Decision support and digital health
What a Hospital's AI Governance Program Is Supposed to Do
A hospital AI governance program is meant to keep clinical AI tools safe after purchase: a named oversight body, local validation, ongoing monitoring for drift, bias and risk assessment, data protections, patient transparency, staff training, and blinded safety reporting. The Joint Commission and CHAI set that baseline in September 2025.
A hospital's AI governance program is supposed to make clinical artificial intelligence safe to use after it is purchased, not merely impressive in a sales demo. That means a named body inside the organization that decides which tools are allowed, checks that each one works on the local patient population, watches for performance drift over time, screens for bias and risk, protects patient data, tells patients when AI touches their care, trains the staff who rely on it, and reports safety problems so others can learn. In September 2025 the Joint Commission and the Coalition for Health AI (CHAI) published the first shared baseline for what that program should contain. This is an educational overview, not medical advice.
Where this guidance came from
On September 17, 2025, the Joint Commission and CHAI released joint guidance titled Responsible Use of AI in Healthcare, described by both organizations as a first-of-its-kind framework for how U.S. health systems should adopt AI at scale. The Joint Commission is the body that accredits most American hospitals, so its interest in a subject tends to signal where oversight is heading. CHAI is a nonprofit coalition of nearly 3,000 member organizations, including health systems, patient advocacy groups, technology companies, and startups, formed to build consensus guidelines for trustworthy health AI.
The pairing matters. One organization brings the accreditation machinery hospitals already answer to; the other brings a broad technical membership. Together they framed AI oversight as something that should live inside an organization's existing governance and compliance systems rather than as a separate novelty.
The elements a program should contain
The 2025 guidance lays out a set of foundational elements. Stripped of jargon, they describe the parts a credible program needs.
A governance structure and written policies. There should be a formal committee with real authority and mixed membership, drawing on compliance, information technology, clinical leadership, operations, and data privacy. A single enthusiast in one department is not governance. The policies should say plainly what AI may and may not be used for.
Patient privacy and transparency. The organization should have rules on how patient data is accessed and used, and should be willing to tell patients when AI plays a role in their care.
Data security and data use protections. Every use of patient data with an AI tool has to comply with HIPAA, supported by protections such as encryption, limited data access, and written agreements that spell out permitted uses.
Ongoing quality monitoring. This is one of the most important and most neglected parts. An AI model that performed well at launch can degrade as patient populations, documentation habits, or upstream software change. The guidance expects organizations to validate tools before deployment and to keep watching for changes in performance afterward.
Risk and bias assessment. The organization should have a process to document AI risk and to check whether a tool was actually validated on a population resembling its own. A model developed mostly on one demographic can be quietly wrong for the patients in front of it.
Education and training. Clinicians and staff should be taught not only how to use a tool but where it fails and what its limits are.
Voluntary, blinded safety reporting. The guidance encourages confidential reporting of AI-related safety events to independent entities, so that a failure in one hospital can warn the rest of the field. This borrows the logic that made aviation and medication-error reporting work.
What changed in 2026
The 2025 guidance was voluntary and carried no immediate accreditation weight. That began to shift. On June 1, 2026, the Joint Commission launched a voluntary Responsible Use of AI in Healthcare certification, built to recognize organizations that can show they have governance, safeguards, monitoring, and education actually in place. Its standards are organized around governance, data management, risk and bias reduction, monitoring and validation of safety and performance, and transparency with education and training. The certification recognizes how an organization uses AI; it does not validate or certify individual AI products. An organization does not have to be Joint Commission accredited to apply. A voluntary certification is a signal, not a mandate, and it is reasonable to expect its themes to migrate into future accreditation expectations over time.
How to tell whether an organization really follows it
Guidance is easy to endorse and hard to live. A few questions separate a functioning program from a paper one.
Ask who owns AI oversight and whether that body has ever said no. A governance committee that has approved every tool it has ever reviewed is probably a rubber stamp. Ask whether tools were validated on the local population, not merely on the vendor's original dataset, because a model's accuracy does not transfer automatically. Ask what happens after deployment: is anyone measuring whether the tool still performs as claimed, and how would they notice if it drifted. Ask whether frontline staff can describe a tool's known failure modes, since training that produces no such knowledge did not happen. Ask whether the organization reports safety events, or only collects them internally. And ask whether patients are ever told that AI is involved.
None of these questions require technical fluency to pose. They test whether the described elements exist as behavior rather than as a policy binder. The pattern to watch for is a marketing claim of being AI-powered or AI-governed that thins out the moment you ask who monitors the tool and what they would do if it started failing. In evaluating any AI claim, the useful discipline is the same one that governs drug development: the assertion has to match verifiable evidence, and the burden sits with the party making the claim.
Why this framing helps patients and clinicians
The value of a governance standard is that it turns a vague reassurance into a checklist a non-specialist can use. When a health system says it uses AI responsibly, that sentence now has a public reference point. You can ask which of the described elements are in place and expect a specific answer. The 2025 guidance and the 2026 certification will not, on their own, make every deployment safe. What they do is give patients, clinicians, and administrators a shared language for asking whether the safeguards are real, which is the necessary first step before any of them can be trusted.
References and sources
How this was researched. This explainer is built from the primary sources listed above and reflects Dr. Tojjar's own critical appraisal of that evidence. It explains and evaluates research and does not provide medical care.
This article is for general education and is not medical or professional advice. For guidance about your own health, talk with a qualified clinician.
Cite this article
Tojjar, D. (2026). What a Hospital's AI Governance Program Is Supposed to Do. Dr. Damon Tojjar. https://readingtheevidence.org/articles/joint-commission-chai-responsible-ai-governance/
This article is part of Dr. Tojjar's guide to Decision support and digital health.