Artificial intelligence (AI)-enabled applications are increasingly used in health care, including for financial, administrative, and clinical purposes. They hold the promise of increased efficiency, improved quality of care, and better health outcomes, while simultaneously challenging regulators, clinicians, payers, and legislators with their safe deployment. The U.S. Food and Drug Administration (FDA) regulates a subset of AI-enabled health care applications as medical devices, and it is balancing regulation of these rapidly advancing, novel tools with access to low-risk products. Over the past several years, the agency has taken a number of steps to support device manufacturers developing these products.
FDA regulates the safety and effectiveness of medical devices, including those with device software functions (DSFs). DSFs include both software as a medical device (SaMD) and software integral to a traditional hardware device (software in a medical device, SiMD). SaMD is defined as "software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device." An AI-enabled device is generally defined in nonbinding guidance by FDA as a device that includes one or more AI-enabled DSFs (AI-DSF), but FDA also uses the terms interchangeably.
FDA has authority only over software functions that meet the definition of "device" in the Federal Food, Drug, and Cosmetic Act (FFDCA). The 21st Century Cures Act (Cures Act, P.L. 114-255) clarified the scope of software functions that meet the definition of device. Specifically, the Cures Act excluded from the device definition those software functions intended (1) "for administrative support of a health care facility"; (2) "for maintaining or encouraging a healthy lifestyle … unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease"; (3) "to serve as electronic patient records"; and (4) "for transferring, storing, converting formats, or displaying" certain data and results. The law also excluded clinical decision support (CDS) software that meets specific criteria (e.g., is for the purpose of displaying medical information about a patient; providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease; and enabling a professional to independently review the basis for the recommendations).
Determining whether a software function meets the definition of a device, and is thus regulated by FDA, can be a challenge for the developer. FDA has published guidance clarifying products that meet the device definition and addressing enforcement discretion policies for various types of DSFs (e.g., mobile medical applications). FDA has also developed resources to aid with determining if a given software function is a DSF, and if so, whether it is the focus of FDA oversight.
FDA maintains a list of AI-enabled devices, based on publicly available information, that have received marketing authorization beginning with the first such device in 1995. FDA reports that approximately 1,450 such devices have been authorized for marketing, with the majority in the fields of radiology, cardiology, and neurology. Most of these devices were cleared for marketing through the 510(k) premarket notification pathway for moderate risk devices, which requires a determination that the device is "substantially equivalent" to a legally marketed device in terms of intended use, technological characteristics, and performance testing.
To date, the agency does not appear to have authorized for marketing any generative AI (genAI)-enabled device. However, in March 2026, FDA gave breakthrough designation to a patient-facing clinical genAI application developed by RecovryAI. FDA has considered issues around the regulation of genAI devices in two meetings of its Digital Health Advisory Committee.
AI-enabled devices, which are often SaMD, are regulated as FDA regulates other devices. That is, these devices are subject to a risk-based regulatory scheme, with devices designated as Class I (low risk), Class II (moderate risk), and Class III (high risk). Regulatory control is based largely on a device's classification. All devices are subject to general controls, including adverse event reporting, establishment registration and device listing, and the Quality Management System Regulation (QMSR, or current good manufacturing practices for devices), among others. Premarket review requirements vary based on a device's class.
To date, AI-enabled devices have been most often classified as Class II—moderate risk—and therefore are generally subject to premarket review through 510(k) notification. These devices may also come to market through a de novo classification request if the device is low or moderate risk and novel. In certain cases, these devices may be Class III, and would be subject to premarket approval (PMA) prior to marketing, requiring the development of clinical evidence to support their approval.
Unlike most traditional hardware devices, AI-enabled devices are expected to change over their lifecycle. The FDA's device regulatory scheme is based on evaluating a device at a point in time, with the expectation that it will remain largely unchanged during its use. In cases where changes to devices are needed postmarket, FDA generally requires follow-on regulatory submissions, such as a PMA supplement or a new 510(k).
