David Talby, PhD, MBA, CEO at John Snow Labs. Solving real-world problems in healthcare, life sciences and related fields with AI.

A new institutional fixture has emerged across healthcare: the AI governance committee. From academic medical centers to regional health systems and pharmaceutical firms, these bodies have been set up as the ultimate gatekeepers—diverse, knowledgeable panels that review every AI proposal before it starts and every system before it goes live.

The promise is real, and the reality is setting in differently. As these committees proliferate, many have become bureaucratic hurdles that produce governance theater rather than meaningful risk mitigation. If health systems, payers and pharma companies want to move from dozens of AI pilots to hundreds of production systems, the manual committee model has to change.

The Mandate Versus The Reality

In theory, an AI governance committee operates like an institutional review board or a pharmacy and therapeutics committee. A project team submits an impact analysis and a risk assessment. The committee of clinicians, attorneys, ethicists and IT leaders reviews it against the NIST AI Risk Management Framework, Coalition for Health AI (CHAI) guidance, HHS HTI-1, ACA Section 1557, ISO/IEC 42001 and a growing list of state-level rules. In practice, the model collapses under three weights.

The Expertise Gap In Project Teams

We expect the people building or buying AI to perform their own risk assessments. A person running a revenue-cycle optimization project is rarely an expert in the hundreds of laws and standards governing AI. To produce a quality assessment, they need to understand Section 1557’s nondiscrimination requirements, HTI-1’s transparency obligations and the FAVES principles (fairness, appropriateness, validity, effectiveness, safety) that CHAI and HHS now expect. The investment is beyond the scope of the role. Submission quality varies wildly, and committees end up correcting basic misunderstandings instead of debating strategy.

Knowledge Dilution On The Committee

Organizations recruit leaders from across the enterprise to achieve breadth, but these members are part-time volunteers in AI governance. Ninety minutes every other week is not enough to stay current on the FAVES methodology, ISO/IEC 42001 controls or the pace of state legislation. Because committee members often do not know the technical frameworks deeply, the conversation drifts toward what they do know: business value and ROI. Business value is not governance. A project can be highly profitable and still carry serious bias, safety and liability risk.

The Scaling Problem

A modern health enterprise wants to deploy dozens or hundreds of AI use cases a year. A 2024 Scottsdale Institute survey of 67 health systems found that large systems like Advocate Health were evaluating more than 225 AI solutions to select roughly 40 for production. A central committee cannot meaningfully review 200-plus projects a year. When review takes months, the result is shadow AI: teams routing around the committee, framing AI projects as standard software updates or accepting vendor assurances at face value. Governance has to be as agile as the technology it oversees.

From Manual Gatekeeping To Automated Assurance

The fix is not a bigger committee or more consultants. The fix is automating the parts of governance that should never have been manual: document analysis, regulatory mapping, risk-tier classification and control selection. Human attention is reserved for the decisions that genuinely require it.

A modern automated workflow looks like this. Project or procurement teams upload the documents they already have: statements of work, technical specs, security questionnaires, vendor contracts, model cards. The system maps the project against the relevant regulations and frameworks, produces an impact assessment and identifies specific risks: algorithmic bias in protected categories, prompt injection, drift, training-data leakage. It proposes mitigating controls (human-in-the-loop requirements, drift monitoring, red-team cadence) and classifies the project into a risk tier on objective criteria. Where information is missing, it flags gaps and queries the project team. A human reviewer inspects the draft, adjusts and approves.

The committee still approves. But it is now reviewing a high-quality first draft produced by a system that has actually read the documents, not a blank template handed to a busy clinician.

Three Principles For The Next Era

Automate The Low-Stakes And The Highly Technical

Risk assessment should be a continuous service, not a meeting. Automated review verifies data management, safety controls and de-identification standards in minutes. It also functions as a real-time coach, educating teams on AI regulation as they work. The committee gets back the time it was spending on SOC 2 reports and data-flow diagrams.

Reserve The Committee For Strategic Decisions

When an organization is deploying hundreds of AI systems, most will be low-risk automations or administrative tools that meet automated safety thresholds. Those should pass through a verified automation lane. Committee time is better spent on decisions that define the organization’s ethical posture: autonomous diagnostic triage and high-stakes clinical decision support for health systems; the strategic logic of automated underwriting, prior authorization and claim adjudication for payers; and AI-driven drug discovery, digital-twin trial simulation and automated regulatory submissions for pharma. These need human judgment and organizational values, not a manual review of a vendor’s security attestation.

Shift To Continuous Life Cycle Management

Governance cannot be one-and-done. Models drift, vendors update, regulations change. An automated platform monitors deployed systems continuously and flags when a new federal or state rule, a CHAI update or a performance regression has changed the risk picture. Nobody should be relying on a project team to remember to call the committee two years after launch.

The Honest Constraint

Governance must be fast and cheap. Hiring large teams of consultants to do this work manually is too expensive, too slow and incompatible with the rate at which AI is being deployed. A realistic alternative is to use AI to govern AI, so that evidence-based evaluation at each stage of each project becomes the default rather than the exception. But that requires careful implementation and monitoring, as well as constant auditing. That is how healthcare leaders focus on the strategic questions that define the future of medicine, while keeping every system in their estate safe and defensible.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
Why Central AI Governance Committees Are Failing Healthcare—And Their Fix














