AI-Enabled Medical Devices: The Broader Compliance Landscape

In a recent post on this blog, we examined the U.S. Food and Drug Administration's (FDA) core regulatory framework for artificial intelligence (AI) and machine learning (ML) enabled medical devices — the Predetermined Change Control Plan (PCCP), the clinical decision support boundary question, cybersecurity mandates, and what the framework means for company legal and regulatory teams. This article examines converging obligations that extend beyond that foundation.

 

The regulatory environment for AI is shifting, including at the federal level, in ways that reflect both caution and restraint. In early June 2026, the White House issued an executive order titled "Promoting Advanced Artificial Intelligence Innovation and Security," following revisions to an earlier draft pulled amid concerns of unintended regulatory consequences. The executed order establishes a framework for voluntary collaboration between the federal government and developers of AI models. While it expressly disclaims intent to create a mandatory licensing or pre‑clearance regime, it signals a more engaged federal posture toward advanced AI capabilities. For life sciences companies developing AI solutions, this development underscores a broader policy dynamic: even where formal regulation is deferred, government expectations and informal oversight structures continue to evolve in parallel.

 

Algorithmic Bias and Transparency

As discussed in our prior post, the FDA’s software as a medical device (SaMD) framework treats algorithmic bias mitigation and transparency as lifecycle obligations rather than discrete compliance checkpoints. Those expectations remain central as AI‑enabled medical devices move beyond narrow, task‑specific models and into more adaptive and generative use cases.

 

In practice, this means that subgroup performance testing, documentation of known limitations, and clear, functionally comprehensible labeling are not merely static premarket exercises. They shape how devices are validated, updated, monitored, and defended over time. For companies operating under authorized PCCPs, transparency obligations also extend to explaining what has changed after each update and how those changes affect clinical use.

 

These baseline expectations form the backdrop for the broader compliance challenges discussed below, particularly as generative AI, real‑world performance monitoring, and cross‑border regulatory regimes introduce new sources of variability and risk.

 

Generative AI and Foundation Models

The current regulatory framework for SaMD was designed primarily for narrow, task‑specific AI models. The technology frontier, however, is moving beyond those bounded applications. Recent FDA actions involving foundation‑model‑based and patient‑facing AI systems illustrate the agency’s willingness to engage with generative AI on a case‑by‑case basis, even as formal regulatory paradigms continue to evolve.

 

Foundation models present regulatory challenges that may differ in kind, not just degree, from traditional AI/ML devices. The FDA has acknowledged these gaps, specifically soliciting public comment in its January 2025 draft guidance on whether existing recommendations are adequate to address concerns raised by generative AI. The agency has also begun tagging devices that incorporate foundation models or large language model‑based functionality on its AI-Enabled Device List, signaling an intent to track and, potentially, differentiate the regulatory treatment of these technologies over time.

 

Under the EU AI Act (Regulation (EU) 2024/1689), generative AI introduces a layered compliance structure. Foundation model developers bear separate General Purpose AI obligations, while device manufacturers remain responsible for high‑risk AI system requirements. These are distinct regulatory responsibilities held by different entities, highlighting the need for contracts between foundation model providers and device manufacturers to allocate expectations and obligations clearly.

 

For life sciences companies, generative AI heightens risk across multiple dimensions. Validation and PCCP design become more complex when outputs are generative rather than deterministic. Transparency obligations become harder to satisfy when model reasoning is not readily explainable. The central strategic question is whether existing validation protocols and change management frameworks are sufficient, or whether the unique characteristics of generative technologies require a different approach.

 

Real-World Performance Monitoring

Regulatory attention is also shifting toward what happens after deployment. In September 2025, the FDA issued a Request for Public Comment on measuring and evaluating the performance of AI‑enabled medical devices in real‑world settings, signaling that more structured post‑market monitoring expectations are likely on the horizon.

 

Real‑world performance monitoring highlights the limits of formal regulatory mechanisms such as authorized PCCPs. While PCCPs provide a structured pathway for certain post‑market modifications, they do not, by themselves, govern all sources of model change. Retraining cycles, dataset updates, vendor‑initiated foundation model revisions, and cybersecurity patches may occur outside the scope of an authorized PCCP. Companies deploying AI‑enabled medical devices are increasingly expected to implement internal change governance processes that ensure updates are tracked, assessed, documented, and, where necessary, escalated for regulatory review. From a risk perspective, undocumented or poorly governed changes can create exposure not only under FDA quality system requirements, but also in downstream liability.

