From Code to Conscience: An Ethical Framework for Healthcare AI
By Ed Magee, Chair of NACD Nashville and Jeffrey Saviano, AI Ethics Leader, Harvard University Edmond & Lily Safra Center for Ethics
Beyond Compliance: The Board’s Ethical Imperative
At the 2025 NACD Nashville “AI Governance in the Healthcare Sector” event, hosted at Vanderbilt University’s Owen Graduate School of Management, we explored a profound question that should concern every healthcare board director: How do we ensure AI not only transforms healthcare, but does so equitably and ethically? This is not a hypothetical challenge; AI is already shaping clinical decisions, patient interactions and workforce management, making ethical oversight not optional but a core responsibility of every healthcare board.
As Vilas Dhar, President of the Patrick J. McGovern Foundation, framed it, “The tools we build today will shape the dignity, safety and opportunity of future generations.” For board directors, this raises fundamental questions about oversight responsibilities that extend beyond mere legal compliance to ethical leadership.
The Legal Framework: What Courts Expect from Boards
Recent court decisions have significantly expanded board oversight responsibilities for mission-critical risks, particularly those tied to emerging technologies like AI. In Marchand v. Barnhill (2019), the Delaware Supreme Court held that boards must actively implement and deploy monitoring systems for what the court defined as ‘mission critical’ risks central to a company’s business model, establishing that Caremark duties apply most rigorously where oversight failures could threaten enterprise viability.
The Boeing decision (2021) reinforced this standard, with the Delaware Court of Chancery finding that Boeing’s board failed to adequately oversee airplane safety, a function vital and mission critical to its core business. While Delaware law continues to prioritize shareholder interests, the ruling demonstrated that harm to other stakeholders can create substantial reputational, legal and financial exposure, making proactive oversight essential, not only for compliance but for safeguarding stakeholder trust. For healthcare boards, this reinforces that lapses in oversight, even when not directly tied to shareholder harm, can reverberate across patients, regulators and the public, eroding trust in ways that are difficult to repair.
For healthcare organizations, these precedents have particular significance. AI systems now influence safety-critical diagnostics, treatment recommendations and staffing decisions – all mission critical to healthcare delivery. Consequently, boards must recognize that their fiduciary duties now encompass the operational and ethical risks inherent in AI development and deployment across patient care, enterprise operations and workforce management.
Introducing the Boundaries of Tolerance (BoT) Framework: A Pyramid of Ethical Progression
To help boards navigate these challenges, Saviano presented a comprehensive AI governance framework rooted in ethics, developed through his research at Harvard’s Edmond & Lily Safra Center for Ethics. The Harvard research team continues to refine, and now pilot, this framework with leading organizations, ensuring its relevance to real-world governance challenges. We will address the most recent version of the framework in this reflection piece, shown here in Figure 1. For board directors, it serves as both a diagnostic tool and a roadmap for ethical progression.
Figure 1: Boundaries of Tolerance Framework
Non-Compliance
- Level 0 – Non-compliance: Failure to comply with laws applicable to AI, whether intentionally or due to lack of internal systems or processes
The Compliance Foundation (Must Do)
- Level 1 – Reactive Compliance: Responding to legal or regulatory prompts, but not proactively ensuring compliance
- Level 2 – Basic Compliance: Proactively fulfilling legal requirements for AI but doing no more than required
Conscious Capitalism (Should Do)
- Level 3 – Limited Ethical Actions: Going beyond legal mandates with selective ethical enhancements (e.g., bias mitigation)
- Level 4 – Proactive Ethical Integration: Deep integration of ethical principles throughout the enterprise
Ethical Stewardship (Could Do)
- Level 5 – Ethical Leadership and Advocacy: Leading industry standards and influencing external ethical and legal frameworks (actions that may not produce direct ROI for the enterprise but should benefit society at large if widely adopted)
Human Rights Banner
- A cross-cutting dimension ensuring fundamental human rights are considered at every level of the BoT framework
The BoT framework helps leaders assess their company’s ethical maturity in a structured manner, determine the company’s AI ethics aspirations and set concrete, achievable goals for establishing or enhancing ethical AI practices within the company through three key pillars:
- Enterprise ethics integration
- Ethical principles adoption
- Leading practices
The first two pillars enable a current-state diagnostic, a definition of a desired future state and a roadmap for closing the gap. They are designed to help boards and senior executive teams assess whether ethical imperatives are being operationalized across the business. The third pillar examines governance approaches that complement the assessment tools in the first two framework pillars.
