AI adoption in health care: Why governance and cybersecurity matter now 

In many instances, artificial intelligence is moving faster through U.S. health care systems than the controls designed to govern it. Recent research indicates 86% of medical organizations, including hospitals and health systems, are using at least one AI platform. What was once confined to pilot programs and innovation labs is now embedded in core clinical and administrative operations, from revenue cycle management to clinical decision support.

The pace of adoption reflects mounting economic pressure across the sector. Health systems are turning to AI solutions to address workforce shortages, rising costs and growing volumes of data that challenge human capacity to manage efficiently. By mid 2025, AI tools were operating across finance, scheduling, imaging and documentation workflows at most large providers. For executives, AI has become less a question of whether to deploy and more a question of where and how.

That speed, however, is creating a widening gap between innovation and risk management.

Expansion at scale and at risk 

As AI integrates deeper into electronic health records, billing platforms and cloud-based analytics environments, it is also expanding the health care cyber-attack surface. Each new AI model, interface and data connection introduces additional access points, often with privileged credentials.

Our Cybersecurity 2026 Special Report underscores the risk backdrop against which this expansion is occurring. Nearly one in five midmarket organizations experienced a data breach in the past year, and almost one quarter faced a ransomware incident, even before factoring in AI-specific exposures. The report warns that AI does not simply add another application to the environment—it can amplify the impact of existing weaknesses, accelerating misuse once attackers gain access.

In health care, the stakes are unusually high. AI systems frequently handle protected health information, influence clinical workflows and affect revenue integrity. A compromised AI-enabled process can enable attacks or data loss at machine speed, creating operational, regulatory and patient safety consequences simultaneously.

The third-party dependency problem 

One of the defining features of AI adoption in health care is how little of it is built in-house. Most health systems rely on established technology vendors for AI capabilities, embedding third-party tools directly into mission-critical workflows. Research indicates that nearly 80% of health systems prefer to deploy AI through existing vendors, and a majority are comfortable sharing data to support those tools.

From a business perspective, this makes sense. Most health care organizations can’t match hyper-scalers’ pace of innovation. Vendor solutions reduce time to value and ease integration burdens. From a risk perspective, it complicates accountability.

Each AI vendor introduces new data flows, identity pathways and contractual dependencies. Breaches increasingly originate through third parties, not internal systems, and AI accelerates that exposure by automating access to large datasets. However, health systems remain accountable for privacy, compliance and patient outcomes, even when AI models and infrastructure sit outside their direct control.

This reality places pressure on vendor risk management programs that were not designed for the rapid pace of AI innovation.

Governance lagging behind adoption 

Despite widespread AI use, formal governance has not kept pace. Fewer than one in five health systems report having a mature AI governance structure, even as AI influences operational and clinical decision-making. Across industries, only about one-third of organizations have adopted formal AI governance frameworks, such as the NIST AI Risk Management Framework.

This governance gap matters because AI risk is not confined to cybersecurity alone. It spans data privacy, model reliability, regulatory compliance, clinical safety and reputational exposure. Without a centralized governance structure, responsibility for AI risk is often fragmented across IT, compliance, clinical leadership and operations, leaving no single line of accountability.

Like cybersecurity, AI should be treated as an enterprise risk management issue, not a technology project. That shift reframes AI from an innovation asset to a core business risk that demands executive ownership and board-level visibility.

The board’s expanding role

Regulators and industry bodies are signaling that AI oversight belongs at the top of the organization. Boards are being asked—implicitly and explicitly—to understand how AI is used, what data it touches, how vendors are governed, and how incidents would be detected and managed. 

This expectation mirrors earlier shifts in cybersecurity governance, where boards moved from passive awareness to active oversight. AI now sits at the intersection of cyber risk, patient safety, financial integrity and regulatory compliance, making it difficult to delegate oversight without losing strategic control.

Investment patterns suggest organizations are beginning to recognize this reality. Our cybersecurity report notes that more than 80% of organizations plan to increase cybersecurity spending, reflecting an understanding that digital expansion without security investment is unsustainable. For health systems, that investment must extend beyond perimeter defenses to include identity management, third-party controls, AI monitoring and governance infrastructure.

Innovation with guardrails 

AI will continue to expand across health care. The economic and operational incentives are too strong to reverse. But the same characteristics that make AI attractive—speed, scale, automation—also magnify downside risk when governance is weak.

The organizations best positioned for longterm success will be those that embed AI governance and cybersecurity into enterprise risk management, align leadership accountability and ensure boards have clear visibility into AI-related risk. In health care, responsible AI adoption is no longer just a technology conversation. It is a business resilience imperative.

Rebekuh Eley
Rebekuh Eley
Health Care Senior Analyst at RSM US LLP |  + posts

Rebekuh Eley is a health care senior analyst with RSM US LLP.

Lanny Levy
Lenny Levy
North American Healthcare Cybersecurity Leader at RSM US LLP |  + posts

As the leader of RSM’s U.S. healthcare cybersecurity practice, Lenny Levy advises C-suite leaders and boards on strengthening cyber resilience, meeting regulatory expectations, and enabling secure digital transformation. He helps organizations take a risk-driven approach to cybersecurity and privacy, guiding strategy and execution across program design, governance, and complex initiatives—particularly as healthcare organizations modernize technology, move to cloud, and adopt AI and GenAI capabilities.

Previously, Lenny served as a chief information security officer for healthcare organizations, aligning security strategy with enterprise priorities to protect patient and business information while supporting growth and innovation. In these roles, he led security program transformations, advanced compliance efforts, developed security talent, and partnered closely with business and technology leaders to translate cybersecurity risk into practical, executive-level decisions.

Lenny’s leadership in industry initiatives, including Health Industries Cybersecurity Practices (HICP), Health Sector Coordinating Council (HSCC), and Health & Human Services (HHS) 405(d) Task Group demonstrates his commitment to advancing the field. He holds a BS in Decision and Information Sciences from the University of Florida and an MBA from Duke University Fuqua School of Business. He holds Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications.