
In the Race to Close Governance Gaps, Visibility Becomes Healthcare's Gold Standard

AI Data Press - News Team | February 20, 2026

Chris Notaro, CEO of Untangle Health, offers healthcare leaders a framework for getting a handle on shadow AI, vetting technology vendors, and regaining control of the innovation roadmap.


Key Points

  • The rapid adoption of AI in healthcare is outpacing governance, leading to a predictable series of challenges with security, compliance, and leadership.

  • Chris Notaro, Co-Founder and CEO of Untangle Health, explains that friction often begins with accountability sprawl in the C-suite and the rise of unsanctioned shadow AI used by employees.

  • He provides a framework for leaders to regain control by focusing on visibility as a key metric, properly vetting vendors, and asserting their data rights independent of their EHR vendor.

The infrastructure in healthcare wasn't equipped to handle the previous waves of digital transformation. It's definitely not ready to handle the massive tidal wave of AI.

Chris Notaro

Co-Founder and CEO
Untangle Health


Healthcare's rush to adopt AI is outpacing its ability to govern the technology, creating a predictable pattern of failures. With an infrastructure already strained by previous technology waves, health systems now face rogue AI adoption by clinicians, accountability sprawl in the C-suite, and a heightened risk of compliance and security breaches.

Working to find solutions to this series of problems is Chris Notaro. He's the Co-Founder and CEO of Untangle Health, a consultancy that helps technology companies scale in the health sector. Notaro draws on more than a decade of experience moving technology through healthcare systems, from his foundational work implementing Epic to an early leadership role at Redox where he was influential in redefining how health data is exchanged. He has a direct view of the friction between technology and its practical adoption in healthcare.

"The infrastructure in healthcare wasn't equipped to handle the previous waves of digital transformation. It's definitely not ready to handle the massive tidal wave of AI," Notaro says. He explains that healthcare has historically lagged in technology adoption, and this latest advance has happened faster than any in the past, compounding the industry's technical debt.

  • Too many chiefs: According to Notaro, the adoption challenges caused by the AI wave often begin in the C-suite. As organizations scramble to react, they add niche leadership roles that can inadvertently paralyze decision-making and create a vacuum where accountability dissolves. "The addition of C-level specialty roles is important, but it also sprawls accountability for key areas like innovation, compliance, and preventing the misuse of technology. This becomes a huge problem when organizational strategy hasn't caught up to how employees are actually trying to use the tools to do their jobs."

  • The committee trap: Notaro encourages board-level leaders to tightly define roles and responsibilities around AI governance and policy. "They need to ensure there's a single person who is accountable. It cannot be a committee, because accountability by committee means accountability by nobody." Governance gaps like those Notaro describes can allow unsanctioned shadow AI to thrive, increasing security risks from tools leaders don't even know are in use.

Once the accountability vacuum has been closed, the next step is mapping and addressing specific areas of risk. Notaro highlights a simple but powerful framework for categorizing these distinct threat vectors, separating them into three macro groups.

  • Shades of risk: "First, there are the sanctioned AI tools you use internally. Second, there are the unsanctioned tools your employees use." He points out that most of the tools in this group are not being used with malice, but rather by practitioners trying to do their jobs with the best technology available. Unfortunately, it massively increases an organization's attack surface. "Third, there's AI you develop for customers, which creates liability for its performance and what it communicates to your patients."

To overcome such diverse and far-reaching threats, Notaro advises leaders to focus on visibility. In his perspective, a clear, quantifiable understanding of every tool and data flow within an organization's ecosystem is a more effective measure of AI governance than traditional ROI.

  • Flying blind: A compelling case in point is the Log4j crisis from several years ago. Though the event wasn't related to AI, it revealed the profound risks of poor visibility and existing infrastructure gaps. "So many health systems at that time were relegated to calling vendors one by one and asking them if they were impacted by this vulnerability, and then just sort of having to take their word for it," Notaro recalls. "The lack of visibility there was really astounding."

  • An open door: A focus on visibility represents a critical shift in mindset, moving beyond financial metrics to prioritize operational awareness and security. "When I think of a metric of success on AI governance, the number one thing I'm looking at is the level of visibility in the organization," he says. "Any percentage of visibility you lack is a front or back door being left wide open."

That same lack of visibility often extends to the vendor marketplace. On a trade show floor where hundreds of companies have "AI" in their name, the challenge for healthcare leaders is finding an effective way to cut through the noise. Notaro cautions that even many credible best-in-class lists can be misleading. "There are a select number of companies listed that either directly paid for that spot or there's a business incentive to include them on that list," he reveals. He offers a two-part method to identify viable long-term technology partners.

  • Tech or service: "The first question I ask, to understand a vendor's core differentiation, is: is this a unique, proprietary technology, or is it a service process wrapped up to look like one?" He notes that there's nothing inherently wrong with the latter, but it's important for leaders to understand from the start whether they're evaluating a technology or a process.

  • The rolodex test: The next factor Notaro evaluates is distribution. A strong client list is a green flag because it suggests the vendor has navigated complex integrations and has a sustainable business model. "I'm trying to pick partners that not only benefit my organization, but have the best chance of being here in five or ten years."

  • Two to win: Notaro acknowledges that distribution alone isn't enough, because a poor product can still make its way into the market. "That’s why I look for both: real, differentiated technology combined with a distribution model that proves the company can be a sustainable market presence." The two-part test provides a practical shortcut for busy executives looking to cut through the hype of vendor claims.

When it comes to regaining control of the innovation roadmap, Notaro says a persistent industry myth is partially to blame. "The biggest myth in AI governance is that you can only do what your EHR vendor allows." He often sees health systems decline to work with a new technology provider because their EHR partner advises against it, viewing the newcomer as competition. "The EHR company holds all the keys to the kingdom," he says. He reminds leaders that legislation prohibits information blocking, which is any practice likely to interfere with the access, exchange, or use of electronic health information. Being willing to act on this knowledge is what sets the field's technological leaders apart. "The top 20%, the destination and most technologically savvy health systems, refuse to wait for their EHR to bless something before they act. They know their operational reality better than the EHR company ever will," he says. "They aren't willing to wait for a vendor to dictate their innovation pathway."