HIMSS 2026: Healthcare AI Agents Are Here - Validation Is Not

Epic, Google, Oracle and Microsoft race to deploy autonomous AI agents in healthcare. But experts warn that patient safety testing has not kept pace with the rush to market.

At HIMSS 2026 in Las Vegas last week, every major health IT vendor unveiled AI agents. Epic announced three new agents and a platform for building more. Google Cloud showcased partnerships with Humana, CVS Health, and Quest Diagnostics. Oracle and Microsoft added their own autonomous assistants. The message from the conference floor was clear: the agentic era in healthcare has arrived.

What arrived with less fanfare: evidence that any of these systems have been adequately tested on patients.

The Agent Flood

More than 85% of Epic’s customers now use its AI capabilities, according to the company. The adoption has yielded measurable outcomes in clinical documentation, billing, and patient scheduling. But the ambition at HIMSS went far beyond documentation.

Epic announced Agent Factory, a no-code platform that lets health systems build and deploy their own AI agents using a visual builder. Organizations can customize agents with local policies and knowledge bases and deploy them on their own timeline. The system includes three persona-based agents already in production:

Art drafts medical documentation and clinical notes, working alongside physicians during patient encounters.

Penny handles revenue cycle operations - coding, denial appeals, and billing optimization.

Emmie answers patient questions, helps schedule appointments, and builds collaborative visit agendas with Art to bring patient and clinician priorities into a unified view.

Google Cloud matched the ambition with scale. Humana’s Agent Assist, built on Gemini Enterprise, now supports more than 20,000 member advocates handling up to 80 million calls annually. CVS Health launched Health100, a new technology services subsidiary with agentic AI built in. Quest Diagnostics, Highmark Health, and Waystar announced their own Gemini-powered implementations.

Oracle rolled out agents supporting 30 medical specialties for note drafting and clinical suggestions. Microsoft and Amazon added AI personas across their healthcare platforms.

The Validation Gap

The problem is not that AI agents are arriving in healthcare. The problem is that validation standards have not arrived with them.

STAT News reported that experts at HIMSS raised concerns that products are not sufficiently tested with patients. The tools are being deployed faster than they can be evaluated in real-world clinical scenarios.

When clinicians and healthcare organizations were asked why they used AI tools not approved by their organization, 48% cited a lack of available approved tools. Another 25% said they wanted a faster workflow. The result is shadow AI - unauthorized systems operating without oversight in environments where errors can harm patients.

“Disruptive elements are going in without evaluations, without oversight,” one expert noted at the conference.

The FDA’s regulatory framework was built for static medical devices, not autonomous agents that learn and adapt. Agentic AI systems that can act independently and potentially improve themselves create challenges the existing approval process was not designed to handle. Regulators are encouraging adaptive trials that mirror everyday practice, but the frameworks remain works in progress.

Governance as Product Category

The validation gap has created a market opportunity. AI governance emerged as a standalone vendor category at HIMSS 2026.

Singulr AI launched Agent Pulse, a platform specifically designed to monitor and control AI agent behavior in real time. The system provides continuous visibility into AI agents operating across platforms, evaluates risk posture based on model access and tool configurations, and enables real-time enforcement to prevent unauthorized access and prompt injection.

The product addresses a real need. When Epic tells health systems they can build their own agents with a drag-and-drop interface, someone needs to ensure those agents do not prescribe harmful treatments or leak patient data to unauthorized systems.

But selling governance as a separate product layer also normalizes the underlying problem: that AI agents are being deployed faster than organizations can evaluate them.

The HIPAA Assurance

Google Cloud emphasized that its healthcare AI operates within a “walled garden” - a HIPAA-compliant environment where patient data is never used to train Google’s foundation models. Epic makes similar assurances about its systems.

These protections matter. But they address data privacy, not clinical validity. A system can be perfectly compliant with HIPAA while still providing harmful medical advice.

The vendors are not unaware of this distinction. Google described its vision as moving healthcare “from point-and-click software to anticipatory care.” The implication is that AI systems will not just document what clinicians decide - they will suggest what clinicians should do next.

That is a fundamentally different product from a dictation assistant. And it requires fundamentally different validation standards.

What Needs to Happen

The healthcare industry has well-established frameworks for evaluating new interventions: clinical trials, peer review, and post-market surveillance. These processes are slow and expensive, but they exist because medical errors kill people.

AI agents are being deployed without comparable scrutiny for several reasons:

Speed: Vendors are racing to capture market share before competitors. A 24-month clinical trial is a competitive disadvantage.

Ambiguity: It is unclear whether AI-suggested clinical actions constitute medical devices requiring FDA approval. The regulatory boundary keeps moving.

Burden: Health systems are under pressure to reduce costs and improve efficiency. Tools that promise productivity gains are hard to reject even without rigorous validation.

Assumption: There is an implicit belief that AI assistants, unlike AI decision-makers, do not need the same level of scrutiny because humans remain in the loop.

That last assumption deserves examination. When an AI agent drafts a clinical note and the physician has 15 minutes to see a patient, review the note, and move on, the “human in the loop” becomes a human rubber stamp. The distinction between assistance and decision-making blurs in practice.

What This Means

The technology industry’s answer to validation gaps is usually “move fast and iterate.” In healthcare, iteration means learning from mistakes on patients.

The vendors at HIMSS 2026 are not being reckless. They are responding to genuine problems - documentation burden, administrative waste, access barriers. Their tools may ultimately prove beneficial. Some already show measurable improvements in efficiency metrics.

But efficiency metrics are not patient outcomes. And the rush to deploy autonomous agents without establishing validation standards first is a gamble that the benefits will outweigh harms we have not yet measured.

AI governance as a product category is better than no governance at all. But it represents the industry building guardrails around a highway that was constructed before anyone checked where it leads.

The Bottom Line

Healthcare AI agents are no longer experimental - they are in production at scale. Epic, Google, Oracle, and Microsoft are all shipping autonomous systems that suggest clinical actions, handle patient communications, and manage billing decisions. The governance tools to validate these systems are arriving separately, sold by different vendors, implemented at organizational discretion. In regulated industries, we usually establish safety standards before deployment. Healthcare AI is running the experiment in reverse.