The following is a summary of the framework pillars:
Pillar 1: Enterprise Ethics Integration – Five Critical Lenses
The framework evaluates ethical integration through five enterprise-level dimensions:
- Stakeholder Accountability – How the organization answers to all stakeholders, internal and external, on ethical issues
- Operational Integration – How ethics are embedded within business operations
- Balancing Ethics and Profit – How financial goals are weighted alongside ethical responsibilities
- Leadership Commitment – How committed leadership is to ethical principles
- External Collaboration – How the organization works with outside entities to advance shared ethical standards
Pillar 2: Ethical Principles Adoption
The second pillar focuses on how well ethical principles are embedded into technical and operational practices at the company. These principles move ethics from abstract commitments into tangible design and operational requirements that directors can oversee. The five sets of ethical principles embedded in this pillar are:
- Transparency & Explainability – Evaluates whether stakeholders, including internal decision-makers and external users, can understand how AI systems work and why specific outputs from the AI systems are generated
- System Reliability & Safety – Measures the consistency, robustness and performance of AI systems under real-world conditions
- Fairness & Inclusivity – Assesses whether the company has implemented processes to identify and mitigate bias in datasets, models and outcomes
- Data Privacy & Security – Examines how well the company protects individual data rights, anonymizes where appropriate and secures datasets against breaches and misuse
- Human Oversight & Accountability – Gauges whether appropriate human controls exist to oversee and, if needed, override AI decisions
Perhaps the most powerful aspect for healthcare boards is the framework’s concept of ‘boundaries of tolerance’, explicitly defining the ethical guardrails for an organization’s AI strategy. This is crucial when facing ethical dilemmas that are inevitable with AI adoption.
As Saviano explained, many organizations publish statements signifying their adoption of ethical AI principles but stop there. The framework helps boards and senior management teams move beyond vague principles to explicitly define their tolerance thresholds across each pillar of AI governance. This important step will prove critical when companies face ethical dilemmas that inevitably arise with AI implementation. By defining tolerance levels in advance, boards establish accountability thresholds that clarify when to intervene and how to balance innovation with patient safety.
Pillar 3: Leading Practices Relevant for Healthcare Boards
The BoT framework offers several leading practices which are recognized as effective at improving AI governance in business organizations. Here is a selection of the most relevant practical implementation strategies that healthcare boards should consider:
Board Committee Structures
Boards have several structural options for AI oversight: assigning responsibility to existing committees, forming dedicated technology or AI committees (or subcommittees), or creating ethics-founded advisory councils. Research reveals that 13% of S&P 500 companies now have technology committees at the board level, with some evidence suggesting correlation with stronger financial performance.
The Fractional AI Ethicist
This is a part-time expert role to advise boards or senior management on ethical AI practices within the enterprise. As Saviano noted,
“Most companies don’t need a full-time AI ethicist. But I’ve yet to meet an organization that wouldn’t achieve some benefits from accessing a professional with this expertise, an advisor who can translate complex AI risks into actionable governance decisions.”
Such fractional roles can also act as bridges between technical teams and directors, translating complex issues into strategic language.
Intel’s “Guard Band of Safety”
A proactive approach modeled after Intel’s antitrust prevention strategy offers a compelling framework for ethical AI governance. During the 1990s and early 2000s, Intel faced intense regulatory scrutiny over potential monopolistic practices. Rather than simply meeting minimum legal requirements, Intel developed what they referred to as a “Guard Band of Safety” strategy, where the company deliberately exceeded minimum legal standards to account for regulatory gray areas and anticipate future enforcement shifts, thereby reducing the risk of antitrust litigation and regulatory action. Intel’s practices included:
- Internal “raids” on executive offices to search for potentially damaging evidence of antitrust behaviors
- Mock executive depositions before the board to simulate a hostile interrogation by federal officials
- Creating a culture of vigilance around risks that are critically important to the organization
The Epic MyChart Case Study: Real Risks in Healthcare AI
Healthcare boards should pay particular attention to the cautionary case study of Epic’s MyChart system, which permitted health practitioners to select a system setting allowing AI-generated communications to patients. The research revealed:
- 7 out of 116 communications (approximately 6%) contained hallucinations
- Fewer than one-third of AI-generated drafts were edited by doctors or other healthcare providers
- 7% of the time, if followed, the AI advice risked severe patient harm
- Most hospital groups or other healthcare organizations failed to disclose that the patient communication was AI-generated, an omission that highlights why disclosure must be treated as a board-level issue.
