geographies.

In short, the funding environment is not only financing innovation. It is financing the governance and integration layer that determines whether innovation becomes infrastructure.

The shape of the next health AI market

The next phase of AI in healthcare is likely to be defined less by model breakthroughs and more by institutional convergence: common evidentiary norms, interoperable governance, and clearer cross-border compatibility.

The OECD’s 2026 report argues that coherent, cross-border compatible policies are essential to balance innovation with safety and economic opportunity with public trust. This framing aligns with the reality that health AI markets are fragmented by differing regulatory regimes, data protection rules, reimbursement systems, and procurement practices, which collectively act as friction against scale.

International standardization efforts are explicitly aimed at narrowing that gap. An ITU and WHO focus group final report describes its work from 2018 to 2023 to develop a standardized assessment framework for AI in health and to produce deliverables spanning ethical, regulatory, technical, and clinical evaluation dimensions, while also announcing a successor global initiative to continue the work.

At the same time, regulators are signaling that the “static model” assumption is eroding. FDA’s emphasis on predetermined change control planning and lifecycle transparency reflects an acknowledgment that AI systems evolve, and governance must track that evolution rather than assume stability. Academic work is also adapting: the concept of “dynamic deployment” has been proposed as a clinical trial framework tailored to adaptive systems and large language model dynamics, enabling continuous monitoring and validation in situ.

For executives and investors, the key market insight is that healthcare AI is converging on a new baseline definition of product quality. It includes not only performance metrics, but also transparency artifacts, change control discipline, cybersecurity resilience, privacy risk management, and evidence that accounts for human-AI interaction effects like automation bias and potential deskilling.

As these expectations harden, competitive advantage is less likely to come from having access to a general model and more likely to come from building defensible systems around it: validated use cases, auditable lifecycle controls, credible data governance, and the operational capacity to monitor performance once the model meets the real world.