Year Ahead

What JPM 2026 signaled for healthcare AI compliance

State AI laws are taking effect, consent litigation is accelerating, and healthcare governance committees want proof — not attestation letters.

3 min read
Joe Braidwood
Joe Braidwood
Co-founder & CEO
3 min read

When healthcare’s biggest annual gathering convened in San Francisco this January, JPM 2026 made one thing clear: healthcare AI compliance had moved from theory to obligation.

The conversations at JPM have changed. Not “are you using AI?” but “can you prove your AI is safe?” Not “what’s your AI strategy?” but “when a patient asks how an AI system shaped a decision, can you explain it?”

The shift is real, and it’s happening fast.

What’s ahead on AI regulation

Let’s be honest about the landscape:

  • Colorado: The state reset its AI law. SB 24-205 was repealed and replaced by SB 26-189 (“Automated Decision-Making Technology”), signed May 14, 2026, with substantive compliance commencing January 1, 2027. It now turns on covered automated decision-making technology (ADMT) used to materially influence a consequential decision, including some healthcare access, cost, and coverage decisions.
  • European Union: The EU AI Act’s standalone high-risk (Annex III) obligations carry an original date of August 2, 2026, but a “Digital Omnibus” provisional agreement would push them to no later than December 2, 2027 (and embedded Annex I systems to August 2, 2028)—pending formal adoption.
  • All year: State-level AI requirements and enforcement theories keep expanding, which makes jurisdiction-by-jurisdiction tracking part of the job.

And that’s just regulation. Litigation pressure is mounting too. The Sharp HealthCare lawsuit over ambient AI scribes is a reminder that consent and recording theories are active, and California’s wiretapping statute carries statutory damages that can scale quickly when plaintiffs plead per-encounter violations.

The question governance committees are asking

Here’s what I’m hearing from health system CISOs and CMIOs: “We’ve approved dozens of AI vendors based on attestation letters and SOC 2 reports. Now the board is asking what happens if one of them hallucinates in a clinical setting. And we don’t have a good answer.”

The old playbook—trust the vendor, check the boxes, move on—doesn’t work anymore. Governance committees want proof. Not “we have guardrails” but “here’s evidence the guardrail executed on this patient’s data at this timestamp.”

That’s the gap. And it’s why we’ve been heads-down building resources to help.

What we’ve built

Over the past few months, we’ve put together a library of practical guides for navigating what’s ahead. Not theoretical frameworks—actionable resources for real compliance challenges.

Plus deep-dives on HIPAA-compliant AI, NIST AI RMF implementation, ISO 42001 certification, and role-specific guides for CISOs, CMIOs, and General Counsel.

See you at JPM

We were in San Francisco January 12–15. If you’re navigating the same AI compliance questions now—whether you’re a health system trying to vet vendors, or a vendor trying to satisfy enterprise security reviews—the conversation is still open.

The shift from “trust us” to “prove it” is happening. The organizations that figure it out early will have a real advantage. The ones that wait will be answering the same questions under far more pressure.

It’s shaping up to be a consequential year for healthcare AI — and we’re ready for the conversation.

Meeting at JPM?

Missed us at JPM? Use the general scheduling link and we can pick up the same AI compliance conversation now.

Schedule a Meeting