
Utah Clinical AI Sandbox: What Founders Still Owe the FDA

Utah's clinical AI sandbox gives diagnostic and treatment AI room to run, but HIPAA, the state medical board, malpractice and FDA pre-sub still apply.

Rebecca Lauren
Head of Regulatory Intelligence

Utah quietly built the first non-federal regulatory lane for clinical AI in the United States, and a lot of clinical-AI founders are reading it as a way to skip the FDA conversation for a year.

It isn't. The Utah lane is interesting and useful, but the compliance footprint a sandbox participant still owes — federal law, tort exposure, second-state planning — is larger than the framing usually suggests. The reading I keep seeing in pitch decks treats the sandbox as a waiver. It's a contract, not a waiver, and the parts it cannot touch are the ones that actually carry the risk.

Here's what Utah's program actually does, what it cannot do, and the six-item checklist I'd run before anyone packs up the office for Salt Lake.

The thing Utah actually built

In 2024, Utah passed SB 149, the Artificial Intelligence Policy Act. It did two things that matter for clinical-AI founders. It stood up the Office of Artificial Intelligence Policy. And inside that office, it created what most people now call the AI Learning Laboratory — the program Endpoints News and others have been tracking as a clinical AI sandbox.

The mechanic is a regulatory mitigation agreement. A company applies, the state evaluates what specific Utah laws or licensing rules would otherwise block the product, and if the office signs off, those specific rules get carved out or softened for a defined window, usually 12 months, with reporting requirements attached.

That's it. That's the magic. It's a contract that says "this Utah law won't bite you for a year, in exchange for telling us what happens."

This is the first non-federal regulatory lane in the country for clinical AI doing diagnostic or treatment work. Not back-office automation. Not scribes. The "AI doctor" use cases — AI that's making or recommending a clinical decision a licensed human used to make.

What Utah cannot do for you

Here's the part founders skip over.

Utah is a state. State statute and licensing rules are one of three rule stacks your clinical AI product is sitting in. The other two, federal law and tort liability to the patients your product touches, are beyond what a mitigation agreement can reach.

FDA still applies. If your product meets the SaMD definition (and most diagnostic or treatment AI does), the FDA's framework still governs. Utah's mitigation agreement does not waive a 510(k), De Novo, or PMA pathway. It doesn't waive the FDA's evolving AI/ML guidance for SaMD. It doesn't waive the predetermined change control plan expectations that came out in the 2024 final guidance.

If you're a sandbox participant and FDA decides your tool is a device, the agency can still send you a Warning Letter, still pull it off the market, still refer to DOJ. Utah's office is not going to call FDA off.

HIPAA still applies. Utah's office cannot waive a federal law. If you're a covered entity or business associate, the Privacy and Security Rules still apply, in full, in Utah, exactly as they apply in Massachusetts. The sandbox doesn't give you a lighter Business Associate Agreement. It doesn't reduce your breach-notification obligations.

Malpractice still applies. This is the part founders consistently underweight. The mitigation agreement is between your company and Utah. It is not between your company and a plaintiff. If your AI tells a patient they don't have sepsis and they die, the family's lawyer doesn't care that you had a sandbox letter. They care about standard of care, foreseeability, and whether your training data made the failure predictable.

The medical board piece is more interesting. SB 149 lets the Department of Commerce coordinate with the licensing boards on what gets relaxed. So a sandbox agreement can address whether your AI is "practicing medicine" under Utah's Medical Practice Act, which is the one state-law question every founder I've talked to actually loses sleep over. But it's a Utah answer for Utah patients. It doesn't transfer to Tennessee.

What you still owe, even inside the sandbox

If I were doing the regulatory-readiness checklist for a sandbox-bound company, I'd run through these in order. None of them go away.

1. An FDA pre-submission meeting, planned and scoped. Even if your product is in the Utah lane, FDA still wants to see you. A pre-submission (Q-Sub) lets you get the agency's read on classification, the predicate situation, and what clinical evidence they'll want. The Q-Sub uses the same shape as the drug-side meeting requests our library covers under /library/m1-admin/meetings/pre-ind-meeting-request — a meeting request, a briefing document, a meeting package, and a written response you can cite later. The questions are different; the discipline is the same.

2. A clinical evaluation file that would survive a 510(k). The sandbox lets you collect real-world data faster than you could in a traditional pre-market study. Don't waste that. Set up the evaluation file the way FDA will eventually want to read it: an indication-population-performance chain of evidence with study reports underneath. The drug-side analog in our library — the clinical overview on top of the efficacy and safety study reports — uses the IND vocabulary, but the evidence pyramid is identical for a SaMD clinical-evidence package.

3. A HIPAA program a federal auditor would believe. I don't mean a one-page policy doc. I mean: a Security Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A) that's been updated in the last 12 months. A breach playbook. A vendor list with executed BAAs. Training records. Encryption-at-rest and in-transit evidence. If you're using a foundation model API for any PHI processing, the BAA chain has to terminate at a provider that will actually sign one.

4. A malpractice and product-liability stack. Errors-and-omissions plus product liability, with a carrier that has actually underwritten AI risk before, not the cheapest quote you can find. If your sandbox agreement contemplates direct patient-facing decisioning, this is non-negotiable.

5. A real audit trail. Every clinical recommendation, the model version that produced it, the input features, the confidence, the human in the loop if any, the override if any. Time-stamped, immutable, queryable. Utah will ask for outcome data. FDA will ask for everything else. A plaintiff's lawyer will ask for what you don't have.

6. A second-state plan. Utah is the first state. It will not be the last. If your product works in Salt Lake, the next call you take will be from a hospital system in Nashville or Phoenix or Boston, and they'll ask which state law you operate under. Have an answer that isn't "well, in Utah we..."
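Item 5 above describes the audit trail as a data structure: every recommendation with its model version, inputs, confidence, reviewer and override, time-stamped, immutable and queryable. The block below is an added example of one way to build that, written for this edit and not code from the original post or from Regfo. It implements an append-only log in which each entry commits to the SHA-256 digest of the entry before it, so a later edit or deletion anywhere in the chain is detectable by re-walking it. The field names, the model version string and the three sample encounters are constructed for illustration and are not real patient data; the `patient_ref` is assumed to be an opaque encounter token rather than PHI.

```python
"""Hash-chained, append-only audit trail for clinical AI recommendations.

Added example. Field names, the model version string and the sample
events are assumptions constructed for illustration, not real records.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional

GENESIS = "0" * 64  # prev_digest of the first entry


def _canonical(obj: Dict[str, Any]) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so an identical record
    # always hashes to the same digest regardless of insertion order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditTrail:
    """Append-only log where entry i commits to the digest of entry i-1.

    Changing, inserting or deleting any earlier entry breaks every digest
    after it, so verify() detects tampering without trusting the store.
    """

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def record(self, *, patient_ref: str, model_version: str,
               input_features: Dict[str, Any], recommendation: str,
               confidence: float, human_reviewer: Optional[str] = None,
               override: Optional[str] = None,
               timestamp: Optional[datetime] = None) -> str:
        """Append one recommendation event and return its digest."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "patient_ref": patient_ref,          # opaque encounter token, not PHI
            "model_version": model_version,
            "input_features": input_features,
            "recommendation": recommendation,
            "confidence": confidence,
            "human_reviewer": human_reviewer,    # None means no human in the loop
            "override": override,                # reviewer's decision if it differed
            "prev_digest": prev,
        }
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append({**body, "digest": digest})
        return digest

    def verify(self) -> Optional[int]:
        """Re-walk the chain. Return the index of the first bad entry, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            # A deleted entry shows up as a seq gap; an edited one as a digest mismatch.
            if body["seq"] != i or body["prev_digest"] != prev:
                return i
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["digest"]:
                return i
            prev = entry["digest"]
        return None

    def query(self, predicate: Callable[[Dict[str, Any]], bool]) -> List[Dict[str, Any]]:
        """Return entries matching predicate, e.g. all human overrides."""
        return [e for e in self.entries if predicate(e)]


def build_sample_trail() -> AuditTrail:
    """Three constructed sepsis-model events: alert, overridden no-alert, no-alert."""
    trail = AuditTrail()
    t0 = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
    trail.record(patient_ref="enc-7f3a", model_version="sepsis-risk-2.4.1",
                 input_features={"hr": 118, "temp_c": 38.9, "lactate": 3.1, "wbc": 14.2},
                 recommendation="sepsis_alert", confidence=0.87, timestamp=t0)
    trail.record(patient_ref="enc-9c21", model_version="sepsis-risk-2.4.1",
                 input_features={"hr": 84, "temp_c": 37.1, "lactate": 1.2, "wbc": 7.8},
                 recommendation="no_alert", confidence=0.91,
                 human_reviewer="clinician-0412", override="sepsis_alert",
                 timestamp=t0.replace(minute=12))
    trail.record(patient_ref="enc-b044", model_version="sepsis-risk-2.4.1",
                 input_features={"hr": 76, "temp_c": 36.8, "lactate": 0.9, "wbc": 6.1},
                 recommendation="no_alert", confidence=0.96, timestamp=t0.replace(minute=25))
    return trail


def tampered_index() -> Optional[int]:
    """Simulate someone with write access quietly rewriting one stored entry."""
    trail = build_sample_trail()
    trail.entries[1]["confidence"] = 0.55   # after-the-fact edit, digest not recomputed
    return trail.verify()                   # chain walk reports entry 1


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify() is None)
    print("overrides:", [e["patient_ref"] for e in trail.query(lambda e: e["override"])])
    print("first bad entry after tampering:", tampered_index())
```

The chain gives tamper evidence, not tamper prevention: an attacker who can rewrite the whole store can recompute every digest. In deployment, periodically export the head digest to something the application cannot modify (a signed timestamp, a WORM bucket, or a separate regulator-facing ledger) so a rewritten chain no longer matches the anchored head. Keep PHI out of the log body where you can; an opaque encounter reference joined to the EHR under HIPAA access controls is usually enough to reconstruct the case for FDA, Utah or a plaintiff's discovery request.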

Why "Utah-first" probably forces FDA's hand

The interesting structural argument isn't about Utah at all. It's about what happens to FDA when a state starts generating clinical outcomes data that the agency doesn't control.

FDA's AI/ML SaMD framework has been "in progress" for the better part of a decade. The Predetermined Change Control Plan got a final guidance in 2024. Most of the rest is still draft. The agency moves at the pace it moves at, which is not the pace of a Series B clinical AI roadmap.

Utah is now going to start producing structured data on clinical AI deployments, under a state framework: adverse events, accuracy in the wild, override rates, time-to-detection on missed diagnoses. That data is going to get cited, by academics, by other state legislatures, by congressional staffers. By the time FDA's next AI/ML draft comes out, Utah's sandbox will have a 12- to 24-month head start on the only thing the agency really needs: real-world performance data on clinical decision AI.

That's the leverage. Not "Utah replaces FDA." Utah surfaces evidence the agency wasn't going to get on its own.

The companies that win this are the ones that participate in Utah seriously, generate clean evidence, and file with FDA on the same product on the same timeline. Two lanes, one body of evidence, one regulatory story.

What to actually do this quarter

If you're a clinical AI founder and you read this far:

Talk to Utah's Office of AI Policy. The application is a real document but it's not a 200-page FDA submission. Have your indication, your population, your failure modes, and your reporting commitments written out.

Stand up the FDA pre-sub anyway. Don't pick one lane.

Run a clean HIPAA gap assessment. The Utah agreement does not make HIPAA homework optional, and federal OCR audits do not care about state sandboxes.

Decide whose risk this is. Carrier, board, cap-table, term sheet. AI risk is now a line item, and pretending otherwise is how Series B rounds get repriced.

Regfo is a preclinical-to-IND compliance engine — that's the work I lead at the company. The clinical AI / SaMD lane sits one floor up from where Regfo runs today, but the mechanics of the homework are the same: read the guidance, find the gaps in your document, cite the section. If you want to see what that kind of structured check looks like on a real document, the fastest path is to start a workspace and paste an IND-stage protocol you have lying around. If you're earlier than that and want to browse what FDA expects across modules, the library is open.

Utah is real. The sandbox is real. The federal compliance footprint is still real too. Plan for both.

FAQ

Does the Utah AI sandbox waive FDA requirements for clinical AI?

No. Utah's mitigation agreement only addresses specific Utah state laws and licensing rules. If your product meets the SaMD definition, FDA's 510(k), De Novo, or PMA pathway still applies, and so does the agency's AI/ML guidance and the 2024 final Predetermined Change Control Plan framework. Utah cannot waive federal law.

Who runs Utah's clinical AI sandbox and how do you apply?

The program sits inside Utah's Office of Artificial Intelligence Policy, created by SB 149 in 2024. Companies apply with a description of the product, the specific Utah laws or licensing rules that would otherwise block it, and reporting commitments. If the office approves, you sign a regulatory mitigation agreement, typically for a 12-month window.

Does HIPAA still apply if you operate inside the Utah sandbox?

Yes. HIPAA is a federal law and Utah's office cannot waive it. If you're a covered entity or business associate, the Privacy and Security Rules apply in full in Utah, identical to any other state. The sandbox does not change your Business Associate Agreement obligations or breach-notification timing.

Should clinical AI founders still schedule an FDA pre-submission meeting?

Yes, and I'd schedule it even if you're going into the Utah sandbox. The Q-Sub meeting tells you how FDA classifies your product, what predicates exist, and what clinical evidence you'll need for a future submission. Running both lanes in parallel produces the strongest regulatory story — Utah real-world evidence plus an FDA-aligned classification path.
