Building a Clinical Research AI Governance Framework
Nancy DiGioacchino
VP, Quality Management and Global Compliance
Nearly 70% of clinical research professionals are exploring or piloting AI. Only 12% are using it consistently.
That gap is not a technology problem. It is a governance problem.
When Florence’s League AI Working Group brought together 17 clinical research professionals to talk about AI implementation, the conversation kept circling back to one uncomfortable truth: most organizations do not yet have a clear, repeatable process for deciding which AI tools to adopt, who approves them, or how to validate that they are working.
According to Gartner, roughly half of all employees now use AI at work and 65% report productivity gains, but enterprise-wide transformation remains limited. Adoption is outpacing governance, and that is precisely where risk creeps in.
Without governance, organizations face shadow AI use, data leakage, inconsistent decisions, and ultimately slower scaling. With governance, organizations get controlled adoption, defined accountability, and the foundation to move fast responsibly. The difference between those two paths is not the quality of the AI tools an organization chooses, it is the structural work done before and around those tools.
Where AI Governance Breaks Down
Most organizations adopting AI are doing so faster than their governance structures can keep up. The result is a patchwork of informal workarounds, stalled approvals, and policies written for a world that predates the technology they’re meant to regulate. Understanding where the gaps tend to appear is the first step toward closing them, especially in clinical research, where data integrity and patient safety are always on the line.
The Approval Process Is a Cross-Functional Puzzle With No Owner
Ask who approves an AI tool at a typical research site and you will get a different answer from every department. The honest answer, as our working group confirmed, is that no one really knows yet.
Traditional software purchases already require sign-off from multiple stakeholders: functional teams, legal, compliance, IT and security, finance, and executive leadership. AI adds new layers, such as data governance, IRB and ethics considerations, vendor review, and, in some cases, regulatory bodies, all without an established playbook.
What’s worse, because AI governance is perceived as high-stakes and poorly defined, organizations often end up in a situation where no one wants to be the final decision-maker. Accountability gets diffuse. Reviews drag on. And in the meantime, staff are using consumer-grade AI tools without any structure at all.
The result is that governance is either happening too slowly through overly cautious formal review, or not at all through unsanctioned shadow use. Neither is acceptable in an environment where data integrity, patient safety, and regulatory compliance are on the line.
Existing Regulations Weren’t Written for the AI Use Cases of Clinical Researchers
Regulatory guidance does not address high-risk AI for tools that directly impact patient safety, drug quality, or the reliability of clinical evidence. Neither does it consider what most clinical research teams are actually doing with AI today.
The majority of AI use in clinical research is operational: drafting communications, reviewing documents, streamlining workflows, managing administrative tasks. These are not minor uses; they consume enormous amounts of staff time, and improving them can meaningfully accelerate trials. But they fall into a grey area under current frameworks like the FDA’s draft guidance on AI for regulatory decision-making or the EU AI Act’s compliance requirements, which set baseline literacy and transparency obligations without providing practical direction for routine operational applications.
The EU AI Act’s risk classification is a useful lens here. It divides AI systems into four tiers:
- unacceptable risk – prohibited outright
- high risk – critical sectors requiring formal conformity assessment
- limited risk – transparency obligations, such as disclosing chatbot use
- minimal risk – most operational tools, where voluntary codes of conduct apply
The challenge is that much of what research organizations are implementing sits in the limited-to-minimal tier, where formal regulatory requirements are light, but the internal governance questions are anything but simple.
This gap leaves organizations in an awkward position: either apply enterprise-level validation requirements to a scheduling assistant, or adopt tools with no governance framework at all because none seem to apply. As one working group member put it, the guidance just does not address what most researchers are actually doing.
Until that guidance matures, organizations cannot wait for regulators to solve for their industry-specific needs. They need to build their own frameworks.
AI Governance Is Different Because AI Behavior Is Different
Beyond the regulatory gap, there is a more fundamental challenge: AI systems make decisions in ways that are not always transparent or consistent. Traditional software is deterministic—the same inputs always produce the same outputs. AI, particularly generative and agentic AI, is probabilistic. Outputs can vary and errors can be subtle. Unlike a software bug, which tends to fail visibly, AI errors can look convincingly correct.
For clinical research, where accuracy and auditability are foundational, this creates a real trust problem. The danger is not automation itself. It is allowing decision-making to migrate to AI models.
As such, human oversight is a responsible design choice for a context where errors carry real consequences.
Five Principles for Building Your AI Governance Framework
There is no established industry standard or perfect framework. What works is a set of principles that translate into a practical workstream. Here are five AI principles that apply to clinical research:
Principle 1: Contain the data
This is the non-negotiable starting point and the principle that addresses the single biggest enterprise fear: data exposure. Any AI tool used in clinical research should operate within a controlled environment where PHI and PII are top of mind. That means AI outputs inherit the access permissions of the underlying data, and no customer data is used to train or improve the underlying model. Context-aware controls and data minimization are not IT configurations — they are governance requirements.
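The requirement that AI outputs inherit the access permissions of the underlying data is easiest to enforce at the retrieval layer of an assistant: filter records by the requesting user's entitlements before anything is ranked or placed in a prompt. The example below is added here to illustrate that control; it is not code from Florence or from the working group, and the studies, sites, records and users it uses are constructed. It also records which records each answer was built from, which is the audit trail Principle 4 and the "audit-ready documentation" point below depend on.

```python
"""Permission-inheriting retrieval for a clinical research assistant.

Added illustrative example, not code from the original post. All studies,
sites, records and users below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Record:
    record_id: str
    study: str
    site: str
    contains_phi: bool
    text: str


@dataclass(frozen=True)
class User:
    user_id: str
    studies: frozenset
    sites: frozenset
    phi_authorized: bool


# Constructed sample corpus (hypothetical study and site identifiers).
CORPUS = (
    Record("R1", "STUDY-A", "SITE-01", False, "Visit 3 window is day 28 plus or minus 3."),
    Record("R2", "STUDY-A", "SITE-01", True, "Subject 0412 reported dizziness after dose 2."),
    Record("R3", "STUDY-A", "SITE-02", False, "Site 02 monitoring visit scheduled for day 30."),
    Record("R4", "STUDY-B", "SITE-01", False, "Study B dose escalation cohort 2 opens next week."),
)


def authorized(user: User, rec: Record) -> bool:
    """The assistant may read a record only if the user may already read it."""
    return (
        rec.study in user.studies
        and rec.site in user.sites
        and (user.phi_authorized or not rec.contains_phi)
    )


def _score(query: str, text: str) -> int:
    """Toy relevance score: number of shared words (stands in for a real ranker)."""
    q = {w.lower().strip(".,") for w in query.split()}
    t = {w.lower().strip(".,") for w in text.split()}
    return len(q & t)


def retrieve(user: User, query: str, corpus: Iterable[Record], k: int = 3) -> list:
    """Filter BEFORE ranking: unauthorized records never enter the candidate
    set, so they can neither be returned nor influence what is returned."""
    candidates = [r for r in corpus if authorized(user, r)]
    ranked = sorted(candidates, key=lambda r: _score(query, r.text), reverse=True)
    return [r for r in ranked[:k] if _score(query, r.text) > 0]


def build_prompt(user: User, query: str, corpus: Iterable[Record], audit_log: list) -> str:
    """Assemble the model context from authorized records only and log the
    record ids used, so every answer can later be traced to its sources."""
    recs = retrieve(user, query, corpus)
    audit_log.append({
        "user": user.user_id,
        "query": query,
        "records": [r.record_id for r in recs],
    })
    context = "\n".join(f"[{r.record_id}] {r.text}" for r in recs)
    return f"Context:\n{context}\n\nQuestion: {query}"


if __name__ == "__main__":
    log = []
    # Coordinator at SITE-01 on STUDY-A with no PHI entitlement (constructed).
    crc = User("crc-1", frozenset({"STUDY-A"}), frozenset({"SITE-01"}), False)
    print(build_prompt(crc, "dizziness after dose 2", CORPUS, log))
    print(log)
```

Note the order of operations: the weak pattern is to rank over the whole corpus and strip unauthorized hits afterwards, which still lets restricted content shape the ranking and is easy to forget on one code path. Filtering first makes the permission check the only way a record can reach the model, and the audit entry gives the governance committee something concrete to review when an output is questioned.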
Principle 2: Classify the risk before you govern it and apply guardrails appropriately
Not all AI is alike, and not all AI in clinical research carries the same stakes. The EU AI Act’s tiered model provides a structured way to calibrate oversight. Assistive AI that surfaces information for a human to act on sits in a different risk tier than predictive AI that scores site feasibility, or agentic AI that executes multi-step workflows autonomously. Your governance requirements should scale with that risk, not apply uniformly across every use case.
Principle 3: Define what data is used, by whom, and for what purpose
AI governance requires organizations to think carefully about contextual integrity, that is, whether data is being used in ways consistent with the context in which it was collected. AI that aggregates across studies, sites, or sponsors raises different questions than AI that operates within a single contained workflow. Governance requires being explicit about these distinctions before a tool is deployed, not after an incident prompts the question.
Principle 4: Establish where human oversight should engage
AI supports decisions, but humans remain accountable for those decisions. Governance frameworks must specify, for each AI use case, exactly where in the workflow a human reviews AI output before action is taken, what constitutes a meaningful review, and what happens when a human overrides an AI recommendation. Continuous monitoring for model performance and bias is an ongoing operational responsibility.
Principle 5: Build and empower a governance committee to make autonomous decisions
Cross-functional governance committees are necessary. They are also, at many organizations, where governance goes to die. The difference between a committee that works and one that doesn’t comes down to whether it has defined authority, clear scope, and a mandate to make decisions rather than simply to discuss them. A governance committee’s job is to create policies and ethical guidelines for AI development and use, review and approve or restrict specific use cases, conduct AI risk assessments, evaluate vendor tools, establish risk tolerance thresholds, and report meaningfully to executive leadership. If your committee is doing all of those things, it is functioning well.
What Doesn’t Work and What Does
AI governance is not a technical issue to be resolved by the engineering team and handed back to the business. It is a cross-functional organizational capability that requires ownership at the leadership level and engagement from legal, compliance, risk, and every major business function that touches AI. When done correctly, AI governance comes down to a few processes that work well.
What tends to fail
- Unclear data policies that leave staff guessing about what is permitted
- Lack of AI inventory and lack of clarity about what tools are actually in use
- Governance ownership so diffuse it effectively means no ownership
- Theorized frameworks that are never operationalized
- Little monitoring of AI tools after deployment
What works well
- Starting simple and building a comprehensive framework incrementally
- Focusing early governance energy on guardrails rather than comprehensive policy
- Treating audit-ready documentation as a discipline from the start
- Being ready for edge cases that weren't anticipated
One principle that experienced governance practitioners emphasize: scale controls with risk. As AI deployment accelerates, governance controls should tighten, not relax. Organizations need to maintain consistent oversight to ensure their operations are compliant.
The Organizations That Move Faster Are the Ones Building Now
Governance is often framed as a barrier to AI adoption. The data suggests the opposite is true. Sites and organizations that invest in clear governance structures are the ones that move from exploration to consistent use. Governance does not make AI adoption easier in the short term, but it makes it defensible—it creates the institutional trust that allows the next tool to get approved faster than the last.
Early AI experiments are about learning where your processes, data infrastructure, documentation practices, and team capacity need to improve before AI can operate at scale. The organizations building governance frameworks now will reap the benefits in the long term.
Key Takeaways
Governance is an accelerant, not a brake. Organizations with clear decision-making pathways for AI adoption move faster and more confidently than those without them.
Contain the data first. Data exposure is the primary risk with AI. Any governance framework starts here, before use cases, before approvals, before deployment.
Risk stratification is the practical path forward. Not every AI tool needs enterprise-level validation. A tiered approach based on patient impact, data sensitivity, autonomy level, and human oversight requirements is both more rigorous and more sustainable than uniform review.
AI governance is not an IT problem. It is a cross-functional organizational capability requiring leadership ownership and engagement across legal, compliance, risk, and every business function that uses AI.
Build for learning, not for perfection. The goal of early governance frameworks is not airtight compliance structures from day one. It is enough structure to learn from AI experiments responsibly — and to build the institutional knowledge that makes the next adoption cycle faster.
This post draws on discussions from The League’s AI Working Group, which brings together clinical research professionals to explore practical challenges in AI implementation, and on the governance framework presented by Nancy DiGioacchino at the Central Florida Compliance Roundtable in April 2026. Florence’s 2026 State of Clinical Trial Technology Report provides additional data on AI adoption trends across the industry.
Interested in joining the conversation? Learn more about The League.