
Governing AI Safely in the NHS
When AI spreads faster than strategy: what NHS leaders need to get under control now
In our previous article, we looked at one of the earliest decisions that shapes AI risk — whether a tool is a medical device or not.
The reality many NHS organisations are now facing is broader than that.
AI is no longer entering the NHS through one front door.
It is arriving through multiple routes at once, often without a single, coordinated approach.
A clinician tries a productivity tool. A team pilots a documentation solution. A department explores triage.
None of that is surprising. The opportunity is obvious. NHS England is already publishing practical guidance on specific use cases such as AI-enabled ambient scribing, and national bodies are putting more support in place for adopters.
But this is exactly where the pressure is building for digital leaders.
The challenge is no longer simply whether AI has value. It is whether the organisation has a clear enough strategy, governance model and assurance process to adopt it safely, lawfully and consistently. That matters because AI in healthcare does not sit under one simple rulebook. Depending on the use case, multiple regulatory and safety considerations may apply — often at the same time.
The real risk is not AI itself.
It is uncoordinated adoption.
Most NHS organisations are not short of AI ideas.
What they are short of is a single, coordinated model for deciding:
- which use cases matter most
- which risks sit where
- what evidence is good enough
- who is accountable when something goes wrong
- and how one team’s decision affects the wider organisation
That is where AI proliferation becomes a leadership issue.
A tool adopted by an individual or a speciality may look low-risk at first glance. But if it handles patient data, influences decisions, creates documentation for the record, or changes how patients access care, it very quickly becomes more than a local experiment. CQC guidance for GP services is explicit that AI use must align with regulatory requirements and good clinical governance to be safe and compliant.
In other words, decentralised adoption does not remove organisational accountability.
It increases the need for it.
Why this feels harder than other digital decisions
Part of the difficulty is that not every AI tool carries the same level of risk.
Some tools support administration. Some support workflow. Some influence diagnosis, monitoring, triage or treatment decisions. And that distinction is critical for making the right decisions. MHRA guidance is clear that many software and AI applications in health and social care are likely to fall within medical device regulation, depending on their intended use.
That means a digital leadership team cannot treat AI as one broad category. It needs a way to separate:
- simple productivity tools from clinically significant tools
- local experimentation from organisation-wide deployment
- interesting demonstrations from technologies that are safe to scale
Without that discipline, organisations risk treating all AI as broadly similar when in reality the assurance requirements are very different.
Strategy matters because governance cannot start at procurement
One of the most common mistakes organisations make with AI is waiting too long to establish governance, safety and assurance processes.
A product reaches procurement before the use case is clear. Clinical safety is considered after enthusiasm has built. Information governance is brought in once a team is already attached to the tool. At that point, governance feels like friction, when it should have been built in from the start.
The stronger approach is to decide early how the organisation will govern AI before tools start appearing in large numbers.
NHS DTAC already provides a useful structure for this. It brings together the standards and best practice digital health technologies must meet across five areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility.
That does not remove the need for judgment. But it does give leaders a practical framework for asking better questions earlier.
Clinical safety and data protection are not optional add-ons
Where AI touches care, clinical safety has to be taken seriously.
NHS England defines digital clinical safety assurance as the process by which health IT used by care professionals is assured as safe and meets required national standards. Standards such as DCB0129 and DCB0160 provide a structured approach to digital clinical safety. Where they apply, compliance is mandatory, and NHS guidance is available to help organisations determine applicability.
That matters because many AI tools are being positioned as “assistive” rather than decisive. But even assistive tools can create risk if they shape documentation, influence action, or introduce new failure points into real workflows.
The regulatory landscape is also continuously evolving in response to the pace of AI development. In 2025, MHRA launched its AI Airlock programme, a regulatory sandbox designed to support the safe testing of AI-powered medical devices in real-world healthcare environments before wider adoption.
The same goes for data.
If a tool uses patient information, leaders need confidence not only in security, but in lawful use, transparency and accountability. The ICO notes that its automated decision-making guidance is under review because of changes introduced by the Data (Use and Access) Act 2025, while GOV.UK states that those changes are being commenced in stages over time.
The legal environment is still evolving — another reason why a reactive approach to AI governance is unlikely to hold.
And where confidential patient information is used beyond individual care and treatment, organisations may also need to consider whether the National Data Opt-Out applies. NHS England states that the opt-out allows individuals, in specified circumstances, to choose whether data from their health records is shared for research and planning.
A good AI strategy should make three things clear
For NHS leaders, an AI strategy does not need to be over-engineered. But it does need to answer three practical questions.
- What problems are we actually trying to solve?
AI should not be governed as a generic innovation agenda. It should be linked to defined operational or clinical problems.
- What route does each type of tool need to follow?
That includes proportionate review for medical device implications, DTAC, clinical safety, procurement, information governance and local approval. National support now exists through the AI and Digital Regulations Service precisely because this landscape is complex for both developers and adopters.
Alongside this, NHS organisations are not navigating AI adoption in isolation. National bodies including MHRA, NICE, CQC and NHS England already play significant roles in shaping the safe adoption of digital technologies through regulation, standards, assurance and guidance. NHS England also continues to set technical and commercial standards that digital tools must meet before wider deployment.
- How will we know if it is working safely here?
NICE’s Evidence Standards Framework exists to help evaluators and decision makers identify digital health technologies likely to offer benefit, and to support more informed and consistent decisions when evaluating, commissioning or purchasing them.
That last point is especially important. NHS leaders do not just need confidence that a tool worked somewhere. They need confidence that it is safe, useful and governable in their own setting.
This is now a maturity question
The NHS does not need to slow AI down for the sake of it.
But it does need to stop treating widespread AI adoption as if it will somehow organise itself.
The organisations that will benefit most from AI will not be the ones that say yes to the most tools. They will be the ones that create enough clarity for good tools to move forward safely, and enough discipline for weak ones to stop early.
That is what mature leadership looks like now.
Not resisting innovation.
Governing it well enough to deserve trust.