Thought leadership from Anal Dharamshi

As AI transforms diagnostics and clinical decision-making, the frameworks governing its use are evolving fast. Regulation of artificial intelligence in healthcare follows a fragmented, multi-layered approach, with oversight split between medical device rules, new state-level statutes, and international frameworks like the EU AI Act. Regulating AI involves balancing the need for innovation with patient safety and data privacy, emphasizing transparency and equitable access. Here is what every medtech and digital health professional needs to understand right now.

We have all seen the headlines: AI algorithms detecting cancer earlier than radiologists, identifying stroke patterns in seconds, flagging urgent cases before a clinician even opens the file. The potential is extraordinary – and well documented.

Here is the reality that does not make the headlines: none of that potential reaches a patient without navigating one of the most complex and rapidly evolving regulatory landscapes in the history of health care technology.

In 2025, the regulatory environment for AI-enabled medical devices, particularly Software as a Medical Device (SaMD), has reached a genuine inflection point. The rules are being written in real time, and the organizations that understand them will lead. Those that don't will face serious delays, rework, and compliance risk.

The Regulatory Landscape

For global medtech and digital health teams, the regulatory picture is now genuinely multi-layered. The major frameworks are moving in the same direction, but at varying speeds and with differing requirements. Here is an overview of the directions taken by the FDA (US Food and Drug Administration), the EU under the MDR (Medical Device Regulation) and the AI Act, the IMDRF (International Medical Device Regulators Forum), and the UK MHRA (Medicines and Healthcare products Regulatory Agency):

  • FDA / United States – “Total Product Lifecycle (TPLC)”

In January 2021, the FDA published the 'Artificial Intelligence and Machine Learning Software as a Medical Device Action Plan', a strategic document outlining its framework and next steps for regulating AI/ML-based medical devices. It built on the FDA's 2019 discussion paper proposing a regulatory framework for modifications to AI/ML-based SaMD, which introduced the idea that pre-specified modifications could be reviewed up front rather than change by change. The FDA's traditional device framework was not designed for adaptive AI and ML, so a risk-based approach to the premarket review of modifications to these devices was needed.

Draft guidance issued in January 2025 ('Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations') recommends documentation across model design, data lineage, bias analysis, and post-market monitoring, and points to a Predetermined Change Control Plan (PCCP) for adaptive AI. Under its final PCCP guidance of December 2024, the FDA allows manufacturers to include a PCCP in a marketing submission: modifications described in the plan, including automatic retraining and updates after the device is on the market, can then be implemented without a new marketing submission for each change, provided they are made exactly as pre-specified.

The FDA treats many AI tools as SaMD and categorizes devices into Class I (low), II (moderate), or III (high risk). Most AI-enabled devices fall into Class II, requiring either 510(k) clearance or a De Novo request. As of December 20, 2024, the FDA's list of AI-enabled devices included over 1,000 devices authorized for marketing, demonstrating the rapid integration of AI into medical devices. A given device may appear in that list more than once, across submissions or versions, so entry counts should not be read as a count of distinct products. The attraction is clear: AI in a device can learn from real-world use and improve its performance over time, a significant advantage in clinical settings, and the PCCP is the mechanism that lets a manufacturer realize this without returning to the FDA for every update.

  • EU MDR + AI Act – “High-risk AI, double compliance”

The EU AI Act entered into force in August 2024 and is the first comprehensive horizontal AI law. It applies in phases: prohibited practices and AI literacy obligations from February 2025, most high-risk obligations from August 2026, and, for high-risk AI that is a safety component of or itself a product covered by EU harmonisation legislation such as the MDR (Annex I), from August 2027. Software used for emergency triage and dispatch is listed as high-risk in Annex III; AI-based SaMD that requires a notified body conformity assessment under the MDR is high-risk under Annex I. Either way, high-risk status triggers requirements on top of existing MDR obligations: a risk management system, data governance and high-quality training datasets, technical documentation, logging, transparency to deployers, human oversight, and a QMS, with the intent that the AI Act conformity assessment is carried out within the MDR assessment rather than as a separate procedure.

  • IMDRF / Global – “Harmonization in progress”

The International Medical Device Regulators Forum (IMDRF) is developing SaMD and PCCP guidance to align frameworks globally, though significant jurisdictional variation remains in review timelines and classification.

  • UK MHRA – “Principles-based, innovation-first”

The UK's post-Brexit approach is deliberately non-legislative, applying existing MHRA medical device guidance to AI, with a stated priority of avoiding barriers to innovation.

Verification and Validation

Verification and validation are essential pillars in the development and deployment of AI-enabled medical devices. The FDA has established guidance documents to assist AI developers in ensuring that AI-enabled medical devices are both safe and effective for their intended use. Verification confirms that the software meets its specified requirements, that is, the algorithm was built as designed; validation confirms that the device meets user needs and its intended use, that is, it produces accurate and reliable results in the real clinical setting.

For AI developers, these steps are not optional; they are crucial for gaining FDA marketing authorization (510(k) clearance, De Novo grant, or PMA approval) and bringing new devices to market. The review process involves a comprehensive assessment of the device's safety profile, intended functions, and supporting documentation. This rigorous process helps to identify and mitigate potential risks, ensuring that only thoroughly vetted AI-enabled medical devices reach healthcare providers and patients. By adhering to these verification and validation requirements, organizations can demonstrate regulatory compliance and build trust in the safety and effectiveness of their AI solutions.

Data Protection

Data protection stands at the core of responsible AI integration in healthcare. With the increasing use of AI-enabled medical devices, healthcare providers must prioritize the security and privacy of patient data. The Health Insurance Portability and Accountability Act (HIPAA) sets strict standards for data privacy and security, applying to healthcare providers, health plans, and clearinghouses. While AI developers and vendors are not always directly covered entities under HIPAA, they often act as business associates, which makes them subject to the same requirements for protecting patient information under a business associate agreement.

To ensure compliance, healthcare providers must work closely with AI developers to implement robust security measures in all AI-enabled medical devices. This includes safeguarding data against unauthorized access, use, or disclosure, and maintaining transparency about how patient data is collected, stored, and processed. Effective data protection not only supports regulatory compliance but also builds patient trust and safeguards the integrity of healthcare delivery in an increasingly digital world.

Core Compliance Challenges

These are not theoretical problems, but friction points that engineers witness on real projects, where compliance gaps emerge frequently.

Adaptive algorithms do not align well with static frameworks. Traditional regulation assumes a fixed, unchanging system, and an AI model that continues learning after release challenges assumptions built into IEC 62304, the FDA 510(k) pathway, and MDR conformity assessment alike. Regulators are adapting their review processes to iterative modification, through mechanisms such as the PCCP and through stakeholder feedback on guidance, but the underlying mismatch remains.

Traceability breaks under change. Maintaining end-to-end traceability from requirements through design, code, and verification, and keeping it current as the model evolves, remains one of the most common audit findings on SaMD projects.

Dual EU compliance adds significant overheads. Products subject to both the EU MDR and the EU AI Act must comply with overlapping yet distinct requirements related to risk management, QMS, and technical documentation, while guidance on harmonization between the two frameworks is still evolving.

Explainability is not optional. Regulators including the FDA, EU authorities and notified bodies under the MDR, and the MHRA are actively examining Explainable AI (XAI) requirements. Deep learning models that cannot surface their decision logic face increasing scrutiny. Algorithmic transparency and explainability are now core regulatory goals, intended to foster trust and informed consent among clinicians and patients.

Data governance is a compliance issue, not just an ethics one. Cross-border data use, training data bias, and the intersection of GDPR and HIPAA create compliance exposure that must be addressed in technical documentation, not just in privacy policies. In the absence of a unified US federal law, new healthcare-specific AI statutes have been enacted by 21 states as of early 2026.

A 2024 survey of U.S. healthcare compliance professionals identified that nearly 75% were already leveraging or actively considering AI for internal legal compliance functions. AI in healthcare compliance automates compliance checks, monitors for regulatory updates, and verifies provider credentials, helping healthcare teams stay ahead of requirements set by the Department of Health and Human Services and other authorities. Integrating AI in healthcare compliance can also enhance data accuracy by automatically checking records in real time and flagging discrepancies, such as billing code errors, before they escalate into larger compliance issues.

“AI should be viewed as a tool to assist, rather than replace, healthcare professionals — and regulators are now codifying exactly that principle into law through mandatory human oversight requirements.”

What This Means For Medtech Teams

Compliance as a competitive advantage

The organizations that will lead in AI-enabled healthcare are not the ones waiting for the regulatory picture to “settle.” The picture may never fully settle – that is the nature of this dynamic technology. The leaders are building compliance infrastructure that moves with their development processes, not behind them.

Concretely, that means:

  • treating IEC 62304 traceability as a continuous, automated process rather than a documentation exercise at submission;
  • embedding risk management per ISO 14971 into development workflows rather than retrofitting it;
  • aligning health software product safety and quality objectives with IEC 82304-1 from the outset; and
  • developing a PCCP from day one for any model likely to learn or adapt post-market.

AI-powered compliance tooling is now mature enough to support this – platforms purpose-built for SaMD workflows can automate Requirements Traceability Matrix generation, enforce QMS procedures within developer tools, and gate releases against unresolved risk control evidence. The question is no longer whether such tools exist, but whether teams are investing in evaluating and validating them against real project artifacts.
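The release gate described above is simple to build yourself, and it is worth seeing what "gate releases against unresolved risk control evidence" looks like as code. The following is an added example, not code from the article or from any vendor platform. It assumes a hypothetical, deliberately small data model: requirements in the IEC 62304 sense, risk controls in the ISO 14971 sense that point at the requirements implementing them, test results tagged with the model version they ran against, and a release candidate carrying the kind of change made since the last release together with the change types the PCCP pre-specifies. All identifiers and sample records are constructed for illustration. The gate fails a release when a requirement has no verification, when evidence is stale (it passed against an earlier model version than the one being shipped), when a risk control points at a requirement that does not exist or lacks current evidence, or when the change falls outside the PCCP.

```python
"""Traceability release gate for an AI-enabled SaMD (hypothetical example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    verified_by: tuple[str, ...]      # test ids that verify this requirement


@dataclass(frozen=True)
class RiskControl:
    control_id: str
    hazard: str
    implemented_by: tuple[str, ...]   # requirement ids that implement the control


@dataclass(frozen=True)
class TestResult:
    test_id: str
    status: str                       # "pass" or "fail"
    model_version: str                # model version the evidence was produced against


@dataclass(frozen=True)
class ReleaseCandidate:
    model_version: str
    change_type: str                  # modification made since the last release
    pccp_allowed_changes: frozenset[str]  # change types pre-specified in the PCCP


def gate_release(reqs, controls, tests, candidate):
    """Return (passed, findings). The gate passes only when findings is empty."""
    req_index = {r.req_id: r for r in reqs}
    test_index = {t.test_id: t for t in tests}
    findings = []

    def current_passing_tests(req):
        # Evidence counts only if it passed against the exact model being released;
        # a pass against an earlier model version is stale once the model changes.
        return [t for t in (test_index.get(tid) for tid in req.verified_by)
                if t is not None and t.status == "pass"
                and t.model_version == candidate.model_version]

    for req in reqs:
        for tid in req.verified_by:
            if tid not in test_index:
                findings.append(f"{req.req_id}: references missing test {tid}")
        if not req.verified_by:
            findings.append(f"{req.req_id}: no verifying test")
        elif not current_passing_tests(req):
            findings.append(f"{req.req_id}: no passing evidence for model {candidate.model_version}")

    for ctrl in controls:
        if not ctrl.implemented_by:
            findings.append(f"{ctrl.control_id}: hazard '{ctrl.hazard}' has no implementing requirement")
        for rid in ctrl.implemented_by:
            if rid not in req_index:
                findings.append(f"{ctrl.control_id}: implementing requirement {rid} does not exist")
            elif not current_passing_tests(req_index[rid]):
                findings.append(f"{ctrl.control_id}: control via {rid} lacks current verification evidence")

    # A change the PCCP did not pre-specify is not covered by the plan at all.
    if candidate.change_type not in candidate.pccp_allowed_changes:
        findings.append(f"change '{candidate.change_type}' is outside the PCCP; "
                        "a new marketing submission is likely required")

    return (not findings, findings)


# Constructed sample artifacts (not real device data).
REQS = (
    Requirement("REQ-1", "Lesion detector sensitivity >= 0.90 on the hold-out set", ("TST-1",)),
    Requirement("REQ-2", "Reject inputs whose DICOM modality is not CT", ("TST-2",)),
    Requirement("REQ-3", "Inference logs contain no PHI", ()),
)
CONTROLS = (
    RiskControl("RC-1", "missed lesion", ("REQ-1",)),
    RiskControl("RC-2", "PHI disclosure via logs", ("REQ-3",)),
    RiskControl("RC-3", "wrong-modality input", ("REQ-9",)),   # dangling link
)
TESTS = (
    TestResult("TST-1", "pass", "1.2.0"),
    TestResult("TST-2", "pass", "1.1.0"),   # stale: ran against the previous model
)
PCCP_CHANGES = frozenset({"retrain_on_new_data", "threshold_tuning"})
CANDIDATE_RETRAIN = ReleaseCandidate("1.2.0", "retrain_on_new_data", PCCP_CHANGES)
CANDIDATE_ARCH = ReleaseCandidate("1.2.0", "architecture_change", PCCP_CHANGES)

if __name__ == "__main__":
    for cand in (CANDIDATE_RETRAIN, CANDIDATE_ARCH):
        ok, notes = gate_release(REQS, CONTROLS, TESTS, cand)
        print(f"{cand.model_version} ({cand.change_type}): {'PASS' if ok else 'BLOCKED'}")
        for note in notes:
            print("  -", note)
```

Run as a script it blocks both candidates: the retrained model has four open findings (stale evidence for REQ-2, no test for REQ-3, and two risk controls without current evidence), and the architecture change adds a fifth because it is not a change the PCCP pre-specified. In a real pipeline the same function would read the requirement, hazard and test-report records exported from the QMS, and its findings would be the artifacts a notified body or FDA reviewer asks for when traceability is questioned.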

The regulatory frameworks for AI in healthcare are demanding – but they exist for good reason. Patient safety depends on AI that is not just accurate in a lab, but validated, transparent, and accountable in the real world. That standard is worth meeting with rigor.

Author details:

Anal obtained an M.S. in Biomedical Engineering from RWTH Aachen University, Germany. He has 18+ years of diverse experience in the healthcare domain with a focus on medical and life science devices. He started his journey with Philips Medical B.V., Netherlands and then with Medtronic plc, Netherlands.

Anal has worked with a wide range of medical device products with varied clinical applications, from medical device Class I to Class III designations. He has hands-on R&D and marketing experience with cardiac devices, diabetes management devices, neuromodulation therapy devices, and hearing-aid and audiometry devices.

Anal is responsible for technical marketing and providing technical solutions to our medical device customers. He is a catalyst to build our medical device and services business and drives our medical segment strategy.

TIME BUSINESS NEWS