Abstract
Regulation of artificial intelligence moved from concept to compliance in 2025. The European Union’s AI Act entered its first operational phase, the United States advanced federal guidance and state legislation, the United Kingdom expanded regulator-led oversight, and China codified labeling and ethics obligations. Together, these global developments signal the emergence of auditable AI governance frameworks across major jurisdictions. This commentary distills the most consequential legal and regulatory actions of 2025 and offers a practical playbook for clinicians and AI-governance leaders within health systems preparing for 2026 implementation milestones.
Introduction: Why 2025 Matters
Across every major market, 2025 marked the transition from policy dialogue to enforceable AI regulation. For health care and precision oncology—where machine learning already informs imaging, diagnostics, and treatment optimization—these legal and regulatory frameworks redefine what constitutes “responsible” AI. Understanding jurisdictional nuances is essential for compliance, clinical validation, and ethical practice.
European Union: The EU AI Act Moves from Concept to Compliance
The European Union Artificial Intelligence Act (EU AI Act), adopted in 2024, entered its first operational phase in 2025. 1 Beginning February 2, 2025, the EU AI Act’s regulations on prohibited AI practices (i.e., “unacceptable risk” AI systems and practices) took effect, alongside obligations for AI literacy and governance. From August 2, 2025, rules for General-Purpose AI (GPAI) models introduced documentation and transparency duties for providers of GPAI. Obligations for certain high-risk AI systems—including medical devices and in vitro diagnostic medical devices—take effect in August 2026, but manufacturers must begin conformity-assessment planning now.
Some key developments include the establishment of the European Commission AI Office, the GPAI Code of Practice, oversight of national market surveillance authorities, and the requirement for AI literacy among personnel operating and using AI systems.
United States: Sectoral Regulation and State-Level Acceleration
The United States continued its sector-based regulatory model in 2025. The Office of Management and Budget (OMB) released memoranda M-25-21 and M-25-22, mandating AI risk management, transparency, and acquisition controls across federal agencies—standards now influencing private-sector contracting. 2 In August 2025, the Food and Drug Administration (FDA) finalized its guidance on Predetermined Change Control Plans (PCCPs) for AI/ML-enabled medical devices, allowing pre-authorized algorithm updates within defined safety parameters. 3 Meanwhile, the Office of the National Coordinator for Health IT (ONC) implemented its HTI-2 Rule (January 2025), strengthening interoperability and data-exchange standards critical to AI deployment in clinical systems. 4 At the state level, California’s SB 53 (2025) established disclosure and incident-reporting obligations for frontier-model developers, while Colorado’s 2024 AI Act was deferred to June 2026 for refinement. 5 The result is an expanding patchwork—federal sectoral oversight underpinned by dynamic state experimentation.
United Kingdom: Regulator-Led, Sector-Aware Oversight
The United Kingdom maintained its “pro-innovation” stance on AI, relying on existing regulators rather than a single statute. In April 2025, the Competition and Markets Authority (CMA) and Information Commissioner’s Office (ICO) issued a joint statement clarifying expectations for foundation model (FM) providers—developers of large, GPAI systems—emphasizing transparency, privacy, and competition fairness. 6 The Digital Markets, Competition and Consumers Act (DMCCA), effective January 1, 2025, expanded CMA powers over entities with “strategic market status,” including major AI infrastructure providers. 7 For health care organizations, this regulator-led approach means applying data protection, consumer, and medical device rules in concert—requiring multidisciplinary governance and documentation of model provenance, data use, and bias mitigation.
China: Governance, Labeling, and Ethical Stewardship of Generative AI
China’s framework advanced from principle to enforcement in 2025. New content-labeling measures, effective September 1, 2025, require explicit identification of AI-generated materials across modalities. 8 The rules intersect with existing algorithm-filing and cross-border data-transfer security assessments administered by the Cyberspace Administration of China. The Global AI Governance Initiative Action Plan (July 2025) reaffirmed China’s emphasis on safety, traceability, and ethical accountability. 9 For oncology research collaborations, compliance entails approved data transfers, labeled synthetic datasets, and documented algorithmic provenance—operationalizing traceability as a central compliance pillar.
Practical Playbook: Steps for Clinicians and AI-Governance Leaders
Across many jurisdictions, the recurring theme of 2025 has been operational accountability. The legal frameworks now require organizations to demonstrate—not merely assert—control over their AI systems. 10 For oncology programs that rely on predictive analytics, radiomics, or clinical-decision-support algorithms, this means building verifiable processes that connect legal obligations to day-to-day clinical governance.
