From sandbox to scan room: Navigating NHS AI compliance in 2025

By iatroX Clinical Team||7 min read
Featured image for From sandbox to scan room: Navigating NHS AI compliance in 2025

Why AI compliance is now the main battleground

The UK healthtech market is rich in innovative AI, but NHS trusts are finding adoption slow. The bottleneck is no longer the algorithm; it's the assurance. Getting AI as a Medical Device (AIaMD) safely deployed now requires navigating three converging assurance rails, making compliance the new battleground for 2025.

These three rails are:

  1. The MHRA: Focusing on novel and adaptive AIaMDs through its AI Airlock, which welcomed its Phase 2 cohort in October 2025 to test devices in real-world settings before a full UKCA mark.
  2. NHS England: Mandating the Digital Technology Assessment Criteria (DTAC) as the non-negotiable procurement baseline, covering clinical safety, data protection, cybersecurity, and interoperability.
  3. NICE: Providing the evidence-of-value layer through Health Technology Appraisals (HTA) and Early Value Assessments (EVA), such as its updated 2023-2025 guidance on AI for chest X-ray analysis.

This article breaks down this compliance stack and shows what "good" looks like, using real-world examples of AI tools already deployed in the NHS.

The UK compliance stack (an editor-ready explainer)

2.1 MHRA and the AI Airlock

The AI Airlock is the MHRA's regulatory sandbox, designed to de-risk complex, adaptive, or "black-box" AIaMDs within a controlled, real-world NHS environment. This process happens before the manufacturer can place a full UKCA mark on their product. The findings from the 2024 and 2025 cohorts are critical, as they will directly shape future UK medical device regulations for all AI.

2.2 DTAC as the NHS gate

Think of DTAC as the essential passport for any digital tool entering the NHS. It is the procurement baseline. Trusts use it to assess five key areas:

  • Clinical safety (DCB0129/0160)
  • Data protection (requiring a comprehensive DPIA)
  • Cybersecurity (including penetration testing)
  • Interoperability (adherence to standards like FHIR)
  • Usability (evidence of user-centred design)

In 2025, developers can no longer show up with an "in-progress" DTAC; it must be complete at the point of procurement.

2.3 NICE EVA and radiology AI guidance

NICE provides the crucial evidence-of-value layer. Its Early Value Assessment (EVA) for AI-driven chest X-ray (CXR) analysis, updated in 2025, clearly signals that the NHS demands real-world performance data, not just accuracy claims from a lab.

The withdrawal of Behold.ai's red dot® from NICE recommendations in February 2025 serves as a critical case study: evidence of lifecycle performance and ongoing supplier continuity are now non-negotiable.

Tool spotlight (radiology): concrete, NHS-proven AIaMD

3.1 Brainomix e-Stroke Suite — “DTAC-friendly” AI for hyper-acute stroke

The Brainomix e-Stroke suite is a strong example of successful, scaled deployment. It is used across multiple NHS stroke networks to support faster, more accurate interpretation of hyper-acute stroke CT scans. Its compliance story is robust: it is an established UKCA/CE-marked SaMD, has a strong reputation from the NHS AI Awards, and has successfully passed repeated trust-level DTAC scrutiny.

3.2 Annalise.ai Enterprise CXR — at scale via the AI Diagnostic Fund

Annalise.ai's chest X-ray tool is being rolled out at scale, supported by the AI Diagnostic Fund, in trusts like Leeds, Doncaster, Bolton, and across the Yorkshire Imaging Collaborative. It functions as a "second pair of eyes," identifying up to 124 findings. The key lesson here is that central funding does not equal a compliance-free pass. Each trust must still conduct its own local DTAC assessment, DPIA, and clinical safety sign-off.

3.3 Behold.ai red dot® — a live lesson in lifecycle evidence

The Behold.ai red dot® story is a vital lesson in post-market realities. The tool, a CE-marked (Class IIa) device approved in the UK for normal/rule-out CXR analysis, was assessed by NICE. However, the 2025 EVA update later removed it from recommendations because its availability changed. This case perfectly illustrates why a vendor's compliance plan must include ongoing performance monitoring and supplier continuity.

3.4 Qure.ai qXR / Lunit INSIGHT CXR — pilots needing UK-grade evidence

Tools like Qure.ai's qXR and Lunit's INSIGHT CXR are currently in active pilots and studies across England and Scotland, with results expected through 2025. For these tools to move from "pilot" to "business-as-usual," trusts must ensure the full compliance stack is in place: confirmed MHRA device status, a completed DTAC, and a local clinical safety case.

