Skip to content

What Happens Without Governance

The risks of ungoverned generative AI in healthcare are specific, real, and increasingly visible to regulators.

Patient Data Enters Third-Party AI Systems

When clinical staff paste patient information into ChatGPT, Copilot, or other AI tools, that data may be used for model training, stored in third-party infrastructure, or accessible to the provider. Under GDPR Article 28, this requires a Data Processing Agreement. Under DSPT, it requires documented controls. Most organisations have neither.

Hallucination in Clinical Contexts

Generative AI hallucinates — it produces confident, plausible, incorrect outputs. In administrative contexts this is an inconvenience. In clinical contexts, it's a patient safety risk. Without governance, there's no systematic way to ensure AI-generated clinical content is reviewed before use. DCB0129 requires this risk to be formally assessed.

EU AI Act GPAI Obligations (Article 53)

The EU AI Act's General Purpose AI (GPAI) provisions (Article 53) impose obligations on organisations deploying GPAI models in high-risk contexts. Healthcare is explicitly high-risk under Annex III. Organisations using GPT-4, Claude, or Gemini in clinical workflows may already be in scope — and the August 2026 deadline is approaching.

Shadow AI and Ungoverned Adoption

Staff find ways to use tools that make their work easier. Without a governance framework, AI adoption goes underground — ungoverned, unmonitored, and invisible to your security and compliance teams. Shadow AI creates data governance gaps that are extremely difficult to remediate after the fact.

CONTENTS

AI ACCEPTABLE USE
TOOL ASSESSMENT
RUNTIME CONTROLS
TRAINING

AI Acceptable Use Policy

A meaningful AI acceptable use policy goes beyond "don't put patient data in ChatGPT." It defines which tools are approved for which use cases, what data classifications can be used with which tools, who can approve exceptions, and how incidents are reported. We help organisations build policies that are practical enough for staff to actually follow — and specific enough to provide real protection.

AI Tool Assessment & Approval

Before any AI tool is used with sensitive data, it should be assessed: What data does it process? Where is it stored? Is a DPA in place? What are the terms of service? Does it train on your data? We build structured assessment processes so new AI tools go through the right checks before reaching clinical staff — not after a data incident.

Runtime Policy Enforcement

Policy documents don't stop data from leaving the organisation. Runtime controls do. We implement technical governance layers — including the open-source Raigo standard — that enforce your AI policies at the point of use. Every AI interaction is evaluated against your rules before it executes. Violations are logged, blocked, or flagged for human review.

Staff Awareness & Training

The most sophisticated technical controls fail if staff don't understand the risks. We design healthcare-specific AI awareness programmes that explain the real risks in terms clinical and operational staff understand — not abstract compliance language. Training covers: what not to put in AI tools, how to spot hallucinated content, and how to report concerns.

Why Choose Our Approach?

PRACTICAL GOVERNANCE

We build governance that staff actually follow — not a policy document that sits in a drawer. Proportionate, clear, and operationally realistic.

RUNTIME CONTROLS

Technical governance enforced at the point of use via the open-source Raigo standard. Policies that work even when staff don't remember them.

REGULATORY MAPPED

Everything maps to DSPT, DTAC, GDPR, and EU AI Act obligations. Evidence your compliance team and commissioners can rely on.

OPEN SOURCE STANDARD

Built on Raigo — our open-source AI governance standard. Transparent, auditable, and freely available. No vendor lock-in.

Frequently Asked Questions

We already have a data protection policy. Does that cover AI? minus-icon

Almost certainly not in sufficient detail. Most existing data protection policies were written before generative AI existed and don't address the specific risks — third-party model training, hallucination, GPAI obligations, or the difference between using an AI tool as a data processor versus a controller. A gap analysis is the right starting point.

Do we need to tell patients when AI is used in their care? plus-icon
What is Raigo and how does it help with Gen AI governance? plus-icon
Where do we start? plus-icon

Latest Insights

How to Get Cyber Essentials Plus Certified as an NHS Supplier

How to Get Cyber Essentials Plus Certified as...

The Periculo Process for NHS Suppliers Cyber Essentials Plus (CE+) is the audited tier of the Cyber Essentials scheme, a...

The Cyber Resilience Pledge

The Cyber Resilience Pledge

On 7 July 2026, more than 60 UK businesses, including M&S, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte, Acce...

What Do You Actually Need to Supply to the NHS? The Cyber Essentials Requirements Explained

What Do You Actually Need to Supply to the NH...

If you supply products or services to the NHS, cyber security is no longer something you can address after winning a con...

Do You Need Cyber Essentials to Work with the NHS?

Do You Need Cyber Essentials to Work with the...

Cyber Essentials has been a baseline requirement for NHS suppliers for several years, embedded across frameworks includi...

Threat Report 182

Threat Report 182

In this week’s report: Russian intelligence services have escalated their long-running campaign against Signal users, no...

NHS Supply Chain Cyber Security Requirements June 2026: What Suppliers Must Do Now

NHS Supply Chain Cyber Security Requirements ...

NHS Supply Chain (NHSSC) has issued its latest cyber security guidance for suppliers in June, and the message is clear: ...

The EU AI Act's: Article 15

The EU AI Act's: Article 15

Most organisations think about AI risk in terms of bias, explainability, or data governance. Cybersecurity is treated as...

The EU AI Act Deadline

The EU AI Act Deadline

On 2 August 2026, the EU AI Act (Regulation (EU) 2024/1689) becomes fully applicable for the vast majority of organisati...