Healthcare AI Is Uninsurable. This Paper Shows How to Fix That.

Joe Braidwood
Co-founder & CEO · March 2026

Today our CMO Jennifer Shannon, MD and Sarah Gebauer, MD published “The Insurability Problem in Healthcare AI” — the first Standards-Based Framework for Underwriting Risk Assessment in healthcare AI. I want to explain why I think this paper matters, and what it means for GLACIS.

The conversation that started this

Every healthcare AI company I’ve spoken to in the past year has the same problem. Not the technology — most of them have built something genuinely useful. The problem is that the moment their product touches a patient, they enter a liability landscape that nobody has figured out how to underwrite.

A single AI failure in a clinical setting can simultaneously generate product liability claims against the vendor, malpractice claims against the supervising physician, and enterprise liability claims against the health system. Three separate legal domains. Three separate insurance products. Zero coordination between them.

Insurers are trying to price this risk with actuarial models built for a world where software doesn’t make clinical decisions. The data doesn’t exist yet. The claims history is too thin. And so the market does what it always does when it can’t price something: it either refuses coverage, prices in massive uncertainty premiums, or writes exclusions so broad they make the policy meaningless.

Jennifer and Sarah asked a different question: What if we don’t need to wait for the claims data?

What the paper proposes

The core insight is elegant. Healthcare AI companies already implement rigorous international standards for regulatory clearance — ISO 14971 for risk management, IEC 62304 for software lifecycle, ISO 13485 for quality management. That compliance work already generates evidence about product quality. The Standards-Proof framework repurposes it as underwriting evidence.

Three layers, each mapping to a distinct liability domain:

  • Layer 1: Foundation. Product liability. How deeply has the vendor implemented risk management standards — not binary pass/fail, but scored implementation depth across ISO 14971, IEC 62304, and ISO 13485.
  • Layer 2: Healthcare-specific validation. Professional liability. Validation stratified by risk tier — clinical decision support gets prospective studies with subgroup analysis; prior authorisation and documentation tools get harm-pathway-matched validation.
  • Layer 3: Continuous operational assurance. All liability domains at runtime. Pre-deployment adversarial stress testing plus post-deployment tamper-evident monitoring, with attestation that safety controls actually executed.

That third layer is where GLACIS lives. And it’s where the paper gets most interesting.

The numbers that keep me up at night

The paper includes four case studies. I want to highlight the findings because they illustrate something critical about the gap between how AI is marketed and how it actually performs in practice.

A patient-facing triage chatbot that reported 91% appropriate routing. When Jennifer and Sarah stratified by time-sensitive conditions, the undertriage rate was 14%. Prompt injection overrode scope boundaries in 7% of attempts. This is a system making real-time clinical escalation decisions.

A prior authorisation AI classified as “administrative” — because it processes paperwork, not patients. But it directly affects patient access to care. Assessment found a 6% racial disparity in authorisation rates, embedded in decades of training data. The classification as administrative had shielded it from the scrutiny that a clinical tool would receive.

A clinical documentation AI with “95% accuracy” across 40,000 encounters per month. Sounds excellent. But stratified analysis showed roughly 120 notes per month containing hallucinated allergies, invented symptoms, or omitted findings — concentrated in the most complex patients, the ones where getting the note right matters most.

None of these systems are failures. They’re genuinely useful tools doing real work in real clinical settings. The point is that aggregate accuracy metrics don’t tell you where the risk concentrates. And if you can’t see where the risk concentrates, you can’t insure it.
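To make the point about aggregate metrics concrete, the following Python sketch is an added example, not code from the paper or from GLACIS. It uses the 40,000 notes and 120 harmful notes quoted above; the split across complexity strata, the stratum names and the 1% tolerance are constructed assumptions.

```python
import math
from collections import defaultdict

def wilson_upper(errors, n, z=1.96):
    """Upper bound of the Wilson score interval for an error proportion."""
    if n == 0:
        return 1.0
    p = errors / n
    denom = 1 + z * z / n
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre + margin) / denom

def stratified_report(records, tolerance):
    """records: iterable of (stratum, is_harmful). Returns (aggregate rate, per-stratum rows)."""
    counts = defaultdict(lambda: [0, 0])          # stratum -> [harmful, total]
    for stratum, harmful in records:
        counts[stratum][0] += int(harmful)
        counts[stratum][1] += 1
    total_harmful = sum(h for h, _ in counts.values())
    total_n = sum(n for _, n in counts.values())
    rows = {}
    for stratum, (h, n) in counts.items():
        upper = wilson_upper(h, n)
        rows[stratum] = {
            "n": n,
            "rate": h / n,
            "upper95": upper,
            "share_of_harm": h / total_harmful if total_harmful else 0.0,
            "flag": upper > tolerance,            # the stratum, not the average, is what gets flagged
        }
    return total_harmful / total_n, rows

def constructed_month():
    """40,000 notes, 120 harmful (the page's figures); the per-stratum split is constructed."""
    split = {"routine": (30000, 12), "moderate": (8000, 18), "complex": (2000, 90)}
    records = []
    for stratum, (n, harmful) in split.items():
        records += [(stratum, True)] * harmful + [(stratum, False)] * (n - harmful)
    return records

if __name__ == "__main__":
    aggregate, rows = stratified_report(constructed_month(), tolerance=0.01)
    print(f"aggregate harmful-note rate: {aggregate:.4f}")
    for stratum, row in rows.items():
        print(stratum, {k: round(v, 4) if isinstance(v, float) else v for k, v in row.items()})
```

With this constructed split the aggregate rate sits well inside the tolerance while the complex stratum alone exceeds it and carries most of the harm.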

Why this matters for what we’re building

When I read the paper in draft, the thing that struck me was how precisely the three-layer framework maps to what we’ve built at GLACIS. Not because we designed it that way — we didn’t have the paper when we started — but because the same structural analysis leads to the same conclusions.

autoredteam gives you Layer 3’s pre-deployment adversarial stress testing. Arbiter gives you continuous post-deployment monitoring and enforcement. OVERT gives you the tamper-evident attestation that everything actually ran. The paper gives all of that a clinical and actuarial context we couldn’t have written ourselves.

What Jennifer and Sarah have done is connect the technical infrastructure we’ve built to the insurance and legal frameworks that will ultimately determine whether healthcare AI scales or stalls. The Standards-Proof framework isn’t just an academic exercise. It’s a bridge between the people building AI governance tools and the people who need to price the risk those tools are designed to manage.

The path forward

I think this paper will age well. The healthcare AI insurance market is going to develop fast over the next two years — Colorado’s AI Act takes effect in June 2026, the EU AI Act’s high-risk obligations land in August, and state-level regulations are proliferating across the US. Every one of these creates new liability exposure. Insurers will need frameworks, and this one is grounded in standards that already exist.

The paper also proposes parametric coverage mechanisms — insurance products where claims are triggered by measurable deviations from validated baselines rather than by litigation outcomes. That’s a fundamentally different approach to AI insurance, and it only works if you have the continuous monitoring and attestation infrastructure to detect those deviations in real time.
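A minimal illustration of why parametric triggers depend on tamper-evident monitoring, added here as an example and not drawn from the paper, OVERT or Arbiter. It assumes an HMAC hash chain as a stand-in for whatever attestation scheme is actually used; the key, record fields, baseline and thresholds are all constructed.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"   # assumption: held by the attestor, outside the monitored system
GENESIS = "0" * 64

def _mac(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def append(log, payload):
    """Append a record whose MAC covers the payload, its sequence number and the previous MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = json.dumps({"seq": len(log), "prev": prev, "payload": payload}, sort_keys=True)
    log.append({"body": body, "mac": _mac(body)})

def verify(log):
    """Return the index of the first record that fails verification, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(_mac(rec["body"]), rec["mac"]):
            return i                      # record content was altered
        body = json.loads(rec["body"])
        if body["seq"] != i or body["prev"] != prev:
            return i                      # record removed, inserted or reordered
        prev = rec["mac"]
    return None

def parametric_trigger(log, baseline, max_deviation, window):
    """Evaluate the trigger over the last `window` records, but only on verified evidence."""
    bad = verify(log)
    if bad is not None:
        return {"status": "evidence_invalid", "first_bad_record": bad}
    recent = [json.loads(r["body"])["payload"] for r in log[-window:]]
    if not all(p["controls_executed"] for p in recent):
        return {"status": "control_gap"}  # no attestation that safety controls ran
    rate = sum(p["undertriage"] for p in recent) / sum(p["cases"] for p in recent)
    status = "triggered" if rate - baseline > max_deviation else "within_baseline"
    return {"status": status, "rate": rate}

def demo_log():
    """Constructed weekly monitoring records for a triage system (not data from the paper)."""
    log = []
    for undertriage in (25, 30, 60, 70):
        append(log, {"cases": 500, "undertriage": undertriage, "controls_executed": True})
    return log

if __name__ == "__main__":
    log = demo_log()
    print(parametric_trigger(log, baseline=0.05, max_deviation=0.03, window=4))
    log[3]["body"] = log[3]["body"].replace('"undertriage": 70', '"undertriage": 20')
    print(parametric_trigger(log, baseline=0.05, max_deviation=0.03, window=4))
```

A chain like this detects edits, removals and reordering inside the log, but not truncation of the newest records, so the latest MAC has to be anchored somewhere the monitored system cannot rewrite.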

If you’re building healthcare AI, underwriting AI risk, running a health system that’s deploying AI tools, or advising on clinical AI liability — read this paper. It’s 36 pages, four case studies, and a concrete framework. The executive summary is available without sign-up if you want to start there.

I’m proud to work with Jennifer and Sarah. This is the kind of work that makes hard problems tractable.

Read the paper

  • Full white paper: 36 pages including the Standards-Proof framework, four case studies, and recommendations.
  • Executive summary: Two-page overview, no sign-up required.
  • auto-redteam.com: Start Layer 3 today. Free adversarial assessment of any AI system.
