Newsletter | Health-Impact-Alliance

Legislators Are Writing AI Rules Without Health System Input. Two Health Systems Decided to Change That.

A recap of AI Catalyst's third annual AI Policy Essentials briefing, with Sutter Health's Preston Young and University of Vermont Health Network's Dr. Justin Stinnett-Donnelly.

"The thing that baffles me most is why health systems are never in the room when the legislation that’s impacting us directly is being drafted."

That was a CIO at a leading health system, and the frustration is earned. For the third year running, AI Catalyst convened more than 50 health system executives for its AI Policy Essentials briefing, and this year the session moved past the legislative inventory toward a harder question: how do you actually shape the outcome when it matters? Two leaders who have been in exactly that legislative room offered the answer.

What Legislators Actually See When They Think About AI

Start with a reality check. Most legislators are not reading the same headlines you are. Their understanding of AI is shaped by data-center siting battles becoming the new NIMBY battle, Pope Leo’s recent encyclical on AI and human dignity, the US-China chip war, and graduation ceremonies getting booed this spring when AI was mentioned. These are the mental models in the room when healthcare-affecting bills get drafted. The implication for advocacy is that health systems are not just trying to tell their story to policymakers; they are trying to place that story inside a public narrative legislators are already living in.

The numbers explain the urgency. More than 1,500 state AI bills were introduced in the first three months of 2026 alone, already more than all of 2025. A federal effort to pause state AI laws was voted down 99 to 1 in the Senate, with most Republican senators joining despite administration pressure. The states have effectively won the right to regulate AI, and they are using it.

On the federal side, the June 2 executive order established a voluntary, non-mandatory framework for frontier AI model access — well short of licensing. Deregulation is still the stated posture. But the session was direct: this administration will regulate when it chooses to, and health systems shouldn’t mistake a deregulatory default for a permanent guarantee.

Five state-level trends every governance team should track

  • Transparency has moved from principle to operations. Recording consent lawsuits over ambient documentation are already spreading, not as HIPAA violations but as violations of state recording consent laws. In two-party consent states like California, how you capture patient consent before using ambient listening is a live legal question, not a hypothetical one.

  • Liability is effectively settled. No state has exempted health systems from responsibility for adverse AI outcomes. The deployer, the health system, remains the most liable party no matter what the vendor contract says or how responsibility is shared with the developer.

  • Payer AI restrictions are becoming baseline law. Indiana’s new mandate (effective July 1) prohibits AI as the sole basis for down-coding a claim without documented human review, and near-identical language is already spreading to other states. Expect this standard to be near-universal within a couple of years.

  • Risk tiering is the model to build for. Colorado, Connecticut, and others are setting stricter requirements for high-risk AI and a lighter touch for the rest. It’s also the most actionable governance step available now: If your AI use case inventory doesn’t have risk tiers assigned to every tool, that’s where to start.

  • States now publish AI inventories you can measure your own against. Connecticut already posts an annual list of every AI system its agencies use, naming the vendor, the function, whether it drives decisions, and whether it cleared an impact assessment. More states are following. Compare your own inventory against public lists: for vendors you share, you see how they are classified elsewhere; for vendors with no public footprint, your own records are the basis for classification and accountability.

Do these in order. Inventory all of your AI, then tier it by risk, then compare against the state's inventory. Jump to the comparison before the first two are done and all it surfaces is what you already left out.

One more front worth tracking: the Joint Commission and Coalition for Health AI now offer a formal Responsible Use of AI in Healthcare (RUAIH) certification program, backed by eight detailed governance playbooks published in May. The session’s read was direct: treat it as optional at your own risk. RUAIH is following the same trajectory as Joint Commission accreditation — voluntary until the field makes it standard.

Getting into the Room, and What to Say When You’re There

The session’s practical half featured two case studies approaching the advocacy challenge from opposite directions — one trying to stop legislation, one trying to pass it.

Getting to no: Sutter and AB 1018

Preston Young led a coalition that successfully stopped California Assembly Bill 1018, one of the most sweeping AI automated-decision bills the country has seen. The bill would have required disclosure of every AI-assisted “consequential decision” to patients, a compliance officer for every automated decision system, and patient rights to notice, data correction, and appeal for every AI-influenced outcome.

The problem in practice was immediate: a sepsis patient would have needed to be consented across dozens of AI technologies before treatment began. The coalition, led by the California Hospital Association alongside state health plans, organized around five pillars: patient care impact, equity implications for smaller and rural providers, regulatory overreach, cost burden, and innovation competitiveness.

The message was consistent throughout: healthcare AI is assistive technology in a workforce already stretched by shortages, and a patient is not a standard consumer. One-size-fits-all regulation built for other industries will end up harming the patients it means to protect. The bill failed for lack of votes, though it can still be revived this session.

Getting to yes: UVM and HR 84

At UVM Health, Dr. Stinnett-Donnelly had the reverse problem. A pre-COVID Vermont recording consent law, designed to protect patients from unauthorized recording, had inadvertently made ambient documentation in telehealth impermissible. The law predated the technology, nobody intended the outcome, and unwinding it took two legislative sessions.

He worked through a hospital and specialty-society coalition with an education-first approach: explain what an electronic health record does, what ambient documentation does and does not do, and then, critically, show it.

The live demo before the Health Subcommittee was decisive. It was grounded in a well-known image of a child’s crayon drawing of their pediatrician staring at a computer screen, family sitting off to the side. He made the point that ambient documentation rearranges that scene so the clinician can face the patient again. A skeptical committee member shifted position and the bill passed.

The lesson from both cases is the same:

  • show the workflow, not just the policy argument

  • build the coalition before the vote

  • and get to legislators before legislation is drafted, not after.

Each system found the one idea that reorganized the debate, then made it impossible to unsee.

Then the government proved the point

On June 12th, days after the session, the US Commerce Department sent Anthropic an export-control directive to suspend access to Fable 5 and Mythos 5, its two newest and most capable AI models, for all foreign nationals.

Because Anthropic could not filter access by nationality, it had to disable both models globally for all customers, with no advance notice. Its other models stayed available. The stated concern was a jailbreak technique on the models; Anthropic disputed the severity, calling the finding minor and already known, and said it believes the action is a misunderstanding that it is working to reverse.

For health systems, this makes the session’s argument concrete. A deregulatory federal posture does not mean a predictable one. A directive can land at 5 PM on a Friday with no advance notice and no transition period and take mission-critical workflows with it.

It also pulls model misuse and jailbreaks directly into the governance conversation: as health systems deploy more capable and agentic tools, monitoring for misuse stops being only a cybersecurity concern and becomes a governance and liability one, tied directly to the risk-tiering work the session focused on.

Systems that have tiered their AI risk, built vendor continuity plans, and engaged the policy environment early are ready to move when the ground shifts. The ones that haven't are finding out, in real time, why the CIO's question at the top of this recap was never rhetorical.

Questions to Consider

  1. Is your organization in the room when state AI legislation affecting your operations is being drafted? If not, what would it take to get there, and who would you send?

  2. Do you know your recording consent obligations for ambient documentation across every state you operate in? If you’re multi-state, are you defaulting to the most conservative standard?

  3. If a key vendor’s AI models were suspended overnight with no advance notice, which clinical and operational workflows would be affected, and do you have a continuity plan?