The Chief AI Officer Mandate
Why Healthcare AI Needs a Single Point of Ownership
First published in The AI Health Pulse. Also on LinkedIn.
A 600-bed academic medical center purchases an AI tool that predicts sepsis. The CIO of the center plans the integration of the tool with the EHR. The chief medical officer (CMO) of the center contracts the national vendor to allow the sepsis prediction tool to generate outputs into the inpatient workflow. The information security team passes the integration in its technical review. The legal team of the center conducts a final review of the business associate agreement (BAA) and signs it. A clinical operations director of the center develops order set logic using the scoring system to generate a workflow alert. After the sepsis tool is implemented, its predictions begin to drift. As a result, there is an alarming increase in the false sepsis alerts generated by the tool, and unit nurses begin to override the alerts with no documented clinical reason. One clinical unit reports a near-miss event due to alert fatigue, as the tool consistently masked the clinical presentation of sepsis.
The post-event review starts, and the reports begin to come in one by one. Each report begins with a justified response. Legally, the CIO can justify that the integration is functioning. The CMIO is able to justify that the order set logic was signed and is functioning at the time of go-live. The information security team is able to justify that there was not a data breach. The legal team is able to justify that a contract was signed. The vendor is able to justify that the model is functioning within the constraints of the training data of the model. Each report is consistent from an internal perspective. However, each report is completely self-sufficient and does not answer the question of why alerts were repeating and caused a near-miss event. The model remains in place because no one in the organization can stop the model, retrain it, renegotiate it, or is required to report the use of the model to the committee. That vacant position is the Chief AI Officer.
Why the Previous Org Chart is Inefficient
The CIO owns the infrastructure. The CMIO oversees clinical informatics. The CISO oversees information security. The CDO oversees data. All of these roles touch on some aspect of the model lifecycle. However, none of these roles oversee the model lifecycle. Overseeing the model lifecycle requires a different leadership role than what the EHR era produced. Most health systems struggle to find that role in an organization designed for systems that were set up once and run without any changes to behavior.
The 2024 edition of the Trustees Toolkit on Artificial Intelligence (AI) in Health Care from the American Hospital Association identified the absence of the most senior leader for AI among health systems as the most significant remaining gap in the use of AI in health care. The ECRI Institute placed a lack of effective oversight of AI in health care as its 5th most important health technology concern for 2024 and subsequently placed AI in health care applications as its most important concern for 2025. In the HTI-1 final rule, the Office of the National Coordinator (ONC) prioritized the definition of the most senior leadership role among all design decisions. The Agency for Healthcare Research and Quality (AHRQ) patient safety reports advocated for an assertion of absolute safety followed by the post verification and ongoing monitoring of iterative safety modifications.
An organizational design for the electronic health record (EHR) will be obsolete in short order. EHRs are designed for passive use. Models are not. Drift is always lurking, as the patient population, procedural documentation, and upstream data sources inevitably shift. The drift caused by routine updates goes unacknowledged in vendor release notes. EHRs and data can shift drastically and without warning. Each EHR and data source inevitably shifts. It requires a continual process to define and bound the scope. The position must have the authority to oversee the process in its entirety, one piece at a time. Only then can the system fill the void described in the sepsis-tool report.
What the CAIO Must Own
Six responsibilities arise from the CAIO mandate. The first is the definition of the portfolio strategy. This encompasses the model choices of the health system, the rationale for the clinical or operational stance, model retirement, and the rotations. The second responsibility is the analysis done prior to deployment. This analysis must incorporate local data and address inequity resulting from the data of the vendor. The third responsibility is the assessment of model drift, the performance of the model, and the equity of the outcomes. This assessment must be done on a regular basis, and the methodology must be resilient to staff changes. The fourth responsibility is the negotiation of the contract with the vendor, including the definitions of model change, model pause, and performance shift, and the role of the vendor when a model fails. The fifth responsibility is the upskilling of both the operational and clinical workforce. The goal is to enable the workforce to effectively use the models employed by the system to the fullest, rather than build ways to work around the models. Lastly, the CAIO decides the content, depth, timing, and methodology of the reports to the Board, including which topics are off-limits for the discretion of the Board.
Splitting these six among four senior leaders does not work when no one is left to give an answer. On combining them under one senior leader, the Coalition for Health AI Blueprint v1.0 speaks to portfolio coherence, lifecycle stewardship, and engagement with the board. The augmented intelligence policy of the American Medical Association states that the flight path for an AI malfunction cannot be a committee of any sort. The American Hospital Association clarifies the CAIO as the answer to the AI oversight issue the board has begun to develop and inquire about. The Robert J. Margolis Institute for Health Policy at Duke University has the CAIO framework as the most defensible construct in central AI governance for health systems.
A rhythm of work is part of the CAIO from the beginning. It is easy for a portfolio to drift when there is no monthly review. It is not the same to have CAIO oversight during board meetings as to have CAIO as a committee member. Having a pathway to report with written documentation to support the system provides an answer and ownership. Health systems trying to recruit a CAIO without the proper functioning rhythm will find that the responsibility will be seen as a part of the individual in that position and will cease to function when the individual is no longer in that position.
Where the CAIO Boundary Breaks
The CAIO boundary is the most rigid with the CMIOs. CMIOs manage the model clinician interface to a large extent and develop strong and close working relationships with clinicians. CAIOs do not hold CMIO positions. CAIOs will assume the portfolio-related tasks that the CMIO was unable to cover, yet will maintain the primary authority of the CMIO regarding the design of clinical workflows. The first model decision is the first test of strength. This first model decision will set the range of the authority of the CAIO for the next model decision. The failure to control the AI committees resulted in the creation of the Coalition for Health AI and Blueprint v1.0. This continues to be the case.
