When the Patient Brings the Algorithm

A patient arrives and says, "An AI tool reviewed my labs and told me something is wrong." No clinician ordered it. The health system never validated it. Governance has never reviewed it. But it is now in the room. THE BOUNDARY THAT NO LONGER HOLDS Healthcare governance has always assumed a boundary. Inside the organization: governed systems. Outside: patient opinions. AI collapses that distinction. Patients now bring algorithmic interpretations, summaries, and risk assessments generated by systems clinicians did not choose and organizations cannot audit. Clinical authority is being challenged by tools that exist entirely outside institutional control. THE LIABILITY CONCENTRATION POINT Agreement with a patient-generated AI interpretation creates responsibility. Disagreement creates discoverable clinical judgment. "The patient brought it" does not absolve duty of care. Clinicians are being asked to respond to systems they cannot inspect, validate, or explain. Risk concentrates at the bedside without institutional support. THE NUMBERS BEHIND THE RISK Uncontrolled AI use is already widespread. A January 2026 Wolters Kluwer survey of more than 500 healthcare professionals found: 40% were aware of colleagues using unapproved AI tools. Nearly 20% reported personal use of unapproved AI. 10% had used an unapproved AI tool for direct patient care. 51% of administrators cited faster workflows as the reason. Only 29% of providers were aware of their organization's AI policies. UpGuard reported in November 2025 that 81% of employees and 88% of security leaders use unapproved AI tools. Senior leadership was 50% more likely to use shadow AI than other employees. IBM's 2025 Cost of a Data Breach report identified shadow AI as a factor in 20% of data breaches, adding an average of $670,000 per incident. These figures measure employee behavior. Patient-generated AI is not included. WHAT LEADERS NEED TO DO NOW Ignoring patient-generated AI does not reduce exposure. The liability shifts to clinicians. Assign ownership for patient-generated AI. Someone must be responsible for how clinicians engage with AI outputs patients bring. Provide documentation guidance. Improvised note language increases legal risk. Consistent, defensible phrasing protects both clinician and organization. Design for disagreement. When AI outputs conflict with clinical judgment, the documentation needs language that holds up. "I disagree with the AI" is not a strategy. Train for the conversation. Patients will arrive with AI outputs. The response cannot dismiss, validate, or absorb liability the clinician cannot manage. Slow down escalation. Speed without governance concentrates liability where protection is weakest. Right now, the clinician is the only one in the room accountable for a system nobody in the organization approved.