 

Although the request for comment does not establish new requirements, it suggests that FDA expectations around post‑market monitoring may become more prescriptive over time. For companies operating under authorized PCCPs, the question is likely not whether ongoing performance monitoring will be expected, but how granular those expectations will become.

 

The EU AI Act and Extraterritorial Exposure

For companies with any European market presence, the FDA framework does not exist in isolation. The EU AI Act, which entered into force in August 2024, classifies AI‑enabled medical devices as high‑risk systems subject to a comprehensive compliance regime, with extraterritorial reach extending to any provider whose AI system outputs are used in the EU.

 

While the AI Act is formally distinct from the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), the interaction between these regimes introduces additional complexity. Conformity assessments and post‑market obligations under the AI Act may influence how notified bodies assess “significant changes” under MDR or IVDR, even where a device’s intended use has not changed. Manufacturers can reasonably anticipate increased coordination between regulatory strategies that have historically been managed separately.

 

If pending amendments are formally adopted, timelines for certain obligations — including those affecting medical devices — may be extended. Pursuant to a May 2026 proposed "Omnibus" amendment, medical devices embedded with AI systems (classified as "high-risk") could be subject to an August 2028 compliance deadline. Timelines and interpretations remain subject to change, however, and neither that uncertainty nor the current proposed timeline extension provides a basis to defer planning. Conformity assessment under the AI Act requires notified body engagement, documentation buildout, and quality management system integration that cannot be completed quickly. Notably, a PCCP authorized by the FDA does not satisfy EU AI Act obligations, and vice versa.

 

State-Level AI Healthcare Legislation

The regulatory landscape is also accelerating, and further fragmenting, at the state level. 2025 marks the first year that lawmakers in all 50 states introduced AI-related bills. A total of 47 states introduced over 250 bills touching on healthcare and related sectors specifically. Of those, a growing number reached enactment, with the pace of state-level AI legislation accelerating significantly from prior years.

 

Notable examples include, with scope and application variations: 

Although many state AI statutes formally regulate healthcare providers rather than device manufacturers, their practical impact extends upstream. Enforcement is likely to occur through a combination of professional licensing actions, state attorney general investigations, and private litigation that uses statutory violations as predicates for broader claims. As a result, both care providers and their customers may increasingly look to device manufacturers for assurances, documentation, and technical controls that support compliance with state‑level disclosure and oversight requirements. In other words, for life sciences companies, state AI laws are less about direct regulation and more about shifting customer expectations and risk allocation. Staying current on this rapidly evolving patchwork is a meaningful component of any AI device compliance program.

 

Insurance Considerations

The liability profile of an AI-enabled device that evolves post-clearance is materially different from that of a static product. In this context, insurance analysis may increasingly turn on process as much as product. Many insurers assessing AI‑enabled medical devices are paying closer attention to how model changes are governed, documented, and disclosed across the product lifecycle. Misalignment between regulatory change management, quality system documentation, and contractual representations can create insurance friction, particularly to the extent post‑clearance modifications may contribute to an adverse event.

 

For life sciences companies navigating this space, the insurance conversation benefits from being ongoing rather than episodic. Clinical trial liability, products liability, and professional liability coverages merit ongoing evaluation in light of the unique risks AI introduces.

 

The Future of AI Regulation

The FDA's SaMD framework is no longer aspirational. It is in active implementation, and it carries meaningful operational and compliance consequences for companies that do not engage with it proactively. Cybersecurity mandates, bias and transparency obligations, EU compliance timelines, state-level legislation, and the emergence of generative AI in clinical applications are quickly converging to create a multi-layered compliance challenge. Recent state and federal actions, including the June 2026 executive order on advanced AI innovation and security, illustrate how policy instruments short of formal regulation can still shape development, disclosure, and risk management expectations for AI technologies operating in regulated sectors. Importantly, the requirements and expectations described in this article continue to evolve and vary based on jurisdiction, device type, and intended use.

 

The takeaway may be straightforward but challenging. For life sciences companies, the work ahead lies in building the robust, cross-functional fluency to hold these obligations together in a coherent strategy for managing both present and future risk, even as the landscape underneath continues to shift.

 

Authored by Phillip Skaggs, Berkley Life Sciences, Vice President & Chief Legal & Regulatory Affairs Officer