1. Inventory and classify AI assets comprehensively. Move beyond ad hoc lists. Maintain a live “AI asset register” that identifies each tool, its developer, its regulatory pathway (e.g., FDA-cleared, CE-marked, research-use only), and its underlying model type (static, adaptive, or general-purpose). The register should link to key documents—validation reports, version histories, and bias-testing summaries—so that compliance and quality teams can audit on demand. The EU AI Act’s documentation requirements and the US FDA’s real-world monitoring expectations will soon make such inventories necessary.
2. Establish documented AI literacy. The EU AI Act and similar initiatives in the UK require “AI literacy” among staff operating and using AI, which involves a basic understanding of how the system functions and its limits. Hospitals and research institutions should treat AI education as a component of continuing clinical education. Training records—modules completed, dates, and responsible departments—should be retained as evidence of compliance and incorporated into annual credentialing reviews.
3. Integrate change management and update control into clinical workflows. FDA’s PCCPs create a regulatory safe harbor for algorithmic evolution. Even for non-medical device AI systems, institutions should mirror PCCP logic internally: predefine the range of acceptable model modifications, validation datasets, and performance thresholds that trigger re-review. Include “rollback” procedures for reverting to prior model versions if drift is detected. Oncology applications, where data distributions shift with new treatment protocols or imaging standards, particularly benefit from this discipline.
4. Strengthen data governance and interoperability safeguards. ONC’s HTI-2 rule requires certified health-IT systems to support transparent data exchange and prohibits practices that block interoperability. AI systems should therefore be designed to integrate seamlessly with EHRs and image archives, respecting access controls and audit logs. Clinicians and IT administrators should verify that model inputs are sourced from validated datasets and that de-identification or patient-consent obligations are properly implemented before data are exported for algorithm training.
5. Implement contractual and procurement safeguards. Vendor agreements should now include:
   - Clauses requiring adherence to all applicable AI laws (EU, US, UK, and China).
   - Obligations to provide technical documentation, model cards, and transparency reports.
   - Notification duties for significant model changes or incidents.
   - “Change-of-law” provisions allowing the health care organization to suspend use or demand updates when regulations evolve (e.g., California’s frontier-model safety law or China’s labeling rules).
   Embedding these requirements in procurement ensures regulatory agility without renegotiating entire contracts.
6. Assess model risk and provenance for GPAI and foundation models. Many clinical tools are now built on large foundation models (e.g., multimodal vision-language systems). Deployers should review the underlying model’s training data disclosures, documented biases, and intended-use statements. Where developers provide model cards or system cards, retain them as part of compliance files.
7. Establish provenance, labeling, and content-authenticity controls. China’s 2025 labeling regulations make content authenticity a global compliance frontier. Oncology teams using generative AI for patient education, image synthesis, or documentation should consider embedding watermarking or metadata identifiers showing when and how AI contributed to the output. Provenance logs should be stored alongside the patient record to ensure traceability during audits or publication review.
8. Integrate ethics review and risk escalation pathways. Institutional review boards and clinical ethics committees should explicitly evaluate AI use cases for transparency, fairness, and accountability. Create escalation channels for clinicians to report anomalous or unsafe AI behavior—mirroring device adverse-event systems. Such “AI incident” logs are increasingly expected under both EU and US frameworks.
Together, these measures translate emerging law into operational compliance—bridging the divide between legal text and clinical practice. The organizations that build AI compliance systems now will be best positioned to meet future legal enforcement milestones.
Looking Ahead to 2026: The Compliance Horizon
The next 12 months will test whether institutions can move from framework design to measurable execution. Regulators are shifting from rulemaking to supervision and enforcement, and health care is at the center of that pivot.
Across these regions, regulators share three common expectations: transparency, traceability, and accountability. Organizations that can produce contemporaneous evidence—training logs, validation studies, risk assessments—on demand will be better positioned in 2026. Institutions that treat AI oversight as an extension of their clinical-quality infrastructure, rather than a parallel process, will reduce compliance burden while strengthening trust among patients and regulators alike.
Ultimately, precision oncology’s promise depends on trustworthy data and reproducible algorithms. As legal frameworks converge, the ability to demonstrate responsible AI governance will become a marker of institutional excellence—an ethical imperative as much as a regulatory one.
Author Disclosure Statement
B.H. is an Editorial Board Member for AI in Precision Oncology.
Funding Information
No funding was received for this article.
