Skip to content
All posts

Healthcare AI · July 4, 2026 · Masano Olivia · 7 min read

The FDA Is Regulating Less Clinical AI, and the Diligence Burden Just Moved to the Buyer

The FDA's January 2026 guidance narrows which clinical decision support tools it regulates. For health systems that used FDA clearance as a quality proxy, the evaluation burden now shifts to the buyer.

The FDA Is Regulating Less Clinical AI, and the Diligence Burden Just Moved to the Buyer
Share

The US Food and Drug Administration now intends to regulate less clinical decision support software, not more. On January 6, 2026, the agency published a revised final guidance on clinical decision support (CDS) software, re-issued on January 29, that widens the category of AI-enabled tools it will not treat as medical devices (strong evidence, formal guidance from a named regulator, FDA). For hospitals that have used an FDA marker as a free proxy for quality when buying clinical AI, the consequence is uncomfortable and clear. The share of decision-support tools carrying any regulator's stamp is set to shrink at exactly the moment adoption is accelerating, and the evaluation work the stamp used to signal now falls to the buyer. That burden lands heaviest in health systems that leaned on the proxy hardest, including much of Africa.

What actually changed on January 6

The statutory test did not change. Under section 520(o)(1)(E) of the US Federal Food, Drug, and Cosmetic Act, CDS software escapes the device definition only if it meets four criteria, including that it does not analyze medical images or signals and that it lets the clinician independently review the basis for its recommendations (strong evidence, statute and regulator guidance, FDA town hall transcript).

What changed is how the FDA will enforce one of those criteria. The 2022 version of the guidance read Criterion 3 narrowly, so software that produced a single specific recommendation, rather than a list of options, was treated as a regulated device. The 2026 revision announces enforcement discretion for tools that provide one clinically appropriate recommendation, provided the other criteria are met and a healthcare professional reviews, revises, and finalizes the output (strong evidence, regulator guidance, King & Spalding analysis). The guidance also clarifies that software drafting a summary of a radiologist's stated findings, including a specific guideline-based diagnostic recommendation for clinician sign-off, can fall outside device regulation, so long as it never analyzes the image itself (FDA town hall transcript).

Some boundaries held firm. Any function that analyzes medical images to generate diagnostic recommendations remains a regulated device, as do tools that interpret continuous physiologic signals (strong evidence, regulator guidance, American College of Radiology summary). The FDA also kept its warning about automation bias, underscoring that non-device CDS should not be used for urgent decisions where clinicians lack time to independently review a recommendation (King & Spalding).

Two pieces of context matter for reading the direction of travel. The guidance was issued as final without a prior public comment period, and FDA Commissioner Marty Makary framed it as cutting unnecessary regulation, previewing a risk-based AI framework that emphasizes post-market monitoring over premarket review and plans to retire a large share of the agency's digital health guidances (reported regulator statements, Arnold & Porter advisory). Legal analysts broadly agree the revision is a boundary clarification rather than a wholesale rewrite (Covington). Even so, the practical effect is that more AI-enabled CDS can now reach the market without any FDA premarket review.

Why the FDA's stamp carried extra weight outside the United States

A regulator's decision in Washington would matter less if every health system ran its own rigorous review. Most do not, and the evidence on this is consistent. A scoping review of medical device regulation across African countries found that national frameworks are commonly modeled on FDA and EU processes, that devices carrying international certifications are treated as trusted sources requiring no further scrutiny, and that pre-market testing and post-market surveillance are limited by funding, personnel, and technical capacity (moderate evidence, systematic scoping review, BMJ Global Health). A WHO review found that as of 2016 roughly 40 percent of countries in the African region had no medical device regulations at all (moderate evidence, WHO regional review reported in a peer-reviewed readiness assessment).

