Validating healthcare AI
The WHO's Governance Frame for Generative AI in Health: Who Is Responsible for Each Safeguard
The WHO's 2024 guidance on large multi-modal models sets out more than 40 recommendations and assigns each safeguard to a named actor: governments set standards, license, and require independent post-release audits; developers build for defined tasks and engage users early; providers and patients stay in the loop rather than defer to the model.
The World Health Organization's January 2024 guidance on large multi-modal models does something most AI-ethics documents avoid: it names who is accountable for each safeguard. Governments are told to set standards, license applications, and require independent audits after deployment. Developers are told to build systems for well-defined tasks and to engage users early. Providers and patients are told to stay in the loop rather than defer to the output. The guidance carries more than 40 recommendations, and its organizing idea is that a safeguard without an owner is not a safeguard.
What the guidance actually covers
A large multi-modal model, in the WHO's usage, accepts more than one kind of input, such as text, images, or video, and can generate outputs beyond the type of data it received. These are the systems behind the current wave of generative AI, and the WHO document, titled "Ethics and governance of artificial intelligence for health: Guidance on large multi-modal models," was released on 18 January 2024. It extends the agency's earlier work on AI ethics to the specific behavior of models that mimic human communication and perform tasks they were never explicitly programmed to do.
The guidance groups health uses into five broad categories: diagnosis and clinical care, such as responding to a patient's written queries; patient-guided use, such as investigating symptoms or treatment options; clerical and administrative work, such as documenting and summarizing visits inside electronic health records; medical and nursing education, including simulated patient encounters for trainees; and scientific research and drug development. That range matters because the risk profile is not uniform. A model drafting a discharge summary and a model suggesting a diagnosis carry different stakes, and the WHO's frame asks each deployer to match the safeguard to the setting.
The risks the WHO names
The document is direct about failure modes. LMMs can produce statements that are, in the WHO's words, "false, inaccurate, biased, or incomplete," and a person acting on that output in a health decision can be harmed. Bias enters through training data that under-represents populations by race, ethnicity, sex, gender identity, or age, so the model performs worse for exactly the groups already underserved.
A subtler risk is what the guidance calls automation bias: the tendency of a clinician or patient to trust a confident-sounding machine output over their own judgment, even when the output is wrong. There is also cybersecurity exposure, since these systems touch sensitive patient information, and questions of accessibility and affordability, since a tool available only to well-resourced systems can widen gaps rather than close them. Naming these risks is the easy part. The harder move, and the one the guidance makes, is attaching each to an actor who has to manage it.
Who owns each safeguard
Governments carry what the WHO calls the primary responsibility to set standards for how LMMs are developed, deployed, and integrated into health systems. The guidance asks them to assign an existing or new regulatory agency to assess and approve LMM applications intended for health care. One recommendation stands out for its structural ambition: governments should "introduce mandatory post-release auditing and impact assessments, including for data protection and human rights, by independent third parties when an LMM is deployed on a large scale." That is a shift away from one-time pre-market clearance toward continuous, external scrutiny. The guidance also encourages governments to invest in or provide "not-for-profit or public infrastructure, including computing power and public data sets," so that development is not concentrated entirely in a few private hands.
Developers are asked to design LMMs to perform well-defined tasks with the accuracy and reliability those tasks require, rather than releasing a general system and hoping clinicians will use it sensibly. Crucially, the guidance says potential users and stakeholders, including "medical providers, scientific researchers, health care professionals and patients, should be engaged from the early stages of AI development" in a structured and transparent design process. Engagement is treated as a design input, not a public-relations step after the model is built.
Providers, patients, and civil society are written into the governance itself. The WHO calls for the engagement of governments, technology companies, health care providers, patients, and civil society across all stages of development and deployment. For a clinician at the point of care, the operational takeaway is that an LMM output is a draft to be verified, not a verdict to be transcribed, and the guidance frames that human check as a safeguard the provider owns.
Why the accountability map is the point
Read as a checklist, the more-than-40 recommendations can feel like a lot. Read as an accountability map, they cohere. Bias is a developer-and-government problem addressed through representative data and pre-market assessment. Automation bias is a provider problem addressed through training and workflow design. Large-scale harm is a government problem addressed through independent post-release audits. The same risk often appears under two owners, which is the intended redundancy: no single actor is asked to carry a safeguard alone, and no safeguard is left unassigned.
This is guidance, not binding law, and it does not resolve every hard question, including how liability for a model-influenced error should ultimately be allocated. But its contribution is the discipline of the assignment. In my read of the healthcare-AI evidence base, the recurring failure is not a shortage of principles; it is that principles float free of any party obligated to enforce them. The WHO's frame is useful precisely because it refuses that drift and keeps asking, for every safeguard, who is responsible.
This article is educational and is not medical advice.
References and sources
How this was researched. This explainer is built from the primary sources listed above and reflects Dr. Tojjar's own critical appraisal of that evidence. It explains and evaluates research and does not provide medical care.
This article is for general education and is not medical or professional advice. For guidance about your own health, talk with a qualified clinician.
Cite this article
Tojjar, D. (2024). The WHO's Governance Frame for Generative AI in Health: Who Is Responsible for Each Safeguard. Dr. Damon Tojjar. https://readingtheevidence.org/articles/who-guidance-large-multimodal-models-health/
This article is part of Dr. Tojjar's guide to Validating healthcare AI.