A clinician using a hardware device to check a patient's readings.

How generative AI is challenging a medical device regulation system built for hardware-era risks

— By Brett Marshall, Regulatory Affairs Lead, DPM.

Recent debate around the UK’s proposed Medical Device Regulation (MDR) amendments has exposed a much larger challenge facing healthcare regulators globally — existing medical device frameworks were not originally designed for modern generative AI systems.

The discussion has largely centred on how some therapeutic AI products could potentially fall into lower-risk classification pathways than diagnostic systems under the proposed drafting. While some online commentary has become dramatic, the underlying concern is entirely legitimate.

Historically, medical device frameworks evolved around physical hardware and deterministic software designed to deliver expected, repeatable, and predictable outputs. Classification rules focused heavily on whether a device diagnoses, monitors, or directly drives treatment. That binary made sense when software functioned in narrowly defined, predictable ways.

But generative AI fundamentally changes that dynamic. These systems are inherently probabilistic, fluid, and adaptive, meaning they do not fit neatly into traditional categories, and their behavioural outputs cannot be entirely predicted.

Generative AI flips the historic dynamic 

A therapeutic AI system may significantly influence patient outcomes without ever formally “diagnosing” a condition in regulatory terms. It may shape patient behaviour, affect escalation decisions, alter adherence to treatment, influence emotional wellbeing, or lead to delayed access to care. Increasingly, the clinical impact of AI systems lies not only in what they technically do, but in how humans interact with and trust them.

This is where existing classification logic begins to show strain.

There is a growing recognition across the sector that functional definitions alone may no longer adequately capture real-world clinical risk. But that does not automatically mean the proposed regulations are unsafe, nor does it mean Class I devices are “unregulated”, as some online commentary has implied. Even self-certified medical devices remain subject to significant legal and regulatory obligations, including clinical evaluation, post-market surveillance, vigilance reporting and MHRA enforcement requirements.

In practice, many healthcare organisations already expect governance standards that go well beyond minimum regulatory classification. NHS organisations, enterprise buyers, insurers, and investors look for evidence of robust clinical safety processes, cybersecurity controls, human oversight frameworks, validation evidence and continuous monitoring regardless of the formal device class.

We are entering a transitional phase where the most pressing clinical risks are behavioural and contextual, rather than purely functional. This reality forces several difficult regulatory questions.

Difficult regulatory questions

How should regulators assess systems that influence patient decision-making without explicitly diagnosing disease? 

At what point does conversational dependency become a clinical safety issue? 

Should the degree of autonomy or behavioural influence itself become a regulatory trigger?

These questions are not unique to the UK. Regulators worldwide are grappling with the same problem. The likely long-term direction is toward more dynamic models of AI assurance that consider lifecycle monitoring, autonomy, human oversight and real-world clinical influence alongside traditional functional classification.

This is one reason why international frameworks such as the International Medical Device Regulators Forum (IMDRF) software risk model continue to attract attention. They attempt to assess software risk not only by technical function, but by the significance of the information provided and the severity of the healthcare situation involved.

Whether the UK ultimately aligns more closely with those approaches remains to be seen. The current MDR proposals are still draft legislation and further clarification or refinement may yet emerge through consultation and implementation guidance.

It is clear, though, that AI regulation can no longer be treated purely as an administrative exercise. Classification should ultimately be a patient safety decision.

The central challenge for regulators is determining how much clinical trust, influence and autonomy a system holds, and how much of that is tolerable without further regulation. That is the question the next generation of AI governance frameworks will need to answer.
