AI Governance

CMS 0057-F Got You to Interoperability. Did AI Governance Come With It?

The Risk and Compliance Clock Looming Over Healthcare AI Programs

May 6, 2026
Author(s)
Mike Catania

A prior authorization request that used to take days, sometimes weeks, will now take 72 hours. That's not a goal. For most Medicare Advantage plans, Medicaid programs, and marketplace insurers, it's a federal requirement that went into effect January 1, 2026.

CMS Final Rule 0057-F, finalized in January 2024, mandates that impacted payers overhaul how prior authorization works. That includes Medicare Advantage organizations, state Medicaid and CHIP programs, Medicaid managed care plans, and QHP issuers on the federal exchanges. Operational requirements started January 2026: faster decisions, specific denial reasons, public metrics reporting. The full FHIR-based Prior Authorization API mandate arrives in January 2027. For a process that has historically run on faxes and phone queues, this is a two-wave transformation.

Most payers aren't getting there without AI.

The Compliance Rush That Created an AI Governance Gap

The January 2026 operational requirements forced payers to automate: decisions in 72 hours for urgent requests, 7 days for standard cases. Manual review processes built for a world of faxes and five-day turnarounds can't produce 72-hour decisions at scale without technology. Intelligent document processing for provider faxes, NLP systems that classify and route requests, AI-powered operational support: these got deployed because the compliance timeline demanded it.

Now, with the January 2027 API mandate approaching, a second wave of AI deployment is underway. Payers are building or procuring Prior Authorization API infrastructure, and the AI sitting inside that infrastructure is being stood up fast.

That speed, across both waves, created a problem most governance teams haven't fully caught up to.

The AI systems behind this compliance effort aren't a single use case. There are dozens of interconnected use cases spread across many different vendors and internally built products, all of which can touch PHI and PII.

HIPAA requires appropriate safeguards for any AI processing PHI. The question auditors are beginning to ask isn't whether you're using AI for prior auth. It's whether you can show how it's governed.

Three Governance Gaps That Come With the Compliance Win

No inventory of what was deployed. When deadline pressure was highest, AI procurement moved fast, often through channels that didn't loop in governance. Many organizations can't produce a complete list of which AI systems are involved in their prior authorization workflows, including the models embedded inside vendor tools.

No ongoing oversight of how the AI is performing in production. AI might have been approved pre-production, but once it's in production, health plans can struggle to keep up with the breadth of ongoing monitoring requirements.

No governance of vendor AI. Most prior auth AI was procured, not built internally. The logic driving recommendations inside vendor tools is rarely covered by formal governance documentation. Under CMS 0057-F, payers are accountable for what their systems produce, including what vendor systems produce on their behalf.

Three Questions to Assess Your Exposure

  1. Can you produce a documented inventory of every AI system in your prior authorization workflow, including vendor tools, within 24 hours?
  2. If CMS requested an explanation of how your AI reaches a denial recommendation, where does that documentation live?
  3. When did you last formally review the performance of the AI systems in your prior auth workflow, and what does that review process look like?

If any answer is uncertain, the governance gap is real. It is harder to close once an audit has forced the issue than before one begins.

The January 2026 operational requirements are already in effect. The full API mandate arrives in January 2027. For organizations still building or replacing AI systems in this workflow, the window to build governance in from the start is closing. Those who do it now will be in a fundamentally different position than those who backfill it under pressure.

DISCLAIMER. The information we provide here is for informational purposes only and is not intended in any way to represent legal advice or a legal opinion that you can rely on. It is your sole responsibility to consult an attorney to resolve any legal issues related to this information.