Skip to content
All posts

Regulators Are Not Coming for Your Product. They Are Coming for Your Decision.

The Rewiring Trust framework, applied. How the FDA and EU AI Act reframe AI governance from product compliance to decision accountability.


In 1995, the FDA cleared its first AI-enabled medical device. By July 2025, that number had surpassed 1,250, a 35% compound annual growth rate that no quality framework in regulated industry was designed to absorb.

The technology moved fast. The governance infrastructure did not. That gap is where organizations get held accountable now.

The conventional read of this moment is that regulators are tightening the screws on AI-enabled products, adding requirements, raising the bar for clearance, layering on post-market obligations. That read is not wrong. However, it misses the deeper change happening underneath.

The FDA and EU AI Act are not regulating the product. They are regulating the decision behind it.

That distinction is not semantic. It changes the entire architecture of what defensible AI governance requires, and it explains why organizations that have passed inspection before are finding that the same approach no longer holds.


What “Regulating the Decision” Actually Means

Traditional medical device regulation is largely product-centric. A device is designed, tested, submitted, and cleared. The regulatory interaction is front-loaded. Once cleared, the governance obligation is largely fulfilled until a material change triggers a new submission cycle.

AI-enabled Software as a Medical Device breaks that model. A locked AI model can drift. A validated algorithm can behave differently in a real-world clinical environment than it did in structured testing. A device cleared for one patient population may encounter another. The product did not change, but the decision the product is making has.

The FDA’s 2025 draft guidance on AI-enabled device software functions makes this explicit: AI-SaMD is no longer evaluated as a static artifact but as a managed process. The expectation is that design controls, testing, risk management, and real-world performance surveillance operate continuously. Not as a one-time clearance event. As an ongoing governance commitment.

The EU AI Act layers onto this with specificity. For high-risk AI systems, which include most AI-enabled medical devices, the Act mandates explainability, bias mitigation, algorithmic transparency, and continuous monitoring, even for locked, non-adaptive models. Dual compliance is now the baseline: traditional medical device requirements and AI-specific governance standards simultaneously.

Only 29% of AI-enabled medical device deployers consider themselves familiar with the post-market surveillance rules already governing their systems.

That is not a future readiness problem. That is a current audit exposure.


The Reinvention Framework: Compliance + Context + Capability

The organizations moving through this without getting burned run on the same logic. They did not respond to new regulatory requirements by bolting compliance steps onto an existing process. They rebuilt governance from the ground up, structured around three conditions that have to hold at once.

Compliance. Context. Capability.

Compliance, here, does not mean checking the boxes required for clearance. It means traceability that follows the decision, not just the submission. Audit trails that document what the model outputs, and how that output was generated, reviewed, and acted upon. Compliance built into the lifecycle from design, not retrofitted after deployment, when the cost is measured in inspection time and remediation cycles.

Context means accounting for how the system gets used. By whom. In what clinical environment. With what level of human variability surrounding it. A validated AI system that performs accurately in structured testing and drifts in an ICU is not a validation failure. It's a context failure. The capability existed. The conditions required to trust it did not.

Capability means validating against real-world evidence, not structured inputs engineered to produce predictable outputs. It means post-market monitoring that can detect model drift before it becomes a patient safety event. It means the organization has built the technical and operational infrastructure to demonstrate, at any point in the device lifecycle, that the decision the AI is making is as governed as it was at the moment of clearance.

When all three are present, trust is not assumed. It stands up under audit, under scrutiny, and under the weight of a real patient outcome.


Why Compliance Alone Is No Longer the Answer

The organizations facing the most regulatory exposure over the next three to five years are not the ones building bad AI. They are the ones building capable AI inside governance frameworks that were never designed for it.

Compliance retrofitted after deployment is not a governance strategy. It is damage control with extra steps. And in a regulated environment, damage control at the post-market stage carries a cost no quality leader can fully predict at the start of a development cycle.

The next generation of AI-enabled medical devices won't be defined by how sophisticated their algorithms are. It will be defined by how rigorously the systems governing them are built. That rigor is not a product feature. It cannot be purchased from a vendor, integrated into a submission package, or documented after the fact.

It must be engineered in. And it starts long before the submission package is assembled. 


This is the argument at the center of the Rewiring Trust framework, and the foundation of The Courage to Reinvent, arriving Fall 2026. The question every regulated MedTech organization must answer is not whether their device is compliant. It is whether the decision their device makes is trustworthy. Those are not the same question. And the organizations that recognize the difference are the ones building for what comes next.