
Trust, Security Resilience: Governing AI in Healthcare with Confidence

  • Writer: Thibault Williams
  • Jun 11, 2025
  • 4 min read

Updated: Jun 16, 2025

How international standards and NHS principles shape the future of safe, accountable AI in health.


The potential for artificial intelligence (AI) to transform healthcare is no longer hypothetical. From fall prediction in elderly care to population-level disease modelling, AI systems are already shaping diagnoses, triage, and resource planning.


But as these systems begin to touch sensitive patient data and influence care pathways, they raise an urgent question: How do we ensure these technologies are not just effective - but safe, compliant, and trustworthy?



At TMW Resilience, we believe the answer lies in operationalising three foundational principles:


  • Secure by design

  • Compliant by design

  • Resilient by design


And the best way to do that? Structured adherence to standards - not just as paperwork, but as living systems.


What is “Reasonable AI” in Healthcare?


The NHS recently released its updated AI Code of Conduct for health and care technologies. This guidance lays out ten principles for developers, suppliers, and implementers of AI in healthcare.


It emphasises:


  • Transparency and explainability

  • Safety, efficacy, and data protection

  • Robust evidence and stakeholder involvement

  • Bias mitigation and equality of access


Crucially, the Code is not a checklist - it’s a values-led framework. It asks not only what an AI system does, but how it was built, who it impacts, and whether it can be trusted in high-stakes environments.


That’s why at TMW Resilience, we champion the idea of “Reasonable AI” - AI that is not just high-performing, but accountable, auditable, and adaptive. And to achieve that, we use two powerful international standards:


ISO/IEC 42001: The first management system standard for artificial intelligence

ISO/IEC 27001: The global benchmark for information security


Published in December 2023, ISO/IEC 42001 is the world’s first AI-specific management system standard. It provides a framework for:

  • Defining AI policies, roles, and responsibilities

  • Managing AI-specific risks (like model drift or unexplainable outputs)

  • Embedding controls across data use, model training, testing, deployment, and ongoing monitoring

  • Ensuring traceability, transparency, and ethical alignment

ISO 42001 turns good intentions into operational controls.


Key Components Aligned to Healthcare


Area - How ISO 42001 Applies in Health

  • Context of Use - Models must be evaluated based on how and where they’re deployed (e.g. clinical triage vs. population screening)

  • Human Oversight - Defines clear accountability models between developers, clinical teams, and governance boards

  • Ethics & Risk - Formalises ethical impact assessments and risk mitigation planning

  • Model Management - Enforces documentation of model training, updates, performance testing, and validation

When aligned with NHS AI Code principles, 42001 enables the development of AI that is explainable, safe, and suited to public service delivery.


ISO/IEC 27001: Securing the Foundation


AI governance doesn’t stop at the model - it must also protect the data infrastructure around it. That’s where ISO/IEC 27001 comes in.


This standard sets out how to build and operate an Information Security Management System (ISMS). It ensures that sensitive health data is:


  • Stored securely

  • Accessed only by authorised parties

  • Handled in line with GDPR and the UK Data Protection Act

  • Monitored for breaches, misuse, and unauthorised processing


TMW Resilience implements ISO/IEC 27001 controls alongside 42001 - ensuring that AI governance and data protection are fully integrated.


From Principles to Practice: The Three Pillars of Reasonable AI


The Three Pillars of Reasonable AI - secure by design, compliant by design, resilient by design

Here’s how these standards enable our secure, compliant, and resilient approach.


Secure by Design


Security isn’t a bolt-on - it’s a baseline. In healthcare, this means safeguarding not just systems, but lives.

  • We implement data classification and minimisation from the start - collecting only what’s needed for the defined AI task

  • Access is controlled via role-based permissions, and every access event is logged

  • AI outputs are stored and transmitted with end-to-end encryption, aligned with NHS Digital standards

  • Our systems undergo regular penetration testing and threat modelling, built into ISO 27001 protocols


Outcome: Stakeholders can trust that AI does not expose patients to new vectors of digital harm.


Compliant by Design


True compliance goes beyond the law - it reflects respect for people and their rights.


  • We implement Data Protection Impact Assessments (DPIAs) for all AI applications, in line with UK GDPR

  • All models are explainable by design - with mechanisms to support patient-facing explanations and clinical review.

  • We document training data lineage, including source, purpose, and validation

  • Our clients receive full audit trails and conformance mapping to NHS AI Code, ISO 42001, and ICO guidance


Outcome: AI systems don’t just comply with policy - they earn legitimacy with regulators, clinicians, and the public.


Resilient by Design


Healthcare is dynamic. AI must be resilient to change, uncertainty, and evolving risks.

  • Our governance systems support model drift monitoring, triggering revalidation if performance degrades

  • We maintain version control and rollback mechanisms for AI models and data sets

  • Regular retraining schedules are documented and linked to risk thresholds

  • Governance is continuous, not one-time - each project has assigned roles for AI ownership and escalation


Outcome: AI remains functional, ethical, and safe - even as data shifts, regulations evolve, or deployment environments change.


Why NHS and Public-Sector Stakeholders Should Care


Healthcare AI can’t afford to move fast and break things. What it needs is:


  • Rigorous oversight

  • Real-world responsibility

  • Sustainable scalability


Whether it’s working with local authorities on predictive fall prevention, or supporting regional data infrastructure to power preventative health outreach, TMW Resilience brings a proven model to the table - combining global standards with sector-specific nuance.


AI in Healthcare is a Governance Challenge First


If we want AI to improve health outcomes, reduce inequality, and support overstretched services, we have to do the hard governance work now.


TMW Resilience is ready.


With certified lead implementers in ISO/IEC 42001 and deep experience in ISO/IEC 27001, we help health and care organisations govern AI with the rigour it demands - and the public deserves.


Let’s build Reasonable AI. Together.


Want to see how this works in practice? Let’s talk.
