Tomasz Jan Gomoła — Founder and Chief Architect, DeepSensi PBC, USA · ORCID 0009-0001-5222-6154 Version: 3.0 — July 2026 · Perspective prepared for NEJM AI
In every other safety-critical domain, we measure reliability before we deploy. An aircraft engine must demonstrate a failure rate below 10⁻⁹ per flight hour before it enters service. A nuclear reactor's safety systems must satisfy Safety Integrity Level requirements per IEC 61508 before fuel is loaded. A pharmaceutical must complete Phase III trials before reaching patients.
Clinical AI has no equivalent. A large language model can be deployed in hospital decision support with no quantitative reliability standard, no certification framework, and no measurable hallucination probability bound. The regulatory landscape is not merely inadequate — it is structurally absent for the dominant failure mode of generative AI in medicine.
Hallucinated medical assertions are syntactically fluent, contextually plausible, and indistinguishable from correct output without independent verification. A hallucinating model may cite retracted studies as current evidence, fabricate drug-interaction profiles, or generate confident diagnoses that are physiologically impossible for the patient at hand. Published benchmarks place clinical hallucination rates between 15 and 25 percent for raw LLMs, and 5 to 10 percent even with retrieval augmentation [1]. For systems advising on millions of decisions, this is not a statistical abstraction; it is a systematic patient-safety failure.
The evaluation infrastructure is not immune either. During calibration of our reference implementation, its evidence-integrity layers — applied to benchmark items rather than to model outputs — identified defective items and methodological weaknesses in a widely used public benchmark (HealthBench Hard), including negative-rubric scoring that grades deterministic safety gates as failures: the Safe Triage Paradox [7]. Benchmark scores inherit the epistemic quality of the benchmark. If we cannot fully trust the measuring stick, the case for verification architecture — rather than leaderboard position — becomes stronger still.
The EU AI Act (2024) classifies clinical AI as high-risk but specifies no quantitative reliability target for generative output [2]. IEC 62304 assumes deterministic software behavior [3]. The FDA's AI/ML SaMD guidance addresses change management but provides no hallucination probability bound [4]. ISO 14971 offers process-level risk management with no LLM-specific failure-mode coverage [5]. Aviation solved this class of problem decades ago with DO-178C Design Assurance Levels; nuclear engineering solved it with IEC 61508. Clinical AI — despite operating where errors carry lethal consequences — has no equivalent.
We propose the DeepSensi Standard (DSS) — to our knowledge the first quantitative safety certification standard for clinical AI. It rests on five independently auditable pillars: Multi-Specialist Cognitive Diversity (structured adversarial deliberation across independent specialty perspectives — the computational analogue of the consilium); Evidence Integrity Verification (provenance, funding bias, temporal relevance, population matching); Deterministic Safety Verification (drug interactions, logical contradictions, and physiological plausibility checked by rule-based mechanisms that do not rely on AI judgment, with cross-vendor verification of critical conclusions); Transparent Uncertainty (a formalized protocol producing a structured "I don't know" — the core disagreement, a working hypothesis, and the specific tests that would resolve it); and Immutable Accountability (a tamper-proof audit trail attributing every conclusion to AI, physician, or automated rule).
The standard defines four certification levels with explicit per-assertion hallucination bounds — DSS Bronze (<10⁻³), Silver (<10⁻⁵), Gold (<10⁻⁷), Platinum (<10⁻⁹) — mapped, with stated caveats, to IEC 61508 demand-mode targets. These thresholds are not aspirational. A companion Fault Tree Analysis per IEC 61025 demonstrates that a production system employing 23 independent verification barriers achieves a worst-case bound of 3.23 × 10⁻⁶ — meeting the SIL 4 numerical target with an approximately 31-fold margin even under pessimistic common-cause assumptions [6]. The same system, evaluated on N = 301 consecutive NEJM Clinicopathological Conference cases (2014–2023) under a safety-first audit protocol [7], achieved 86.0% top-1 and 93.7% top-3 diagnostic accuracy after calibration (frozen baseline: 80.0% and 88.0%; development-cohort result), with a 0.0% missed-critical rate and a median deliberation time of 14.3 seconds — because a safety architecture that cannot also diagnose would be an empty vessel. Analytical bounds and empirical accuracy answer different questions, and neither can substitute for the other: no accuracy study can verify a 10⁻⁷ bound, and no fault tree can diagnose a patient. A deployable system must demonstrate both.
The standard is offered royalty-free and open. Any vendor may certify against it; any hospital may require it in procurement; any regulator may reference it. The EU AI Act compliance deadline in 2027 creates immediate urgency: procurement teams currently have no standardized metric for comparing clinical AI systems, and insurers cannot calculate liability exposure without a reliability benchmark — which is why several major carriers have begun excluding AI-related claims outright. A quantified, auditable bound converts an uninsurable uncertainty into an actuarially tractable parameter. We are commencing dialogue with the FDA under the Q-Submission pathway on precisely this basis.
The question facing clinical AI is no longer whether these systems will be deployed in patient care. They already are. The question is whether we will hold them to a measurable, auditable, and enforceable standard — or wait for the consequences of not doing so.
Disclosures: T.J. Gomoła is the founder and chief architect of DeepSensi PBC, which operates the reference implementation of the DeepSensi Standard. The Standard itself is royalty-free and open. Correspondence: [email protected] · https://deepsensi.com
References 1. Ji Z, et al. Survey of Hallucination in Natural Language Generation. ACM Computing Surveys 2023;55(12). 2. Regulation (EU) 2024/1689 (Artificial Intelligence Act). OJEU, 2024. 3. IEC 62304:2006/AMD1:2015. Medical device software — lifecycle processes. 4. FDA. AI/ML-Based Software as a Medical Device Action Plan, 2021. 5. ISO 14971:2019. Medical devices — risk management. 6. Gomoła TJ. Formal Reliability Analysis of Multi-Layer Deterministic Verification in Clinical AI. Technical Whitepaper WP-001, DeepSensi Medical OS, 2026. medRxiv (in deposit). 7. Gomoła TJ. The Flawed Yardstick: Why Static Medical Benchmarks Penalize Clinical Safety. Technical Whitepaper WP-002, DeepSensi Medical OS, 2026. medRxiv (in deposit).