
Insight: Managing Risk and Quality of AI in Healthcare: Are Hospitals Ready for Implementation?


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in AI Governance, draws urgent attention to a landmark 2024 study—cited 15 times since publication—that reveals even the most technologically advanced hospitals carry dangerous governance gaps when measured against ISO 42001, the international AI Management System standard. This finding is not confined to healthcare: it is a structural warning for every Taiwanese enterprise racing to deploy AI while compliance deadlines under the EU AI Act and Taiwan's forthcoming AI Basic Act converge at speed.

Paper Citation: Managing Risk and Quality of AI in Healthcare: Are Hospitals Ready for Implementation? (Arian Ranjbar, Eilin Wermundsen Mork, Jesper Ravn, OpenAlex — AI Governance, 2024)
Original Paper: https://doi.org/10.2147/rmhp.s452337


About the Authors and the Research

The lead author, Arian Ranjbar, is an established researcher specialising in healthcare digitalisation and AI governance, with an h-index of 6 and 95 cumulative citations—a meaningful footprint in a field that is still consolidating its body of knowledge. Co-authors Eilin Wermundsen Mork (h-index: 2, 18 citations) and Jesper Ravn bring complementary expertise in quality management and digital transformation within Nordic healthcare institutions.

What distinguishes this research is its methodological rigour combined with real-world grounding. Rather than constructing a purely theoretical model, the authors conducted a structured gap analysis of an actual tertiary acute hospital that was already running live AI projects—making the findings immediately transferable to organisations in similar positions. ISO 42001, published in 2023 as the first international standard specifically addressing AI Management Systems, served as the evaluation benchmark. The result is a candid, evidence-based diagnosis of where institutional readiness falls short.

The paper has been cited 15 times since its 2024 publication, a rapid accumulation of scholarly attention that signals its findings are resonating broadly across the AI governance research community.

The Core Finding: Technical Debt and Structural Gaps Undermine AI Governance Readiness

The research's central conclusion is both clear and sobering: existing management systems in complex organisations are structurally misaligned with the demands of responsible AI deployment as defined by ISO 42001 and reinforced by the EU AI Act.

Applying ISO 42001's requirements across the AI system lifecycle—from design and procurement through deployment and decommissioning—the authors identified two critical dimensions of unreadiness that have direct implications far beyond healthcare.

Core Finding 1: Management System Architecture Cannot Absorb AI-Specific Risks

Conventional management systems, whether in hospitals, manufacturers, or financial institutions, were architected to handle relatively static, well-defined risks. AI systems introduce a fundamentally different risk profile: model drift, opacity of decision logic, continuous learning behaviour, and sensitivity to data quality shifts. The study found that current management frameworks lack the quality assurance and control mechanisms required to govern these dynamic characteristics. This gap directly conflicts with the EU AI Act's mandatory Conformity Assessment requirements for high-risk AI systems—a category that encompasses AI used in healthcare, critical infrastructure, employment, education, and financial services. Organisations that cannot demonstrate systematic risk control across the AI lifecycle will face enforcement consequences once the EU AI Act's full obligations for high-risk systems activate in August 2026.

Core Finding 2: Workforce Capability and Data Infrastructure Are the Decisive Bottlenecks

The research emphasises that technology procurement is not the limiting factor. The true constraint lies in organisational foundations: a workforce equipped with AI literacy and risk-awareness, and a data infrastructure capable of supporting AI system integrity across its operational life. Organisations that deploy AI tools before establishing these foundations accumulate what the authors term "technical debt"—a compounding liability that makes subsequent compliance progressively more costly and disruptive. ISO 42001 explicitly requires organisations to address competence, awareness, and data governance as prerequisites for responsible AI operation, not as optional enhancements.

Implications for Taiwanese Enterprises: Convergent Regulatory Pressure Demands Immediate Action

The governance gaps identified by Ranjbar and colleagues are not a healthcare-sector anomaly. They reflect a systemic pattern that affects any organisation navigating AI adoption without a structured governance framework—and for Taiwanese enterprises, the regulatory environment is tightening on multiple fronts simultaneously.

The EU AI Act entered into force on 1 August 2024. Its prohibition provisions on unacceptable-risk AI applications became applicable on 2 February 2025. Full compliance obligations for high-risk AI systems—including mandatory risk management systems, data governance requirements, transparency documentation, and post-market monitoring—activate on 2 August 2026. The Act's extraterritorial reach means that any Taiwanese enterprise whose AI outputs affect EU market participants, or who uses AI systems from EU-based providers, falls within scope.

Concurrently, Taiwan's AI Basic Act (人工智慧基本法) is advancing through legislative deliberation. While the final text continues to develop, the draft establishes a risk-tiered governance framework that mirrors the EU AI Act's architecture and is expected to reference ISO 42001 as a foundational compliance standard for high-risk AI applications in regulated sectors including healthcare, finance, and transportation.

