The Pace Problem: Why Clinical AI Is Advancing Faster Than Every System Built to Govern, Insure, or Defend It — and What Exists Right Now to Close the Most Dangerous Gaps
WHITE PAPER
Michael Tekely, AAI
Founder, Malpractice Insurance & Clinical Risk Management Academy, LLC
Developer, CARAF V3.2 — Clinical AI Reasoning and Accountability Framework
Developer, CAFRE V10 — Clinical AI Forensic Reconstruction Engine
June 2026
Executive Summary
Clinical artificial intelligence is not arriving. It has arrived. Seventy-five percent of United States health systems are now using at least one AI application, up from fifty-nine percent a year earlier.[1] Half of those health systems are running three or more AI tools simultaneously.[1] The buying cycle for clinical AI has compressed from eight months to under seven.[2]
The governance, insurance, legal, and documentation systems that were supposed to accompany this deployment have not kept pace. They are not close to keeping pace. And the institutions that are deploying AI at this speed — the health systems, the Epic implementations, the Wolters Kluwer integrations, the ambient scribe deployments, the diagnostic AI tools — are doing so in an environment where no policy form was designed for them, no defense attorney has a structured protocol for what to request in discovery, and no claims examiner has a reliable method for reconstructing what the AI did in a specific clinical encounter.
This white paper makes three arguments:
The pace of clinical AI adoption has structurally outrun every system built to govern, insure, and defend it — and that gap is not closing on its own
The institutions most exposed to this gap — health systems, MPL carriers, and defense attorneys — are not yet aware of the specific forensic, coverage, and documentation failures they will face when the first significant wave of AI-assisted malpractice claims arrives
Specific tools exist right now that can meaningfully reduce that exposure — not as a complete solution, but as the most defensible infrastructure currently available to any of the three audiences this paper addresses
This is not a theoretical concern. The first data points in the litigation curve are already visible. What follows is a framework for understanding the problem and a description of what can be done about it today.
I. The Pace of Adoption Has Outrun Every Governing System
The scale of clinical AI deployment in 2026 is not gradual. It is a step change.
75% of U.S. health systems now using at least one AI application [1]
50% running three or more AI tools simultaneously [1]
66% of physicians now using health AI — up from 38% in 2023 [3]
These numbers describe adoption, not governance. The same research that documents AI’s rapid spread consistently identifies a parallel reality: the frameworks built to ensure that AI performs safely, predictably, and accountably are not keeping up.
Epic Systems — the dominant EHR platform in the United States with over thirty-five percent of hospital market share — has embedded AI throughout its clinical workflow, including an ambient documentation system built in partnership with Microsoft and OpenAI.[4] Epic describes AI as “healthcare’s most transformative area” and has moved to position itself not as an EHR company but as the operating system of healthcare.[5] That positioning is accurate. It also means that when AI embedded in Epic’s workflow influences a clinical decision that results in patient harm, the forensic reconstruction of that event will require understanding not just what Epic recorded, but what the AI layer within Epic did, which version was active, what it recommended, and whether it performed within its marketed standard.
Wolters Kluwer’s own 2026 research acknowledges the core tension: “while AI is showing up everywhere in healthcare, trust is struggling to keep pace.”[6] The company that publishes UpToDate — the point-of-care clinical resource that physicians consult daily — is watching AI enter clinical workflows faster than the evidentiary and governance infrastructure can follow.
This is not a criticism of Epic or Wolters Kluwer. They are responding rationally to market demand. It is a description of a structural condition: the institutions deploying AI are moving faster than the institutions designed to govern, insure, and defend those deployments.
THE PACE GAP — KEY DATA POINTS
Health systems have shortened average AI buying cycles from 8.0 months to 6.6 months — an 18% acceleration. [2]
50% of health systems now run three or more AI applications simultaneously. [1]
The fastest-growing deployment categories in 2026 are ambient documentation, clinical decision support, and prior authorization tools — all of which directly influence clinical decisions and the medical record. [1]
Governance frameworks, insurance policy language, and legal defense protocols have not moved at comparable speed.
II. The Three Institutions Most Exposed — and Why
Health Systems and Their Risk Managers
Health systems are deploying AI tools in clinical workflows without the governance infrastructure to answer the questions that litigation will eventually require them to answer. A Director of Claims and Litigation at one of the largest academic health systems in the country recently described his institution’s current posture as essentially agnostic: he does not yet know what a plaintiff attorney will subpoena, the legal entity structure creates genuine ambiguity about where liability attaches, and nobody has forced the question.
That is not an isolated observation. The Joint Commission, in collaboration with the Coalition for Health AI (CHAI), released the Responsible Use of AI in Healthcare (RUAIH) framework on September 17, 2025 — the first formal governance guidance from a U.S. accreditation body for clinical AI adoption. The framework establishes seven core elements healthcare organizations must address:[7]
AI Policies and Governance Structures — formal oversight including clinical, operational, IT, compliance, and safety representation; lifecycle management of AI tools from selection through retirement
Patient Privacy and Transparency — disclosure to patients when AI directly impacts their care; consent where appropriate; transparency to staff about data use and AI’s role in decision-making
Data Security and Data Use Protections — encryption, strict access controls, regular security assessments, and contractual safeguards even where HIPAA’s technical requirements do not apply
Ongoing Quality Monitoring — pre- and post-deployment validation, performance monitoring in local context, bias evaluation, vendor feedback loops, and risk-based tracking of adverse events
Voluntary, Blinded Safety Reporting — confidential reporting of AI-related safety events to independent entities such as Patient Safety Organizations
Risk and Bias Assessment — evaluation of AI tools for risks and biases across populations and use cases, with ongoing monitoring across the full AI lifecycle
Education and Training — role-specific training and AI literacy for staff and providers, including documentation of intended use and limitations
The RUAIH framework is currently guidance, not a regulatory mandate. But The Joint Commission accredits more than 22,000 healthcare organizations nationwide and has announced a voluntary AI certification program building on these seven principles. Organizations lacking governance structures aligned with these elements face heightened legal exposure if AI systems produce adverse outcomes — and most health systems currently deploying AI do not meet this standard.
The specific infrastructure gap that will define the first generation of AI malpractice claims is not about policy or procedure. It is about the medical record itself. The EHR audit trail — which captures who accessed a chart, who entered information, and when — was not designed to capture the AI layer. It does not record which version of the AI tool was active at the moment of the clinical encounter, what the tool recommended for that specific patient, whether the clinical note was authored by the clinician or generated by an ambient scribe, or whether the clinician’s reasoning was independent of the AI output or absorbed from it.
MPL Carriers and Their Underwriters
Medical professional liability carriers are writing clinical AI exposure under policy language that does not know clinical AI exists. The MAG Mutual Medical Professional Liability Policy — representative of what the majority of physician policyholders carry — was last substantively revised in 2015. The words “artificial intelligence” appear nowhere in the form. The coverage trigger, the incident definition, and the duty-to-defend language were all written for a world in which physicians made clinical decisions using their own judgment, with reference tools, and with the occasional consultation. None of that language was designed for a world in which an AI tool influences the clinical finding before the physician’s independent review occurs.
A senior wholesale broker appointed with more than fifty MPL carriers spent approximately six months asking every carrier she worked with how they are contemplating AI-related exposures in their policy forms. She found one MGA — one, out of more than fifty — that has incorporated affirmative AI coverage language into its medical professional liability product. Every other carrier in her market either offers no meaningful AI language or is discussing endorsements that have not yet been implemented.[8]
The four-policy void — MPL, Cyber, CGL, and Tech E&O each designed to cover different aspects of the risk, each pointing at the others when an AI-related claim arrives — means that a health system with all four policies in force may have no clear coverage path for an AI-assisted adverse event. ISO endorsements CG 40 47 and CG 40 48, effective January 2026, have quietly removed general liability coverage for generative AI-related bodily injury at renewal, narrowing the field further.[9]
Defense Attorneys
The defense bar is not building the infrastructure it needs for AI-assisted malpractice litigation. It is using AI to review medical records faster — which is a plaintiff tool as much as a defense tool — while the structural problem of defending AI-assisted encounters without an audit trail remains unaddressed.
The operating assumption in the defense bar is that the physician is still the focal point of liability and that traditional malpractice standards apply. That assumption is correct under existing law. It is also the source of the problem. If the standard is whether the clinician acted reasonably, and the record cannot prove whether the clinician engaged with the AI output at all, the defense has no evidence to work with. The reasonable physician standard requires proof of reasoning. AI-assisted encounters produce no such proof by default.
A managing partner at a healthcare defense firm today has no structured protocol for what to request at first notice of loss when AI is in the record. No checklist for evaluating AI tool version documentation. No framework for assessing whether the execution truth record is complete or has been reconstructed after the fact. No standard for identifying systemic exposure when a single AI tool failure may have affected hundreds of patients before the first claim was filed.
III. The Litigation Curve Is Already Visible
The argument that clinical AI governance can wait for the litigation wave to arrive before building the infrastructure is no longer supportable. The first data points are already present.
A fourteen percent increase in diagnostic AI malpractice claims has been documented in current reporting
A federal discovery order in the UnitedHealth nH Predict prior authorization litigation has compelled production of AI governance records — establishing that courts will reach into AI system documentation when claims arise
A class action alleging lack of meaningful consent for ambient AI documentation has been filed against major health systems in federal court
Pennsylvania enforcement authorities have taken action against a chatbot that posed as a licensed psychiatrist, establishing state-level enforcement appetite
Alibaba’s own researchers documented an experimental AI agent that, during training, autonomously created a covert communication channel, bypassed a firewall, and redirected computing resources — without any instruction to do so — and described their safety guardrails as “markedly underdeveloped”[10]
That last point is not about clinical AI directly. It is about the nature of the technology. An AI system can develop behaviors during training that are not reflected in the version documentation. The version number does not tell you what the model learned to do. For clinical AI, that means the documentation standard for deployment approval is insufficient without evidence of training behavior — a gap that no current governance framework has fully closed.
The litigation wave is not a prediction. It is a forecast based on evidence that is already accumulating. The institutions that build the forensic and governance infrastructure before the wave arrives will be in a fundamentally different legal and financial position than those that wait.
IV. What Exists Right Now to Close the Most Dangerous Gaps
This section does not describe a complete solution. It describes the most defensible infrastructure currently available to health system risk managers, MPL carriers, and defense attorneys who want to reduce their exposure before the litigation wave arrives. The honest framing is this: no single framework, tool, or checklist closes every gap. But several specific instruments address the gaps that matter most, and their absence is demonstrably indefensible.
For Health System Risk Managers
The most important single action a health system risk manager can take today is conducting a clinical AI governance assessment against a structured framework before the next AI tool goes live. The CARAF Procurement Checklist — 108 questions across nine governance layers, with a Green/Yellow/Red scoring output — is the first instrument built specifically to answer the question an institution needs answered before deployment: does this AI tool create materially different risk, and can that difference be documented?
The checklist cannot prevent every adverse event. It can ensure that the governance documentation exists to demonstrate that the institution exercised due diligence in procurement, that the clinician training and competency documentation is in place, and that the version control and change management process was established before the first patient encounter. Those three elements alone change the defensive posture of a health system in litigation.
The CARAF Clinical AI Claims Triage Tool provides the first-response investigation framework for when an AI-assisted adverse event is reported. It walks a risk manager through a 108-item investigation checklist across eight phases, surfaces the coverage question across all four policy lines at the moment the file opens, and includes a clinician consent form library with risk profiles across fifty-three specialties.
For MPL Carriers
The most immediate action available to an MPL carrier is building clinical AI governance assessment into the submission and renewal process using a structured tier classification and critical override trigger framework before the loss experience makes the differentiation unavoidable.
CARAF classifies clinical AI deployments into four tiers: Administrative and Operational AI, Clinical Decision Support, Embedded Diagnostic AI, and Autonomous or Semi-Autonomous AI. A health system operating Tier 3 or Tier 4 AI without governance documentation at each layer represents materially different risk than a health system operating Tier 1 tools only — even if their specialty mix, claims history, and volume are identical. The current market prices them the same.
Six Critical Override Triggers identify governance failures severe enough to warrant underwriting action regardless of tier: no FDA clearance documentation, no clinician training records, no version control process, AI output indistinguishable from clinician-generated documentation, no escalation protocol, and no post-incident reconstructability. Any single trigger present at submission represents a material underwriting concern. CO-4 and CO-6 represent conditions under which defense of an AI-related adverse event claim is structurally compromised before the claim is filed.
The CARAF/CAFRE Insurance Value Translation Brief translates this governance architecture into direct underwriting, claims, and reserving implications for carrier leadership.
For Defense Attorneys
The defense bar’s most urgent need is a first-notice-of-loss protocol specifically designed for AI-assisted adverse events. The CAFRE — Clinical AI Forensic Reconstruction Engine — is the only architecture currently built to generate an Execution Truth Record rather than a reconstructive proof narrative. The distinction is legally significant: a record generated before litigation was contemplated cannot be characterized as self-serving post-event reconstruction. A record assembled after the claim arrives always can be.
CAFRE guides defense counsel through a structured seven-step forensic intake: case creation and mode selection across three privilege modes, AI system documentation, source document upload with SHA-256 hash chain for tamper evidence, AI interaction logging with temporal validity analysis, integrity verification, report generation, and intake locking. The Cognition Gate — a five-state forensic determination of whether a clinician demonstrably engaged with AI output — is the instrument that answers the question the plaintiff attorney will ask: can you prove the physician’s reasoning was independent of what the AI said?
Without that record, the defense is working from a medical record that was never designed to answer the questions AI litigation will ask. With it, defense counsel has an execution-bound narrative before the first deposition.
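A minimal sketch of the SHA-256 hash chain, integrity verification, and intake locking steps named above, added here as an illustration; it is not CAFRE's code. The record fields (tool_version, note_author, clinician_action) and all sample values are constructed assumptions that mirror the gaps in the EHR audit trail described in Section II.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry in a chain


def entry_digest(seq, prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so that the same
    # record always serializes, and therefore hashes, identically.
    body = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_entry(chain, record):
    """Append a record, binding it to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "prev": prev_hash, "record": record,
             "hash": entry_digest(seq, prev_hash, record)}
    chain.append(entry)
    return entry


def document_record(name, content):
    """Log a source document by its SHA-256 digest, not by its content."""
    return {"type": "source_document", "name": name,
            "sha256": hashlib.sha256(content).hexdigest()}


def verify_chain(chain, sealed_head=None):
    """Return the index of the first entry that fails, or None if intact.

    sealed_head is the final hash recorded when the intake was locked.
    It must be kept where the log's writer cannot alter it; otherwise
    someone who rewrites the whole chain can also rewrite the seal.
    A seal mismatch is reported as index len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = entry_digest(i, prev, entry["record"])
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    if sealed_head is not None and prev != sealed_head:
        return len(chain)  # chain truncated, extended, or fully rewritten
    return None


def build_sample_intake():
    """Constructed sample: one document, one AI interaction, one lock."""
    chain = []
    append_entry(chain, document_record("progress_note.txt",
                                        b"constructed note text"))
    append_entry(chain, {
        "type": "ai_interaction",
        "logged_at": "2026-01-15T14:02:00Z",      # constructed timestamp
        "tool": "example-cds",                    # hypothetical tool name
        "tool_version": "2.3.1",                  # version active at encounter
        "recommendation": "constructed recommendation text",
        "note_author": "ambient_scribe",          # clinician vs. AI authorship
        "clinician_action": "overrode",           # engagement with AI output
    })
    append_entry(chain, {"type": "intake_locked"})
    return chain, chain[-1]["hash"]  # the head hash acts as the seal


if __name__ == "__main__":
    chain, head = build_sample_intake()
    print("intact:", verify_chain(chain, head) is None)
    chain[1]["record"]["tool_version"] = "2.4.0"  # after-the-fact edit
    print("first failing entry:", verify_chain(chain, head))
```

Editing one entry after the fact breaks that entry's hash, and recomputing that hash breaks the link from the next entry, so a change cannot be hidden without rewriting everything after it and the separately held seal.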
V. What This Body of Work Is — and What It Is Not
The instruments described in this paper were built by one person: a clinical risk manager and MPL insurance professional with twenty years of carrier-side experience specializing in physicians and surgeons, and five and a half years as a Healthcare Risk Manager at Duke University Health System — conducting M&M reviews, root cause analyses, ED liaison work, pharmacy safety reviews, and adverse event reconstruction within a captive insurance structure. That combination of credentials does not exist anywhere else in this space.
But credentials are not a substitute for honesty about what these instruments are and are not.
WHAT THIS BODY OF WORK IS AND IS NOT
These instruments are not the silver bullet. Clinical AI governance is a multi-institution, multi-regulatory, multi-carrier problem that no single framework fully solves.
They are not software yet. CAFRE is a Next.js application awaiting production deployment — HIPAA-compliant, multi-tenant, EMR-integrated. That engineering work requires resources not yet secured.
They are not legal advice. Every checklist, framework, and reconstruction tool described here should be reviewed by qualified legal counsel before deployment in a specific institutional context.
They are, however, the most complete forensic and governance infrastructure currently available to any of the three audiences this paper addresses. Their absence is demonstrably indefensible. Their presence creates a forensic posture that does not otherwise exist.
The institutions that will be least prepared for the AI malpractice wave are not the ones that tried something imperfect. They are the ones that waited for a complete solution that never arrived while the exposure accumulated.
The pace of clinical AI adoption is not slowing. The governance, insurance, and legal systems designed to accompany it are not catching up on their own. The instruments described in this paper exist today. They are available today. And the window to build the forensic infrastructure before it is needed in litigation is closing.
How to Engage
The instruments described in this paper — the CARAF Procurement Checklist, the Clinical AI Claims Triage Tool, CAFRE, and the Insurance Value Translation Brief — are available now. They were built for the three audiences this paper addresses, and they are the most complete clinical AI forensic and governance infrastructure currently available to any of them.
If you are an MPL carrier or underwriting leader who wants to build clinical AI governance assessment into your submission and renewal process, the Insurance Value Translation Brief describes a tiered engagement structure starting with a no-cost thirty-minute scoping conversation.
If you are a health system risk manager or administrator who wants to assess your current clinical AI governance posture before the next tool goes live, the CARAF Procurement Checklist is the right starting point.
If you are a defense attorney or MPL claims professional who wants a structured first-notice-of-loss protocol for AI-assisted adverse events, CAFRE is the instrument built for that work.
If you are a software or AI engineer who sees the deployment opportunity that this paper describes and wants to discuss the production build of CAFRE — including an equity conversation — that door is open.
Every conversation begins the same way: with an honest assessment of where the gap is, what exists to close it, and what the right next step is for your specific situation.
Michael Tekely, AAI — mikepackman135@gmail.com — aiandtheoath.substack.com — linkedin.com/in/michaeltekely
REFERENCES
[1] Eliciting Insights, AI Adoption Survey, February 2026 (120 U.S. health systems). Reported by Fierce Healthcare, March 2026.
[2] Menlo Ventures, 2025 State of AI in Healthcare, March 2026.
[3] American Medical Association, 2026 Physician Survey on Augmented Intelligence. Reported by CM&F Group, April 2026.
[4] The Advisory Board, Epic Annual Meeting Coverage, August 2025.
[5] Epic Systems Corporation, AI for Clinicians, epic.com, 2026.
[6] Wolters Kluwer, 2026 Future Ready Healthcare Survey, June 2026.
[7] Joint Commission and Coalition for Health AI (CHAI), Guidance on Responsible Use of AI in Healthcare (RUAIH), September 17, 2025. Seven core elements sourced from Pearl Cohen legal analysis, October 2025. Full guidance at jointcommission.org.
[8] Direct market intelligence from a senior wholesale broker appointed with 50+ MPL carriers, May 2026. MGA identity withheld at source’s request.
[9] ISO Endorsements CG 40 47 and CG 40 48, effective January 2026, removing CGL coverage for generative AI-related bodily injury.
[10] Alibaba ROCK/ROLL/iFlow/DT research teams, ROME technical paper, December 2025, revised January 2026. Reported by The Block, March 2026.
NOTICE OF PROPRIETARY CONTENT
This white paper and all frameworks, methodologies, and derivative works described herein — including CARAF and CAFRE — are proprietary and confidential. This material may not be reproduced, redistributed, summarized for redistribution, or used for AI training purposes without the express written permission of Michael Tekely, AAI.
© 2026 Michael Tekely, AAI. All rights reserved.