To help to address this, in 2019, FDA published a proposed regulatory framework for AI/ML-enabled SaMD, introducing the concept of a predetermined change control plan (PCCP) to describe planned changes to a device over its implementation. FDA defines a PCCP as "the documentation describing what modifications will be made to a device and how the modifications will be assessed." In 2022, a provision authorizing inclusion of a PCCP in premarket submissions was included in the Food and Drug Omnibus Reform Act of 2022 (FDORA, P.L. 117-328, Division FF, Title III).
Predetermined Change Control Plans (PCCPs). Pursuant to the authority granted in FDORA, the FFDCA authorizes the use of PCCPs in certain premarket submissions for devices where relevant, including AI-enabled devices. A PCCP allows manufacturers to not have to submit a new premarket submission for certain planned changes to a device postmarket. For example, changes to an approved device (with a PMA) generally require a PMA supplement. However, a supplement is not required for a change to an approved device that is consistent with a PCCP if the device remains safe and effective. A PCCP includes labeling or certain notification requirements for changes, as well as performance requirements for changes under the plan. In August 2025, FDA published final guidance outlining nonbinding recommendations for information to include in a PCCP as part of certain premarket submissions specifically for AI-enabled devices.
Cybersecurity requirements. Cybersecurity concerns will be relevant for many AI-enabled devices. Traditionally, FDA addressed device cybersecurity through its existing authorities (i.e., Quality Management System Regulation, 21 C.F.R. Part 820) and guidance on both premarket and postmarket device cybersecurity. In 2022, Congress established requirements for premarket submissions for cyber devices (Consolidated Appropriations Act, 2023; P.L. 117-328). Many AI-enabled devices will meet the definition of cyber device, which is defined as a device that "(1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains … technological characteristics validated, installed, or authorized … that could be vulnerable to the cybersecurity threats." Device sponsors must, among other things, "design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure" and include in their premarket submissions "a plan to monitor, identify, and address … in a reasonable time, postmarket cybersecurity vulnerabilities" (FFDCA §524B). In February 2026, FDA issued final guidance on device cybersecurity generally that in part addresses these statutory requirements for cyber devices.
AI-enabled devices represent a rapidly advancing and relatively novel class of products with a wide range of intended uses, software functionalities, and risks to users, posing unique challenges for the oversight of such devices. Currently, as noted, these products are regulated as medical devices under the FFDCA. Most recently, FDA has adopted a somewhat deregulatory approach in certain cases through, for example, updates to its general wellness product and CDS software guidance documents. There is debate about how regulation or oversight should proceed, however, and uncertainty around regulation of AI, and especially genAI, devices may affect consumer confidence and developer innovation. Some stakeholders are calling for additional regulatory authorities, while others maintain that current authorities are adequate. In addition, there is discussion around specific considerations for regulation of genAI devices.
Some stakeholders maintain that the current device regulatory authorities are not a good fit for AI-enabled devices, and that new authorities may be needed. A 2024 GAO report recommended that FDA broadly "identify and document the specific changes to its statutory authorities that would enable FDA to take the actions it determines best to oversee AI/ML-enabled devices, and then communicate these potential legislative changes to Congress."
Others have called specifically for new approaches to monitoring the postmarket performance of AI devices. Congress required FDA to, within 90 days of passage of the FY2026 appropriations for the agency, "conduct an assessment of its existing authorities and provide to Congress a report that identifies, if any, changes to its statutory authorities necessary for the FDA to conduct oversight of post-deployment performance and patient safety monitoring" of AI/ML-enabled devices. In September 2025, FDA published a request for public comment (comments were due December 2025) requesting information "on best practices, methodologies, and approaches for measuring and evaluating real-world performance of AI-enabled medical devices."
Still others maintain that no new authorities are needed at this time. The existing device authorities have options for flexibility; for example, a mechanism exists to request exemption of Class II device types from the premarket notification requirement, a flexibility that had been under consideration for application to several types of AI radiology devices.
GenAI devices raise unique regulatory issues, highlighted by devices with chatbot interfaces. They may perform differently across environments, generate false content ("hallucinate"), or be developed using opaque datasets. Some have suggested an entirely new framework may be needed for genAI devices, for example, regulating them as a form of intelligence more akin to a health care provider rather than a device, or that agencies in addition to FDA should have a role in their oversight.