With deep expertise in drafting and analyzing complex international agreements, Desiree Sainthrope has become a leading authority on global compliance. Her work at the intersection of law, intellectual property, and emerging technology provides her a unique vantage point on the most pressing challenges facing highly regulated industries. Today, she shares her insights from a recent survey by Corporate Counsel and Ropes & Gray, exploring how the health care and life sciences sectors are navigating the promise and peril of artificial intelligence. The conversation delves into the practicalities of using AI for regulatory monitoring, the intricate dance between federal and state governance, the heightened need for accountability when patient outcomes are at stake, and the foundational elements of a robust AI governance strategy.
Your survey found nearly half of legal departments see AI’s top potential in regulatory monitoring. Could you describe a step-by-step process for how a life sciences company might implement AI for this task, and what specific metrics they would use to measure its success?
That finding really gets to the heart of the pressure these companies are under. A staggering 61% of in-house counsel are already spending significant resources just trying to keep up with the shifting sands of AI law. The first step in implementing an AI solution is to define its scope. You can’t just unleash a tool and hope for the best. A company would first identify its highest-risk jurisdictions and the specific regulatory bodies—say, the FDA and a handful of key state health departments—that matter most. Next, they would select and train an AI model, feeding it not just the existing laws but also proposed bills, regulatory actions, and official guidance. The critical third step is integration—linking the AI’s output directly into the compliance team’s workflow, so that tailored summaries and alerts are generated automatically. Success isn’t just about speed; it’s measured by the reduction in false positives, the accuracy of the summaries produced, and ultimately, the demonstrable decrease in person-hours spent on manual research, freeing up legal experts to focus on strategic counsel rather than clerical review.
The article highlights a “tug-of-war” between federal and state AI regulation. How does this tension practically impact a health care provider’s AI adoption strategy? Please share an example of a conflicting state and federal guideline and how a company might navigate that specific challenge.
This “tug-of-war” Christine Moundas mentioned creates a minefield for any organization operating across state lines. On a practical level, it means a national health system can’t create a single, uniform AI adoption policy. For example, you might see a federal initiative from the current administration aimed at accelerating the adoption of AI-powered diagnostic tools to improve rural health care access. That federal push might streamline the clearance process for “software as a medical device.” At the exact same time, a state like California could pass a stringent patient privacy law that requires a level of algorithmic transparency that the AI vendor is contractually unable or unwilling to provide. Suddenly, the health care provider is caught. To navigate this, they must rely on a sophisticated governance committee to conduct a risk-benefit analysis. They might have to pilot the technology only in states where it’s clearly permissible, while simultaneously engaging in tough negotiations with the vendor to see if a more transparent version of the algorithm could be developed for use in the more restrictive state. It forces a piecemeal, state-by-state strategy that is costly and complex.
Benjamin Wilson noted that for health care, “bad outcomes are bad health outcomes.” How does this high-stakes environment shape AI governance? What specific accountability or traceability measures are companies implementing that you wouldn’t typically see in other less-regulated business sectors?
That quote from Benjamin Wilson is the absolute core of the issue. In e-commerce, a bad AI recommendation means a lost sale. In health care, a bad recommendation can mean an irreversible decline in a patient’s health. This hyper-regulated, high-stakes reality fundamentally changes the governance model. The focus on accountability and traceability is magnified in a way no other sector experiences. For instance, we are seeing companies implement “human-in-the-loop” protocols as a non-negotiable standard for any AI that influences clinical decisions. This means an AI can suggest a diagnosis or treatment, but it cannot be executed without explicit review and approval by a qualified clinician. Another measure is the creation of immutable audit trails. Every piece of data the AI used, every step in its reasoning, and the final output are logged in a way that cannot be altered. This creates a detailed record for review if an adverse event occurs, something you wouldn’t find in a system designed to optimize a supply chain.
Given that Ropes & Gray advises clients on “emerging norms,” can you walk us through the essential components of an effective AI governance committee? What key roles should be included, and what are the first three policies they should tackle when dealing with vendors and data rights?
Absolutely. Establishing these “emerging norms” is one of the most critical services we provide because there’s no official playbook yet. An effective governance committee must be a multidisciplinary body. It needs a leader from the legal or compliance department, but it must also include senior representatives from clinical operations, information technology, data science, and even procurement. You need the people who understand the law, the patient care implications, the technical infrastructure, and the contractual realities all at the same table. The first policy they should establish is a comprehensive Vendor Due Diligence Framework. This goes beyond a standard security check; it must scrutinize a vendor’s data-handling practices, their model’s training data, and their position on liability. The second is a clear Data Rights and Usage Policy, which explicitly defines who owns the data, who owns the insights generated by the AI, and how patient data is de-identified. Finally, they need to create a Use Case Risk Assessment Protocol to classify proposed AI applications—distinguishing between low-risk administrative tasks and high-risk clinical decision support—to ensure the level of oversight matches the potential for harm.
What is your forecast for the federal and state AI regulatory landscape in health care over the next five years?
My forecast is that the “tug-of-war” will intensify before it resolves. I anticipate the federal government will continue to push for accelerated AI adoption, likely through targeted funding and perhaps creating regulatory “sandboxes” for specific high-value applications like drug discovery or personalized medicine. However, I believe states will become even more active, establishing themselves as the primary guardians of patient rights. We’ll see a patchwork of state-level laws emerge focusing on algorithmic fairness, bias audits, and a patient’s “right to an explanation” for AI-driven medical decisions. This will make national-level compliance incredibly challenging. The most successful organizations will be those that build agile, principles-based governance systems now, allowing them to adapt to this fragmented and constantly shifting regulatory climate without stifling innovation. Rigorous, continuous monitoring won’t just be a best practice; it will be an absolute necessity for survival.