Next is information security. For the last fifteen years, health system Chief Information Security Officers (CISOs) have focused on building defenses against exfiltration, identity, and ransomware attacks. Unlike these defense challenges, AI will pose a completely new attack scenario. Prompt injection and adversarial attacks largely circumvent breach and security information and event management (SIEM) systems. Model exfiltration will be done under the guise of normal API usage, which will most likely be considered an acceptable use of the API. Security breaches due to supply chain attacks of foundation models will use elements the security team intended for different uses. Model security frameworks must now incorporate the risk of building blocks. The Coalition for Health AI Blueprint v1.0 considers model security and information security on a balanced policy stack, yet very few health systems have adopted these. The first AI security incident to be addressed by policy will be the incident that meets the most public outcry and will be the most difficult to defend. This is in stark contrast to the most defendable policy response of where AI security incidents will be addressed.
Changes have been made to how the CFO meetings are conducted. In 2026, several presentations by AI vendors will have CFOs anticipating and adjusting the projected AI cost savings, even before the AI vendor slides begin to load. One senior AI leader will prepare based on the AI vendor case and will have to deal with the discounts developed by CFOs, even before the AI case slides begin to load. The parts of the AI vendor case that will solidly convince the CFO will be largely absent from the vendor case. These parts will include the costs relating to an evolving patient population, the costs associated with constant surveillance of the models, and the costs associated with the supportive staff who possess advanced capabilities and deep organizational support. The research of the Robert J. Margolis Institute on strategic AI and the associated committee work demonstrates that CFOs are more likely to survive their first year on the committee if integrated finance is included as part of the committee. CFOs that observe a senior AI leader accurately predict three times will become their strongest supporters. Their support will most likely result in the extension of the budget cycle.
AI conversations often ignore issues of clinical quality, which are the most critical when an AI system fails. Chief Quality Officers include the review of safety events that include medication and surgical errors, as well as diagnostic delays. As described by the Joint Commission, RCA2 methodology places human, technological, and process gaps as causal, though they are separable. AI failures cannot be accommodated in gaps that are causally separable. While a medication error may involve a syringe and a label, as well as a note from the pharmacist, an AI failure would involve a model output, a data pipeline, and the clinician who viewed the output and took clinical action. A CQO who references their existing methodology and considers an event involving AI stops one step short of the gap in causality. The ECRI Institute, in ranking AI the number one threat for 2025, recognized the lack of attention to analysis of the post-deployment gap. Bridging the gap requires the CAIO and the CQO to investigate, in equal partnership, a modality most health systems have yet to implement.
The Mandate
The 2024 Trustees Toolkit on AI from the AHA has directed boards' attention on the senior AI question to four decisions on scope. These decisions delineate the relation of the role to the CIO and CMO, the reporting line, the ownership of function description, and the allocation of budget. These decisions scaffold the stature of the role. If any of the decisions is poorly made, the role is on a defined trajectory of diminished stature. A position with no budget is a reviewer. The role is a seat with no decision-making power on the initiatives to be funded because the title and budget require a request to be funded. If the reporting is through the CIO, the seat is a project manager. A role that bypasses the board line is a consultancy. The workforce is unable to provide the role the latitude to elevate the requests, so they cease to pay attention. Each health system that has taken one of the decisions on scope has spent two years in recovery as the workforce has lost confidence in the system after observing the first year and labeling the seat as unfulfilling.
The activities of an initial holder in the first quarter set the stage for the following three years. Chiefs who are intentional about clarifying and formalizing the inherited portfolio, lifecycle policy, board cadence, and escalation path in the first quarter will come to the first review of the quarter with documents and artifacts that the rest of the organization will be able to engage with. Those who use the first quarter for meetings come to the review with hardly anything more than stated intentions. Nine months later, artifacts will be either created and visible to the workforce or will be noticeably absent. The workforce will decide, without any official deliberation or discussion, if the title is hired for a purpose or functional. Coalition for Health AI Blueprint v1.0 explicitly states that lifecycle ownership comes first, and other artifacts will demonstrate that the first quarter will show the extent of lifecycle ownership.
During the first year, the shift will be from what should not occur to who answers when things go wrong. This concern will be anchored by the budget, access to the board, and charter. Depending on when and where the decision gets made, reports will continue to close with no answers, and no one will be authorized to change any of the shifting patterns. ECRI Institute recognized the same gap when AI became the number one issue in their 2025 concern list.
Context and Sources
This edition draws on positions from the American Hospital Association 2024 Trustees Toolkit on AI in Health Care, ECRI Institute Top 10 Health Technology Hazards reports for 2024 and 2025, the ONC HTI-1 final rule and accompanying technical documents, AHRQ patient safety publications on pre-deployment validation and post-deployment monitoring, the American Medical Association augmented intelligence policy, Coalition for Health AI Blueprint v1.0, NIST AI Risk Management Framework 1.0, the Joint Commission RCA2 methodology, and the Robert J. Margolis Institute for Health Policy at Duke University 2024 publication of AI oversight structures in health systems. Related editions are Your Board Will Ask About AI, The Incident Response Fallacy, Where Responsibility Breaks Down, and The Innovation Tax.
Christopher Hutchins Founder and CEO, Hutchins Data Strategy Consultants