Artificial intelligence is delivering real, measurable benefits across NHS organisations, but the health service remains far from embedding it as a strategic tool. New research commissioned by technology company Rackspace Technology and conducted by Coleman Parkes Research finds that while adoption is progressing, most organisations are still operating AI in isolated pockets rather than at any meaningful scale.

The figures point to cautious optimism. Just over half of NHS organisations surveyed plan to enhance existing technologies with AI capabilities, and 41 per cent intend to invest in new AI-enabled tools. Among those already using the technology, the results are encouraging: 37 per cent report a reduction in clinician workload, and 33 per cent say they have faster access to insights through data analytics. These are not trivial gains for a health service under sustained pressure. Yet the broader picture is less encouraging. Only one per cent of organisations describe AI as fully embedded in their business strategy. A third say their use of AI remains minimal or ad hoc. The gap between early wins and systemic adoption is wide, and the reasons for it are becoming clearer.

Security sits at the centre of the problem. Forty-four per cent of organisations identify security risks and vulnerabilities as a primary concern, and the same proportion say they lack confidence in their ability to protect data from cyberattacks. Only 12 per cent describe their organisation as genuinely cyber resilient. These are striking numbers for institutions handling some of the most sensitive personal data in the country. The problem does not stop at security posture. Seventy per cent of NHS bodies describe their technical debt as moderate to high, meaning many are running AI applications on infrastructure that was not designed to support them. Only one in five organisations expresses strong confidence in interoperability across their systems. When the underlying architecture is fragmented and outdated, scaling any new technology becomes significantly harder.

This is where the governance question becomes pressing. As AI systems access clinical notes, patient records, and operational data, the question of where that data goes and who controls it matters enormously. One approach gaining traction is what has been described as sovereign AI, a model built on the principle of bringing AI processing to the data rather than moving data into external platforms for processing. In practical terms, this means deploying AI capabilities within environments that organisations themselves govern, rather than routing sensitive healthcare data through third-party or shared AI systems. The appeal is straightforward: organisations retain visibility over how data is accessed, how decisions are made, and how systems are audited. In a regulatory environment where accountability for AI outcomes in healthcare is still being defined, that level of control is becoming harder to ignore.

Getting AI into production is one thing. Keeping it running well is another. Many NHS organisations have discovered that launching a pilot is considerably easier than operationalising AI across complex, multi-site healthcare environments. Sustainable deployment requires ongoing infrastructure management, consistent access controls, and continuous performance oversight. Without those structures in place, AI tools risk becoming unreliable or ungoverned as they scale, which in healthcare carries consequences that go beyond inefficiency. The research suggests that organisations which treat deployment as the finish line, rather than the starting point, are the ones most likely to struggle as ambitions grow.

The direction of travel for NHS AI is not in serious doubt. Adoption will continue, and the operational case for it is already made. What remains unresolved is whether the governance and security foundations are being built at the same pace. The organisations most likely to scale AI successfully are those treating oversight as integral from the start. Those that do not will find that the gap between a promising pilot and a functioning, trustworthy system at scale is wider than the technology alone can bridge.

‍