This example underscores the urgent responsibility of boards to demand transparent disclosure and continuous oversight in all patient-facing AI systems.
The Nashville Healthcare Imperative
April Childs-Potter, President of the Nashville Health Care Council, offered a compelling perspective, delivering what many felt was a mission statement for the industry’s AI future. Her words captured the strategic dilemma faced by every healthcare board:
“The Silicon Valley disruption model doesn’t work in healthcare. It’s far too complex. Particularly for companies selling into health systems, buyers need to see not just the tech and what it solves—but how the change management process will be implemented.”
Five Key Actions for Healthcare Boards in the AI Age
Drawing from Saviano’s Boundaries of Tolerance framework, healthcare boards should:
- Engage the board and senior management – Apply the first two pillars of the BoT framework to more precisely articulate the ethical boundaries within their organization
- Embed ethics-based approaches within the enterprise – Augment existing governance structures and operations with ethical practices
- Move beyond principles – Operationalize key actions emanating from the ethical AI principles that are relevant to their organization
- Experiment with oversight mechanisms – Consider the fractional AI ethicist model, new board committee structures, cross-sector collaboration and other innovative governance approaches
- Build governance structures that anticipate future technologies – Create structures that are adaptable as AI and other emerging technologies continue to develop
The Need for “Prudent Vigilance”
As Brian Besanceney, Board Chair at Orlando Health, articulated, “Quarterly board cycles don’t match the tempo of AI.” This disconnect requires what Saviano calls “Prudent Vigilance” – the middle ground between advancing innovation despite inherent risks and halting innovation because of them. Prudent Vigilance means pursuing new opportunities while committing to continuous monitoring and risk mitigation, balancing the drive to innovate with the duty to safeguard patients and stakeholders. This approach enables innovation while ensuring risks are identified and addressed in real time.
The Epic MyChart case study powerfully illustrates why continuous monitoring is essential. What appeared to be a helpful efficiency tool revealed serious risks only through post-implementation analysis, suggesting that initial system design and training were important but insufficient safeguards. Most troubling, the lack of patient disclosure in many jurisdictions meant patients couldn’t make informed decisions about AI-generated medical advice that proved harmful 7% of the time.
The critical importance of continuous monitoring was emphasized by several healthcare directors at the event. As one board member noted, the Epic case study demonstrates that “as important as governance is and the establishment of an AI system, what’s even more important is continuous monitoring to determine how it’s really impacting patients in the real world.”
Conclusion: From Hype to Habit
The question isn’t whether AI will reshape healthcare; that’s already happening. The question is whether boards will have the wisdom and courage to ensure it positively reshapes healthcare for everyone.
When the history of healthcare’s AI transformation is written, how will directors be remembered? As those who pursued innovation at the expense of ethics, or as leaders who demanded systems that were as compassionate as they were clever? Will directors be remembered for prioritizing speed over governance, or for balancing bold innovation with robust ethical oversight and human judgement?
In healthcare, where what breaks might be trust, safety or lives, an ethical AI governance framework offers a path that honors both innovation and responsibility, a path every healthcare board should now consider.
----------------------
Ed Magee is the Chair of NACD Nashville. Jeffrey Saviano is the AI Ethics Leader at Harvard’s Edmond & Lily Safra Center for Ethics.
This reflection is based upon the April 2025 event, “AI Governance in the Healthcare Sector: Navigating the Disruption,” sponsored by EY and hosted by Owen Graduate School of Management at Vanderbilt University.