3.5 Annalise vs Behold vs Qure.ai — what differs for compliance

These three radiology examples show different compliance challenges:

  • Annalise.ai: Being centrally funded for high-volume diagnostics, it faces greater ICS-level scrutiny on integration and pathways.
  • Behold.ai: As a UK-registered, NICE-assessed tool, its story highlights the critical importance of managing lifecycle and data-continuity risk.
  • Qure.ai/Lunit: These are still in the evidence-gathering phase; their main hurdle is formalising trial data into a robust assurance pack for routine procurement.

Beyond imaging: cardiovascular & workflow AIaMD

4.1 HeartFlow FFRCT — the “classic” NICE-supported AI device

HeartFlow FFRCT is a classic example of "getting it right" long before the current compliance stack was formalised. It has been deployed in the NHS for years. Its success in assurance came from a clearly defined intended use, strong NICE support, and a powerful economic model demonstrating cost savings. This remains an excellent template for new AIaMDs needing to build a compelling economic case for NICE.

4.2 Tortus / ambient-scribe AI — heading for regulated territory

Ambient-scribe tools (like those from Tortus) are attracting significant attention, with ED pilots and HSJ coverage projecting near-£1bn in NHS productivity gains. Due to their high novelty (processing clinical language in real-time), these tools are prime candidates for the MHRA's AI Airlock. Beyond the Airlock, they will still require a full DTAC and a very robust trust-level DPIA. As the MHRA flagged in its October 2025 blog, continuous monitoring of their outputs will be essential.

What “good” looks like in 2025 (an NHS buyer checklist)

For NHS digital leads, CCIOs, and procurement teams, here is your 2025 checklist:

  1. Is it a medical device? Confirm its MHRA device classification, UKCA details, and precise intended use.
  2. Has it been through the AI Airlock? Prioritise tools from the 2024-25 AI Airlock cohorts, as they are aligned with future regulation.
  3. Show me your DTAC: Demand the completed DTAC report, not a work-in-progress.
  4. What is the NICE position? Check for any active NICE EVA, HTA, or guidance, especially for high-volume radiology AI.
  5. What is the post-market plan? Ask for the policy on monitoring performance drift, managing model updates, and change control. This should align with the MHRA's new direction on continuous monitoring.
  6. Where are the clinical safety artefacts? Request the supplier's DCB0129 report and the template for your local DCB0160 clinical safety case.
  7. How is data protected? Review the DPIA and confirm UK data residency, which is now a standard demand in 2all 2025 trust AI policies.

Lessons from Spain & EU (to contrast)

The UK isn't alone. Spain's successful rollout of DxGPT demonstrates that a clear scope, public reporting of outcomes, and a strong national framework can accelerate adoption. The UK is building its equivalent feedback loop through the AI Airlock and the NHS AI Knowledge Repository. UK trusts can adopt this principle now by sharing assurance work and standardising processes to shorten local deployment times.

Risks to name explicitly

Despite the progress, leaders must manage three clear risks in 2025:

  • Tool churn: As seen with the Behold.ai red dot® and NICE, a tool's availability or regulatory status can change, disrupting established clinical pathways.
  • Performance drift: The MHRA is clear that continuously learning models must be monitored for performance degradation or bias when used in your specific local population.
  • Compliance burnout: Vendors face significant pressure satisfying DTAC, the AI Airlock, and local trust IG requirements simultaneously. This can slow down the market and stifle innovation.

FAQs (schema-ready)

Do all AI tools need DTAC?

Yes. For any NHS procurement, DTAC is the baseline standard. This applies even if the tool is also a regulated medical device.

Is the MHRA AI Airlock mandatory?

No, but it is now the MHRA's preferred route for novel, adaptive, or complex AIaMDs. Its outputs will directly inform future UKCA expectations, so tools that have passed through it are de-risked.

Which tools are safest to start with in 2025?

The safest bets are imaging AI tools that already have clear NICE or EVA signals and are live in other NHS trusts (e.g., Brainomix e-Stroke, Annalise.ai, HeartFlow). Their assurance story is public, proven, and often supported by national funding schemes.

Calls to action

  • For NHS trusts and ICBs: Standardise your AI procurement pack now. It must demand a completed DTAC, MHRA device status, and a clear post-market monitoring plan. Prioritise tools already validated in the NHS AI Diagnostic Fund pipelines to save time on assurance.
  • For AI vendors: Be transparent. Publish your completed DTAC, your clinical safety case, and your AI model update policy. Align your evidence and reporting to the AI Airlock format to speed up future procurement cycles.

Share this insight