The Month the Guardrails Came Back

For the better part of 2 years, the loudest voices in health technology have been telling a single story. Regulation is the enemy of progress. The rules are too slow, too blunt, too written for a world of static devices to govern systems that rewrite themselves every 6 weeks. Get out of the way, the argument went, and let the technology run. For most of 2025 and into the start of this year, the regulators seemed to be listening. Then, over the course of about 5 weeks this spring, on 2 continents and across several state capitals, the guardrails came back. Quietly, without a single dramatic headline, the direction reversed.

I want to lay the events out plainly, because read individually they look like unrelated news items, and read together they describe a turning point that anyone building in this field needs to understand.

On 9 April, the United States Food and Drug Administration rejected a petition from Harrison.ai, an Australian health AI company, that had asked the agency to exempt several categories of AI-enabled diagnostic and detection software, including radiology computer-aided detection systems, from the traditional premarket review that medical devices normally face. The petition had been published in the Federal Register, the comment window had closed at the end of February, and 47 comments had been filed. The FDA said no. Its reasoning was the part worth holding onto. The fact that the agency had authorised 1 AI device from a company, it argued, does not demonstrate that future products from that same company will perform safely or effectively. Past clearance is not a standing licence to skip the queue.

What makes that decision striking is that it came from the same FDA that, in January, had moved in the opposite direction, easing oversight of low-risk AI-enabled clinical decision support software and consumer wearables, on the logic that a clinician who can independently review a recommendation does not need the device behind it to be regulated as if it were making the decision alone. So the agency is not simply tightening or simply loosening. It is doing something more interesting and more coherent. It is drawing a line. Low-risk tools that inform a human who remains in charge get a lighter touch. High-risk systems that detect disease or drive a diagnosis do not get to walk around the front door, no matter how good their last product was.

The Same Week, a Continent Away

On 7 May, the European Council and Parliament reached political agreement on what has been nicknamed the AI omnibus, a package designed to simplify and streamline the EU AI Act ahead of its high-risk provisions entering into force on 2 August. It would be easy to read simplification as deregulation, and some of the early commentary did exactly that. It is not. The agreement reinforces the powers of the AI Office, centralises oversight of systems built on general-purpose models, widens access to regulatory sandboxes for smaller companies, and clarifies how the AI Act interacts with existing product safety law. The fines remain what they always were, up to €35 million or 7% of global turnover for the prohibited practices, and they are not going anywhere.

In other words, Europe spent the spring making its rulebook easier to comply with while making the obligation to comply harder to escape. That is not a retreat. That is a regime settling into its enforcement posture.

And while the federal agencies and the European institutions were doing this, the American states were doing something blunter. Illinois and Nevada have now banned the use of AI for behavioural health outright. New York and Utah have passed laws requiring AI systems to disclose, explicitly, that they are not human. These are not abstract policy debates. They are responses to a documented pattern of chatbots presenting themselves as licensed nurses and therapists to people who were, in some cases, in genuine crisis. The states did not wait for a federal framework. They almost never do.

Why This Is Not the Backlash People Expected

For 2 years, the people who warned that regulation was coming tended to frame it as a coming war. The technologists on one side, the regulators on the other, and a fight over whether AI would be allowed to do what it is capable of doing. That framing was always wrong, and the events of this spring show why.

Nobody in this story is arguing that the technology does not work. The FDA did not reject Harrison.ai because radiology AI is bad. It rejected the petition because a clearance is not a blanket. Europe is not slowing down general-purpose models because they are dangerous toys. It is building the office that will supervise them at scale. The states did not ban behavioural-health AI because talking to software cannot help anyone. They banned it because a product that lies about being a person, to a person who is suffering, has crossed a line that no amount of capability redeems.

What actually happened this spring is that the conversation matured. The question stopped being whether these systems are good enough to take seriously, because everyone now agrees that they are, and became the more grown-up question of under what conditions, with what evidence, and with whom accountable, a capable system is allowed to act. That is not a backlash. That is the normal lifecycle of every powerful technology that has ever entered medicine.

What the Gulf Should Take From This

I spend a great deal of my time thinking about how this plays out in the Gulf, because the region is in a genuinely unusual position. Saudi Arabia is expanding digital health aggressively under Vision 2030 and its National AI Strategy 2031, with infrastructure commitments measured in the tens of billions. The first phase of the Stargate compute cluster in the UAE is slated to come online this year, explicitly to underpin healthcare among other sectors. The PwC estimate that AI could add something on the order of $320 billion to Middle East economies by the end of the decade gets quoted at every conference, and healthcare is consistently named among the biggest relative beneficiaries.

Here is the opportunity, and it is real. The Gulf does not have to inherit either the American patchwork or the European weight. It is writing its frameworks now, on a relatively clean sheet, with the benefit of watching how both of those systems behave under load. The mistake would be to read this spring's events as a warning that regulation kills innovation, and to therefore build the lightest possible regime in the name of speed. The deeper lesson runs the other way. The FDA's line, Europe's enforcement posture, and the states' bluntness are all converging on the same principle. Capability is not permission. The systems that earn durable trust are the ones whose conditions of safe operation have been characterised, documented, and made auditable.

A region that builds that principle into its frameworks from the start, rather than retrofitting it after the first public failure, will not be slowed down by it. It will be the place where serious developers want to deploy, precisely because the rules are clear and the trust is real. Data residency is already being called the next battleground in the GCC, and that debate is, underneath, the same debate. Who is accountable, under whose law, for what a system does to a patient. Answering it well is not a tax on ambition. It is the foundation that ambition gets to stand on.

What This Means for Builders

I build and advise on exactly the systems this regime is now reaching for. CIGMA, the social-impact wellness platform I founded, and its companion MOA, were built from the start to stay inside narrow, honest boundaries about what they claim and what they do. Through EthicaLabs I advise organisations on the governance architecture they need to operate inside the regimes that are arriving. And after 13 years in digital health, with WhatsHealth now taking shape, I have watched enough cycles to recognise this one for what it is.

What I tell builders who ask is simple. The era of treating regulation as a problem for later is over. It ended this spring, even if the press did not announce it. The companies that will still be standing in 2028 are the ones building, now, the unglamorous infrastructure that the new line requires. A documented scope of what the system is allowed to do on its own and when it must hand off to a human. Evidence that is kept alive rather than generated once and filed. A clear, named answer to the question of who is accountable when the system gets something wrong. Honesty, in the product itself, about what it is and is not.

None of that is incompatible with moving fast. It is incompatible only with moving carelessly. The systems that lie about being human, that claim a clearance they were never granted, that treat a one-time validation as a permanent licence, are the systems this spring was aimed at. The systems that were built honestly have nothing to fear from any of it.

The Sentence Worth Holding Onto

The cleanest way I can put it is this. The guardrails did not come back to stop the technology. They came back because the technology got good enough to deserve them.

A toy does not need a licence. A diagnostic system that a real patient will rely on does. The fact that regulators on 2 continents reached for the same principle in the same month is not a sign that the field has stalled. It is a sign that the field has grown up, and that the people writing the rules have finally decided to treat it with the seriousness it has earned.

I would rather build for the world that this spring describes than the world the deregulation pitch imagined. If you are working on the governance architecture, the evidence frameworks, or the honest product design that this moment is going to require, those are the conversations I most want to be having. There is more work here than any 1 organisation can carry, and the next 2 years are going to settle a great deal that is still treated as open today. The line has been drawn. The interesting work is in building to fit it.