
FDA Clearance Does Not Clear Providers from AI Liability

  • john88742
  • Mar 18

By Charlotte Kalafut, CEO & Co-Founder, and John F. Kalafut, PhD, CTO & Co-Founder  ·  Asher Informatics 


 A dangerous assumption has taken root across American healthcare: that FDA clearance covers everything. It doesn’t, and emerging law is codifying exactly who is responsible. 


1. What FDA Clearance Actually Means 

More than 96% of AI medical devices reach market through the FDA’s 510(k) pathway. Under this process, manufacturers demonstrate “substantial equivalence” to a predicate device. This earns permission to market, not a validation of clinical benefit. The Bipartisan Policy Center confirmed in 2025 that clearance only means the device meets safety and effectiveness standards relative to a predicate. That is a critical nuance many healthcare leaders overlook when making procurement and deployment decisions. 


A 2025 JAMA Health Forum study of 691 cleared AI/ML devices found the underlying evidence base is far thinner than most leaders assume. A companion systematic review of 717 radiology AI devices found that just 5% underwent prospective testing and only 8% included a human-in-the-loop evaluation. 

 

  • 46.7% of FDA decision summaries omit study design
  • 95.5% omit demographic information entirely
  • <2% cite a randomized clinical trial

 

Key Insight 

FDA clearance tells you a product met a pre-market standard for marketing authorization. It tells you nothing about how that product will perform in your specific patient population, with your infrastructure, and over time as clinical data evolves. 

 

2. The 91% Problem: AI Models Degrade After Deployment 

A landmark study in Scientific Reports, from researchers at MIT, Harvard, Cambridge, and the University of Monterrey, tested 128 model-dataset pairs across healthcare, finance, transportation, and weather. The finding was unambiguous: 91% experienced temporal quality degradation after deployment. 


Three degradation patterns are most relevant to clinical AI. The first is gradual erosion, where model accuracy declines steadily even when data distributions appear stable — producing no single event to trigger an investigation. The second is abrupt collapse: models perform acceptably for months and then fail suddenly, without warning. The third is widening variance, where median error stays acceptable while worst-case predictions deteriorate, masking the underlying problem behind average performance metrics. 
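The three patterns above can be told apart by tracking the tail of the error distribution alongside the median. The following is an added example, not code from the cited studies or from Asher Informatics; the thresholds, function names and sample windows are constructed assumptions.

```python
from statistics import median

def p95(errors):
    """Nearest-rank 95th percentile of one window's absolute errors."""
    ordered = sorted(errors)
    return ordered[(95 * len(ordered) + 99) // 100 - 1]

def median_only_alert(windows, drift=1.25):
    """Naive monitor: alert only if the latest median exceeds baseline * drift."""
    return median(windows[-1]) >= drift * median(windows[0])

def classify_degradation(windows, jump=2.0, drift=1.25, tail_growth=1.5):
    """Label a series of per-period error windows with one degradation pattern.
    Thresholds are illustrative assumptions, not values from the cited studies."""
    medians = [median(w) for w in windows]
    tails = [p95(w) for w in windows]
    # Abrupt collapse: median error jumps between two consecutive windows.
    if any(b >= jump * a for a, b in zip(medians, medians[1:])):
        return "abrupt collapse"
    # Gradual erosion: no single jump, but the median has crept past baseline.
    if medians[-1] >= drift * medians[0]:
        return "gradual erosion"
    # Widening variance: median holds while worst-case (p95) error grows.
    if tails[-1] >= tail_growth * tails[0]:
        return "widening variance"
    return "stable"

def make_window(body, tail):
    """Constructed window: 17 typical errors plus 3 worst-case errors."""
    return [body] * 17 + [tail] * 3

# Constructed sample data: six monitoring periods per scenario.
SCENARIOS = {
    "stable":   [make_window(0.10, 0.30) for _ in range(6)],
    "gradual":  [make_window(b, 0.30) for b in (0.10, 0.11, 0.12, 0.13, 0.14, 0.15)],
    "abrupt":   [make_window(b, 0.30) for b in (0.10, 0.10, 0.10, 0.10, 0.30, 0.30)],
    "widening": [make_window(0.10, t) for t in (0.30, 0.35, 0.40, 0.50, 0.60, 0.70)],
}

if __name__ == "__main__":
    for name, windows in SCENARIOS.items():
        print(name, classify_degradation(windows), median_only_alert(windows))
```

In the constructed "widening" scenario the median-only monitor never alerts, while the tail check does.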


A 2025 JAMA Network Open study of 143,049 patients across seven hospitals confirmed these risks in practice. Changes in patient demographics, hospital types, admission sources, and laboratory assays substantially degraded clinical AI performance — particularly during the COVID-19 pandemic. The study found that proactive monitoring and continual learning were essential to maintaining safe and equitable deployment. 


The implication is direct: an AI model validated at the time of FDA clearance is statistically likely to degrade in your environment after deployment. Without continuous monitoring, you will not know when or how severely that degradation is affecting patient care. 


3. The Colorado AI Act: Deployers Are Liable 

The Colorado Artificial Intelligence Act (SB 24-205), signed May 17, 2024, is the most comprehensive state AI law in the United States and the template other states are actively reviewing. Full enforcement begins June 30, 2026. 


The Act explicitly designates healthcare as a domain where AI makes “consequential decisions.” Any AI involved in triage, diagnostics, treatment recommendations, or care access decisions is automatically classified as high-risk, with no exemption for FDA clearance and no size threshold. The Act applies to any entity doing business in Colorado, including telehealth providers and multi-state systems serving Colorado patients, even without a physical presence in the state. Violations are treated as deceptive trade practices, carrying penalties of up to $20,000 per violation enforced by the Colorado Attorney General. 


The Act draws a critical distinction between developers (those who build or substantially modify AI systems) and deployers (those who use purchased or internally developed high-risk AI). Most healthcare organizations are deployers. Those that also build their own tools occupy both roles simultaneously, triggering the full obligation set for each. 


Deployer obligations include: a formal risk management program; impact assessments before deployment and annually thereafter; patient notification when AI is a substantial factor in a consequential care decision; correction and appeal rights for patients; AG notification within 90 days of any discovered algorithmic discrimination; and a public transparency statement on the organization’s website. 

Critical Point 

Even purchasing FDA-cleared AI from a vendor does not transfer your compliance burden. You, the deployer, must conduct your own impact assessment. Standard vendor contracts rarely include the required governance clauses. Negotiate them before June 30, 2026. 

 

4. FDA Clearance vs. the Colorado AI Act 

These two frameworks address fundamentally different risk domains. They are complementary, not substitutes. An AI tool can carry FDA 510(k) clearance while simultaneously violating the Colorado AI Act if the deploying organization has not conducted impact assessments, implemented a risk management program, or monitored for algorithmic bias. 

 

FDA 510(k) Clearance | Colorado AI Act — Deployer Obligations
Marketing authorization only | Consumer protection from algorithmic discrimination
Substantial equivalence to predicate device | Ongoing equity in consequential decisions
Liability rests with manufacturer | Liability rests with the deployer — you
Bias assessment not required; 95.5% of devices omit demographic data | Impact assessment for discrimination risk required before deployment
Post-market monitoring is manufacturer’s responsibility | Deployer must monitor and annually review every high-risk AI system
No patient notification requirement | Notification required before AI-influenced care decisions
Performance drift not addressed | Deployer responsible for detecting and remedying drift
FDA warning letters and recalls | AG enforcement: up to $20,000 per violation

 

5. What to Do Now 

Healthcare organizations that rely solely on vendor FDA clearance status as evidence of AI governance are exposed across every dimension: clinical safety, performance stability, bias and equity, legal liability, and regulatory compliance. The path forward requires building institutional capabilities that extend well beyond procurement. 

 

1. Align with NIST AI RMF 1.0. This is both best practice and the foundation for the affirmative defense under the Colorado AI Act.

2. Inventory all deployed AI and conduct impact assessments for each — evaluating discrimination risk, data processed, outputs, and known limitations.

3. Implement continuous performance monitoring for model drift and equity concerns. Given the 91% degradation rate, post-deployment monitoring is not optional.

4. Negotiate vendor transparency into contracts: model summaries, dataset descriptions, known limitations, performance evaluations.

5. Build adaptable governance infrastructure. NIST AI RMF and ISO 42001 provide the most durable multi-jurisdictional foundation as state laws multiply.

 


Bottom Line 

On June 30, 2026, your FDA-cleared AI tools will still need a separate, documented governance program. FDA clearance tells you the product can be marketed. Colorado tells you that you, as the deployer, must govern it. If you have not built that program, you are exposed to enforcement actions that FDA clearance cannot shield you from. 

 

— 


This white paper details how FDA clearance gives healthcare organizations permission to market an AI tool, not permission to stop governing it, and argues that it is dangerous to assume that these are the same thing. This assumption is potentially exposing hospitals to patient safety failures, model degradation, and real legal liability under emerging state laws.





PDF  ·  Asher Informatics, March 2026


Asher Informatics PBC is a Public Benefit Corporation focused on healthcare AI governance and oversight solutions. Its platform, the AshMatics AI Governance Studio, provides tools to govern the full lifecycle of health AI from policy creation and vendor evaluation through monitoring and regulatory compliance. Learn more at asherinformatics.com. 

 
 
 
