Joint Commission certifies AI governance in hospitals, not the tools

Joint Commission introduces AI responsibility certification

The Joint Commission has launched a voluntary certification called Responsible Use of AI in Healthcare (RUAIH) to establish standards for how hospitals and provider organizations deploy artificial intelligence. The program does not validate or certify individual AI tools; instead, it assesses organizational governance, processes, and staff education around AI use.

The certification framework organizes requirements around five areas: governance structures, effective data management, risk and bias reduction, monitoring and validation of safety and performance, and transparency plus staff training. Healthcare organizations do not need to be Joint Commission-accredited already to apply for RUAIH.

The timing aligns with broader industry activity. In 2025, Joint Commission worked with the Coalition for Health AI to convene more than 20 stakeholders. This week, CHAI released eight detailed governance playbooks developed by 150+ health AI leaders, covering AI policy, organizational structures, resource allocation, lifecycle management, risk assessment, data governance, third-party vendor management, and training.

According to Baptist Health's chief digital information officer Aaron Miri, the certification "has been long-awaited by our organization and many others across the industry as AI tools become increasingly embedded in our clinical, operational, administrative, and care-support workflows."

Governance audits are not safety guarantees

The certification addresses real vulnerabilities in healthcare AI deployment. Healthcare organizations cite privacy and security risks, data inaccuracies, and lack of transparency in AI decision-making as ongoing challenges. With over 80% of physicians already using AI in professional settings (per Joint Commission), the absence of deployment standards has created regulatory and patient safety exposure.

What RUAIH does not do is validate that certified organizations are actually using AI correctly. The program audits whether governance exists, monitoring occurs, and training happens. It does not measure clinical outcomes, catch hallucinations in patient notes, or verify that bias-reduction controls actually work in practice. A hospital can be certified and still deploy a diagnostic model trained on biased data, provided it documents its risk assessment process.

This matters because Joint Commission accreditation carries weight in healthcare. Patients, regulators, and liability insurers treat the stamp as evidence of safety. RUAIH certification will likely acquire the same halo, even though it certifies intent and process, not results. The playbooks themselves acknowledge this gap: they are "intended to be interpreted within the specific context of each organization," which is another way of saying there is no enforceable standard.

What healthcare IT teams should do now

Healthcare CISOs and clinical informatics teams should inventory existing AI deployments and map them against the five RUAIH pillars before pursuing certification. Governance is the easiest to retrofit; data provenance and bias measurement are harder. Organizations running models without documented training data or third-party risk assessments will need engineering work before they can honestly claim certification.

Do not assume certification readiness. The playbooks are detailed (8 components, dozens of controls), but compliance is not binary. Start with the third-party management section if your organization sources AI tools from vendors. That is where liability exposure concentrates if a model fails in production.

Finally, separate the governance audit from the clinical validation work. Joint Commission will tell you whether you asked the right questions. It will not tell you whether your AI model is accurate for your patient population. You still need independent testing.