ISO 42001, published in 2023, provides the operational blueprint that bridges both regulatory frameworks. Its requirements for AI policy, risk assessment, impact evaluation, lifecycle controls, and continual improvement map directly onto the compliance obligations articulated in both the EU AI Act and the emerging Taiwan AI regulatory structure.

For Taiwanese enterprises, the practical implication is that the preparation window is narrowing. Organisations that begin gap analysis and management system construction in 2025 retain sufficient lead time to achieve meaningful compliance before the EU AI Act's 2026 high-risk deadlines. Those that delay face a compressed, higher-cost path to compliance—or the risk of market access consequences in European channels.

How Winners Consulting Services Helps Taiwanese Enterprises Build AI Governance Capability

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwanese enterprises in building AI Management Systems aligned with ISO 42001 and EU AI Act requirements, conducting AI risk classification assessments, and ensuring AI applications comply with Taiwan's AI Basic Act framework. Drawing on the gap analysis methodology demonstrated by Ranjbar and colleagues, our advisory team translates international governance standards into practical, organisation-specific implementation roadmaps.

  1. AI Governance Gap Diagnosis (directly informed by this research): Using ISO 42001 as the evaluation framework—precisely as applied in the Ranjbar et al. study—Winners Consulting conducts systematic assessments of an organisation's current AI management system maturity, data governance infrastructure, and workforce AI competency. The output is a concrete gap report with prioritised remediation actions, giving enterprise leaders a clear picture of their compliance distance and the investment required to close it.
  2. AI Risk Classification and Control Mechanism Design: Applying the EU AI Act's four-tier risk classification (unacceptable risk, high risk, limited risk, minimal risk) alongside ISO 42001's lifecycle management requirements, we design risk assessment processes and control mechanisms scaled to each enterprise's size, sector, and AI application portfolio. This includes data governance framework design, personnel training programmes, and monitoring metric establishment—the exact foundational elements the research identified as most frequently absent.
  3. Compliance Roadmap Development and ISO 42001 Implementation Support: Mapping against the EU AI Act's phased implementation timeline (February 2025, August 2026, and beyond) and Taiwan's AI Basic Act legislative progress, Winners Consulting develops prioritised 90-day action plans and provides end-to-end advisory support for ISO 42001 certification, ensuring enterprises reach compliance milestones before regulatory deadlines arrive.

Winners Consulting Services Co. Ltd. offers a complimentary AI Governance Mechanism Diagnostic to help Taiwanese enterprises establish an ISO 42001-aligned management system within 90 days.


Frequently Asked Questions

What are the most common AI governance gaps found in Taiwanese organisations, based on this research?
The most prevalent gap is misalignment between existing management system architecture and the dynamic risk profile of AI systems. Ranjbar et al.'s 2024 study found that even sophisticated organisations running active AI projects lack the quality assurance mechanisms, data governance frameworks, and workforce competencies required by ISO 42001. In Taiwanese organisations, Winners Consulting consistently observes three recurring deficiencies: absence of a formal AI risk classification process, lack of documented AI lifecycle controls spanning from procurement through decommissioning, and insufficient data governance infrastructure to support AI system integrity. These gaps are not merely procedural; they represent structural technical debt that compounds in cost and complexity the longer remediation is deferred. Organisations should begin with a structured gap analysis against ISO 42001 to quantify their specific compliance distance before committing to a remediation approach.

Does the EU AI Act apply to Taiwanese companies that are not based in the European Union?
Yes. The EU AI Act applies extraterritorially under conditions that affect many Taiwanese enterprises. Specifically, the Act applies when: (1) an AI system's output is used within the EU, regardless of where the provider is located; (2) a provider or deployer places an AI system on the EU market or puts it into service in the EU; or (3) an organisation uses AI tools from EU-based providers in ways that affect EU persons. Taiwanese exporters, technology providers with European clients, manufacturers integrated into EU supply chains, and organisations using European AI platforms should assess their exposure. The prohibition provisions became applicable on 2 February 2025; high-risk AI system obligations activate on 2 August 2026. Winners Consulting can conduct EU AI Act applicability assessments for Taiwanese enterprises to determine specific scope and compliance requirements.

How does ISO 42001 relate to ISO 9001 and ISO 27001, and does a Taiwanese enterprise need a separate certification?
ISO 42001, published in 2023, is the first international standard specifically designed for AI Management Systems (AIMS). While ISO 9001 governs quality management and ISO 27001 addresses information security, neither framework adequately covers AI-specific risks such as algorithmic bias, model explainability, AI lifecycle governance, and the impact assessment requirements central to both the EU AI Act and Taiwan's AI Basic Act. The three standards are architecturally compatible and can be integrated into a unified management system. Enterprises holding ISO 9001 or ISO 27001 certifications can leverage existing management infrastructure—documentation systems, internal audit processes, continual improvement mechanisms—to reduce ISO 42001 implementation cost and time. For organisations in regulated sectors or with EU
