In two weeks, healthcare’s biggest annual gathering kicks off in San Francisco. JPM 2026 isn’t just another conference year—it’s the starting gun for the most consequential twelve months in healthcare AI compliance.
The conversations at JPM will be different this year. Not “are you using AI?” but “can you prove your AI is safe?” Not “what’s your AI strategy?” but “what happens when Colorado asks for your risk assessment?”
The shift is real, and it’s happening fast.
What’s Coming in 2026
Let’s be honest about the landscape:
- June 30: Colorado’s AI Act is scheduled to take effect. Coverage turns on high-risk systems making or substantially influencing consequential decisions, including some healthcare access, cost, and coverage decisions.
- August 2: The EU AI Act’s Annex III high-risk obligations begin to apply, while many product-safety systems under Article 6(1) follow on August 2, 2027.
- All year: State-level AI requirements and enforcement theories keep expanding, which makes jurisdiction-by-jurisdiction tracking part of the job.
And that’s just regulation. Litigation pressure is mounting too. The Sharp HealthCare lawsuit over ambient AI scribes is a reminder that consent and recording theories are active, and California’s wiretapping statute carries statutory damages that can scale quickly when plaintiffs plead per-encounter violations.
The Question Governance Committees Are Asking
Here’s what I’m hearing from health system CISOs and CMIOs: “We’ve approved dozens of AI vendors based on attestation letters and SOC 2 reports. Now the board is asking what happens if one of them hallucinates in a clinical setting. And we don’t have a good answer.”
The old playbook—trust the vendor, check the boxes, move on—doesn’t work anymore. Governance committees want proof. Not “we have guardrails” but “here’s evidence the guardrail executed on this patient’s data at this timestamp.”
That’s the gap. And it’s why we’ve been heads-down building resources to help.
What We’ve Built
Over the past few months, we’ve put together a library of practical guides for navigating what’s ahead. Not theoretical frameworks—actionable resources for real compliance challenges.
Healthcare AI Compliance Briefing
The essential pre-read for JPM. State laws, consent litigation, HIPAA gaps, and what governance committees are asking.
Regulation: Colorado AI Act Compliance Guide
SB 24-205 requirements, timeline, and implementation checklist. What healthcare AI vendors need before June 30.
Tracker: US State AI Laws Tracker
The patchwork is forming. Track which states are regulating AI and what their requirements mean for healthcare.
Risk Alert: Ambient AI Scribe Privacy Guide
CIPA liability, consent requirements, and lessons from the Sharp HealthCare lawsuit.
International: EU AI Act Compliance Guide
Complete guide to the EU’s AI regulation. Risk classifications, timelines, and implementation.
Plus deep-dives on HIPAA-compliant AI, NIST AI RMF implementation, ISO 42001 certification, and role-specific guides for CISOs, CMIOs, and General Counsel.
See You at JPM
We were in San Francisco January 12–15. If you’re navigating the same AI compliance questions now—whether you’re a health system trying to vet vendors, or a vendor trying to satisfy enterprise security reviews—the conversation is still open.
The shift from “trust us” to “prove it” is happening. The organizations that figure it out early will have a real advantage. The ones that don’t will spend 2026 playing catch-up.
Happy New Year. It’s going to be an interesting one.
Meeting at JPM?
Missed us at JPM? Use the general scheduling link and we can pick up the same AI compliance conversation now.