Health-sector organisations adopting external artificial intelligence tools need governance structures that connect innovation with accountability, security, privacy and human oversight. Health Information Sharing and Analysis Center (Health-ISAC)’s new guidance, Policies and Safeguards for a Safe Use of AI, sets out considerations for creating an AI governance and safeguards framework, including acceptable use, governance committees, risk controls and safeguards for external AI tools. The guidance frames AI governance as part of an organisation’s AI adoption strategy, not as an optional add-on. It links ethical use, transparency, explainability, accountability, regulatory compliance, data protection, security resilience and escalation procedures with business objectives. The central message is practical: AI use needs defined authority, documented processes, clear limits and continuous oversight before tools become embedded in everyday operations.
Governance Must Link Oversight, Ethics and Risk
AI governance provides a structured way to manage business and technical decisions affecting AI development and use. A dedicated governance committee carries responsibility for oversight, while a governance framework translates organisational policies, principles and ethical standards into practical controls for AI adoption. The committee’s composition depends on organisational size, capabilities and AI strategy, but the model requires cross-functional representation from areas such as legal, privacy, data governance, information security, risk, compliance, technology, data science, business units and ethics.
Must Read: AI Assistants Add New Cyber Risk in Healthcare
Governance can sit within an existing oversight committee or board, operate through a standalone AI council or use a multi-layered model. In a multi-layered structure, a steering committee provides strategic direction, an operational group executes the AI strategy and a technology function handles technical implementation, policies and security controls. Periodic reporting to the board or another leadership body covers AI initiatives, alignment with organisational goals, ethical considerations, compliance issues and recommendations for AI strategy and policy.
Measurement also forms part of governance. Example metrics include the proportion of AI systems with completed risk assessments, models tested for bias and fairness, incident rates, time to remediate AI-related incidents and high-risk systems with human oversight. The framework covers legislation, policy, privacy, ethics, use-case governance, model lifecycle governance, contracting, incident response, breach management and education.
Acceptable Use Needs Boundaries and Human Review
An acceptable use policy gives organisations a formal basis for responsible, ethical and secure AI use. Its purpose is to support productivity and innovation while safeguarding privacy, confidentiality, ethics and organisational integrity. Scope matters because AI use can involve employees, contractors, board members, affiliates and representatives. It can also include public platforms, internally developed tools, cloud deployments, on-premises systems and access through personal or company-owned devices.
The policy links AI use with information security and data governance. It requires compliance with applicable laws, regulations and ethical standards in every jurisdiction where the organisation operates. Oversight can sit with a responsible officer and an AI committee, while employees need to exercise sound judgement, maintain transparency and obtain approval before applying AI to business processes or projects.
Clear limits reduce ambiguity. Acceptable uses include generating general or non-confidential documentation, conducting market or academic research, drafting job descriptions, summarising publicly available data and using approved tools for debugging or routine coding assistance. Outputs still require accuracy and compliance checks before external sharing. Prohibited uses include misrepresenting authorship, manipulating data, fabricating results, entering confidential, personal or proprietary information into public AI tools and using unapproved systems in company operations.
Healthcare-related safeguards receive specific attention. AI and large language model systems must follow data protection laws and internal security policies. Confidential company information, trade secrets, protected health information and personal identifiers must not enter public or open AI systems. Generative AI use for electronic protected health information or sensitive personal data requires explicit approval under defined security and contractual conditions.
External AI Risks Require Layered Safeguards
External AI tools create risks that span data privacy, supply chains, outputs, fairness, regulation, security, oversight and unauthorised use. Data entered into external tools may be stored and later used for further model training, which can expose confidential information beyond its intended purpose. External tools may also process personal data in ways that are not transparent to data subjects. Safeguards include data minimisation, anonymisation, encryption, access controls, monitoring of prompts and inputs, incident response plans, browser warnings, browser plug-ins and staff training.
Supply chain and third-party risks arise when external AI tools depend on vendor software, infrastructure, processes, third-party libraries or cloud services. Vendors may not follow the same security, privacy or ethical standards as the organisation using the tool. Service disruption, vendor lock-in and difficult migration can also affect operations. Vendor assessment, supply chain mapping, software bills of materials, contractual security requirements, service-level agreements, regular audits and exit strategies help reduce these risks.
Model and output risks require structured controls because many external AI systems operate as black-box services. Lack of transparency can limit accountability, auditability and explanation. External models may produce inaccurate, misleading or biased outputs, and performance may change if a provider updates or retrains a model without notice. Output validation, provider transparency requirements, independent review and AI red-teaming help identify flaws before deployment.
Regulatory and compliance controls must cover data residency, privacy, sector-specific rules, legal liability, auditability, intellectual property and ownership of outputs. Security safeguards include multi-factor authentication, encryption, access management, secure API practices, integration monitoring, vulnerability scanning and penetration testing. Shadow AI requires an approved tools inventory, detection controls, internal alternatives and ongoing training.
Safe AI adoption depends on governance that joins policy, accountability, technical controls and human oversight. A strong framework defines who approves AI use, how risks are assessed, how tools are monitored and how incidents are escalated. Acceptable use rules reduce uncertainty by separating approved activities from prohibited conduct. External AI safeguards address privacy, security, supply chain, output quality, bias, compliance and shadow AI risks. As AI tools, regulations and organisational needs change, governance requires regular review, updating and education to remain effective.
Source: Health-ISAC
Image Credit: iStock
References:
Health-ISAC Artificial Intelligence Working Group (2026) Policies and Safeguards for the Safe Use of AI. S.l.: Health-ISAC.