The picture is improving but not yet resolved. A 2026 analysis in Nature Health notes that no national medical device regulator in Africa has yet reached WHO maturity level 3, the benchmark for a stable and well-functioning oversight system, while pointing to the African Medicines Agency and the WHO's expansion of prequalification to AI-based medical devices as serious efforts to close the gap (moderate evidence, peer-reviewed policy analysis, Nature Health).

Put those facts together and the mechanism is plain. When reliance pathways point at the FDA, a narrowing of what the FDA reviews propagates outward. The proxy weakens most in the places that depended on it most. It is worth being honest that the proxy was never as strong as procurement habits assumed. FDA clearance is not FDA approval, it says nothing about CE marking or approval in Uganda or the wider region, and performance validated on a US population does not automatically generalize. But a weak signal is still better than no signal, and for a growing class of decision-support tools there will now be no signal at all.

Post-market monitoring assumes infrastructure many buyers do not have

The FDA's stated direction, less premarket review and more post-market monitoring, is a defensible bargain where the downstream half of that bargain exists. It requires functioning adverse-event reporting channels, staffed regulators who act on reports, and vendors with local accountability. The same scoping review that documented reliance on international certifications also identified post-market monitoring and adverse-event reporting as among the weakest regulatory functions in African health systems (moderate evidence, systematic scoping review, BMJ Global Health).

There is a second assumption embedded in the non-device category itself. The entire exemption rests on the clinician independently reviewing the basis for each recommendation. Commentators have already flagged that many clinicians lack the time, information, or tooling to perform that review in practice, which risks de facto reliance on software that no regulator has examined (limited evidence, peer-reviewed commentary, report to the FDA on AI product approvals). In understaffed facilities where one clinician may see a hundred patients a day, that assumption is under the greatest strain.

Questions procurement teams should now put to vendors directly

If "is it FDA cleared" answers less than it used to, the diligence has to become explicit. Five questions do most of the work.

  1. State the regulatory status precisely. Which jurisdiction, which pathway, which product code, or is the tool positioned as non-device CDS under the 2026 guidance? Phrases like "FDA registered" or "built to FDA standards" are not clearances and should be treated as marketing language until documented.
  2. Show the basis for recommendations. Can clinicians see the patient inputs, the guideline or evidence source, and the reasoning behind each output? Independent review is both the legal hinge of the non-device category and the clinical safeguard. A tool that cannot support it fails on both counts.
  3. Provide validation evidence with numbers. Ask for performance in a population comparable to yours, with sample sizes, absolute error rates, and the care setting named. A relative improvement without a base rate is not evidence.
  4. Define the intended-use boundary, especially for time-critical care. The FDA itself warns that automation bias rises when clinicians lack time to review. If the vendor's demo shows the tool in emergency workflows, ask how that squares with its regulatory positioning.
  5. Describe the post-deployment monitoring the vendor funds and runs. Error reporting channels, response times, model update governance, and what happens when performance drifts. If oversight has moved post-market, the vendor must carry part of it, because the public infrastructure often cannot.

Evidence discipline has to move in-house

The January guidance is not a crisis, and overstating it would be its own failure of evidence discipline. The FDA clarified boundaries, kept image analysis and signal interpretation under oversight, and preserved its warnings about automation bias. But the direction is unambiguous, and the timing matters. Regulation is thinning at the front end precisely as clinical AI adoption accelerates, and the assurance model replacing it assumes surveillance capacity that many health systems, particularly in lower-resource settings, do not yet have.

The practical response is to stop treating any single stamp as a substitute for evaluation. Hospitals need a standing internal habit of asking for evidence, grading it honestly, and holding vendors to intended-use boundaries. That is how Curely approaches its own work. We build for health systems where the regulatory safety net is thinnest, which is why clinician-reviewable reasoning and graded evidence are product requirements rather than compliance overhead.

The FDA's stamp was always an imperfect proxy borrowed from another health system. As of this year, it covers less. The institutions that adapt fastest will be the ones that were never fully outsourcing their judgment in the first place.