The first wave of clinical AI products to receive FDA clearance treated their underlying models as if they were locked devices — algorithms frozen at the time of authorization, updated only through a fresh regulatory review. That worked for early image-recognition tools. It does not work for modern foundation-model-based clinical AI, which improves continuously as new data and better techniques arrive.
The framework has had to evolve, and physicians evaluating clinical AI tools should understand what changed.
Software as a Medical Device, briefly
The base concept is Software as a Medical Device (SaMD): software that performs a medical function on its own, without being part of a hardware device. An algorithm that interprets a chest X-ray is SaMD. An algorithm that runs inside a CT scanner during acquisition is software in a medical device, which has different (and often less stringent) oversight.
The FDA classifies SaMD by risk, primarily by the seriousness of the clinical condition the software addresses and how directly its output drives clinical decisions. A triage support tool for non-urgent symptoms is one risk class. A tool that generates a diagnostic finding for an acute condition is another.
For an authoritative overview, the FDA's digital health guidance pages are the primary source. The framework has been shaped by international harmonization efforts through the International Medical Device Regulators Forum and informed by the WHO on global AI health policy.
What changed: Predetermined Change Control Plans
The most significant regulatory development in the past two years has been the introduction and growing use of Predetermined Change Control Plans, or PCCPs.
The problem PCCPs solve is straightforward. A clinical AI vendor receives FDA clearance for version 1.0 of an algorithm. Six months later, they have meaningfully improved the model — better performance, fewer false positives, broader generalization. Under the old framework, deploying that improvement required a new regulatory submission. The result was a strong incentive for vendors to either (a) wait years between updates, accumulating improvements, or (b) maintain unauthorized "minor" updates that drift away from what was actually cleared.
A PCCP lets a vendor specify, in advance, what kinds of changes they intend to make to a model after clearance — performance improvements, expanded indications, retraining on new data — and the validation processes those changes will undergo. The FDA reviews and approves the plan up front. Subsequent updates that fall within the plan don't require a fresh authorization.
This is more important than it sounds. It moves clinical AI regulation from "lock the model and hope it stays good" to "approve the change-management process and let the model improve continuously."
What this means for physicians evaluating tools
A few practical implications.
Ask whether the tool has an active PCCP. A vendor with one is committing to a structured update process under FDA visibility. A vendor without one is either using a frozen model (which may degrade over time as clinical reality drifts away from training data) or updating informally in ways that fall outside their original clearance.
Ask what the validation cohort actually was. Performance numbers from validation studies depend heavily on the patient population, equipment, and clinical setting. A tool validated entirely on academic medical center patients may perform differently in a community ED. The published validation work — increasingly available through journals like JAMA Network and The Lancet — is where this transparency lives.
Know the difference between cleared, authorized, and CE-marked. "FDA cleared" usually means a 510(k) clearance, which establishes substantial equivalence to an existing predicate device. "Authorized" can refer to De Novo classification or PMA approval, which represent higher-risk pathways. CE marks indicate European authorization under MDR. These pathways have meaningfully different scrutiny, and tools that primarily lean on CE-mark while marketing in the US should be evaluated carefully.
Algorithmic transparency requirements
A separate regulatory thread that intersects with FDA oversight is algorithmic transparency. The Office of the National Coordinator for Health IT, through healthit.gov, has finalized rules requiring certified health IT to disclose information about decision-support algorithms — what data they were trained on, how they perform across demographic subgroups, and what their limitations are.
This is sometimes referred to as the "AI nutrition label" requirement. The intent is that physicians using an AI-assisted tool can see, at a glance, whether it has been validated in populations that resemble their patients.
Where ambient AI documentation fits
Ambient AI scribes — tools that listen to clinical encounters and generate documentation — sit in an interesting regulatory position. Most ambient documentation tools are not FDA-regulated as medical devices because they don't claim to drive clinical decisions; they document what the clinician decided.
The line, though, is not always crisp. A tool that generates an MDM section is documenting reasoning. A tool that suggests ICD-10 codes is making a recommendation that affects billing. A tool that flags potential drug interactions in a generated note is veering toward decision support. As capabilities expand, regulatory scrutiny is likely to follow specific feature additions, not entire products.
For now, most ambient documentation tools fall outside SaMD scope, but vendors increasingly need to be careful about which features cross the line. Reasonable companies design their products with this boundary explicitly in mind.
Bias, equity, and the broader picture
A challenge the FDA framework alone cannot solve is algorithmic bias in clinical AI — the well-documented problem that models trained on non-representative data can underperform in populations excluded from training. The regulatory response is partial: requiring subgroup performance analysis, requiring transparency about training data, requiring post-market monitoring.
The harder work happens upstream — in dataset construction, in validation cohort selection, in deliberate testing for performance disparities. The NIH and academic centers have funded substantial research into algorithmic bias in clinical AI. The findings consistently show that bias is detectable, addressable, and easy to ignore unless the regulatory framework requires explicit attention to it.
What to watch in the next year
Three trends to track.
More PCCP submissions. As more vendors adopt predetermined change control, the practical pace of clinical AI improvement will accelerate without sacrificing oversight.
Convergence on transparency standards. The "AI nutrition label" requirement will become more visible in EHR procurement and vendor selection conversations.
Specialty-specific guidance. The FDA has issued increasingly specialty-specific draft guidance — radiology, pathology, cardiology — and emergency medicine is likely next, given the volume of ED-specific tools entering clearance pipelines.
The bottom line
The clinical AI regulatory framework is no longer the bottleneck it was three years ago. It's not perfect, but it has moved with reasonable speed to address the technical realities of modern AI. For physicians evaluating tools, the practical version of the regulatory question is simpler than the formal version: Has this tool been cleared for the indication you're using it for, in a population resembling yours, with a credible plan to maintain its performance over time?
If the answer is yes to all three, the regulatory framework is doing its job. If the answer is no to any of them, that's the conversation to have with the vendor before procurement, not after.
