Most health plans have moved past debating whether artificial intelligence belongs in utilization management and claims operations. The harder question is how to manage change. UM and claims models retrain, recalibrate, and adjust as policies shift, data changes, and performance issues surface. Yet governance structures often assume stability. That mismatch is now one of the most common sources of compliance risk for payer AI.
The FDA’s August 2025 guidance on the predetermined change control plan (PCCP) was not written for payers, but its signal was clear.1 Regulators are less concerned with whether AI changes and more concerned with whether change is controlled, documented, and anticipated. For health plans, this creates an opportunity. Treating PCCP as a governance mindset rather than a device rule better positions organizations to manage UM and claims model updates without turning every adjustment into a compliance fire drill.
Adopt a predetermined change control plan approach to move payer AI governance from reactive oversight to disciplined change control.
Most Payer AI Governance Is Still Reactive
Even among sophisticated health plans, governance for UM and claims models is often built around a familiar cycle. Models are reviewed and approved before deployment. Performance is revisited during periodic audits. Problems are addressed after appeals spike, new trends emerge, or regulators raise questions. This structure works for static rules engines, but it breaks down for machine learning models that change multiple times a year.
What’s missing in many organizations is a standing, repeatable change-control structure. Retraining events, threshold adjustments, and tuning decisions are often handled through informal sign-offs, vendor assurances, or documentation created after the fact. Teams know updates are happening, but the governance record lags behind the operational reality. When questions arise, the organization is left reconstructing intent rather than pointing to a predefined process.
This is where a predetermined change control plan mindset matters. PCCP moves attention away from individual changes and toward the rules that govern change itself. Instead of asking whether a specific update should have happened, the question becomes whether it followed an approved, documented pathway, reflecting the FDA’s emphasis on preauthorized modification frameworks rather than repeated point-in-time review.¹
Models Change More Often Than Governance Does
The pressure to update payer AI models is constant. Governance frameworks, by contrast, tend to change slowly. Many were written before machine learning was in production at scale. They assume infrequent updates and linear approval processes. This means that health plans can struggle to explain how ongoing model updates are controlled, even when those updates are reasonable and necessary.
This gap shows up during audits and internal reviews when teams are able to describe why a model was improved but can’t easily show how that improvement fits within an approved governance structure. A predetermined change control plan addresses this mismatch by acknowledging that change is routine and designing controls around that reality.
PCCP & Defining Acceptable Change
The FDA guidance emphasizes that only changes described in advance qualify as in-scope under a PCCP.² Changes that fall outside those predefined boundaries require additional review and, in regulated contexts, can trigger enforcement risk if implemented without proper authorization.²
For UM and claims models, in-scope changes are those that refine performance without altering intent. These might include retraining a prior authorization model to reflect updated coverage criteria or adjusting a claims model to reduce known error patterns. These changes improve alignment with existing policy rather than redefining it.
Out-of-scope changes are equally important to name. Expanding a model to a new line of business, introducing new data sources, or going from decision support to automated determinations changes the risk profile. A predetermined change control plan does not prevent those changes. It makes clear that they require a different level of review.
By drawing these boundaries in advance, plans remove ambiguity. Teams know which changes can proceed under standard controls and which require escalation.
Planned Validation Evidence
Another lesson from the FDA’s PCCP guidance is that validation expectations must be defined before changes occur. Evidence created after deployment is rarely persuasive. For payer AI, this means deciding in advance what proof is required to support each category of in-scope change.
For UM and claims models, validation should focus on the specific risks those models introduce. Clinical concordance, denial accuracy, subgroup performance, and downstream effects on appeals all matter. Each approved update should be tested using the same metrics and acceptance criteria so that performance can be compared over time.
A PCCP-style validation approach for payers typically includes:
- Performance testing tied directly to the model’s original use case and policy intent
- Subpopulation analysis using payer-relevant groupings (age, product type, geography)
- Evaluation against the prior model so improvements don’t introduce regressions
When this structure is agreed upon in advance, validation becomes a routine step instead of a debate.
Vendor-Managed Models
For many health plans, UM and claims AI is vendor-supplied or jointly managed. This adds another layer of complexity. Plans may have limited visibility into retraining cadence, unclear criteria for when models are updated, and documentation that doesn’t map cleanly to payer audit needs.
This is one of the strongest reasons PCCP-style thinking resonates. A predetermined change control plan gives payers shared language and structure. It lets plans require vendors to operate within defined boundaries, provide specific validation evidence, and document changes in a way that aligns with payer oversight obligations.
As regulators ask more detailed questions about AI decision-making, plans stay accountable even when vendors manage the models.
Regulators Are Asking Better Questions
Although PCCP is not a formal requirement for payers, regulatory scrutiny is increasing. Auditors and reviewers are asking more precise questions about model change, not fewer. Health plans are expected to answer:
- How do you know the model did not change during the review period?
- When was it last updated?
- Who approved the change?
- How was the update tested before deployment?
These questions reflect new expectations. Regulators are probing whether organizations understand and control their AI systems over time. A predetermined change control plan provides a credible way to answer those questions without scrambling for documentation.
PCCP & Audit Logs
The most durable output of a predetermined change control plan is not faster updates; it’s better records. PCCP turns model updates into documented events with clear lineage. Each change can be traced back to an approved scope, a defined validation process, and an accountable decision.
For payer organizations, this matters during CMS audits, state DOI exams, NCQA reviews, and litigation. When questions arise, the plan allows teams to point to a standing process rather than reconstructing decisions after the fact.
The FDA guidance makes clear that failing to follow an authorized PCCP creates its own compliance risk.1 Payers should take the same lesson seriously. An undocumented or inconsistently applied update process is often more damaging than a model performance issue.
Looking Ahead
The FDA’s guidance arrived at a moment when AI governance expectations were already rising. Now the message is clear. Organizations using AI in regulated environments are expected to anticipate change and govern it deliberately.
For payers, adopting a predetermined change control plan mindset is about building a credible, repeatable way to manage UM and claims model updates as routine operational events. Plans that do this well will spend less time defending their models and more time improving them.
Are your UM and claims AI models changing faster than your governance can keep up? Clearlink works with health plans to bring structure and discipline to clinically focused AI operations. We help organizations define acceptable model changes, design validation and documentation practices that stand up during audits, and align vendors, clinical teams, and compliance around a shared change-control approach. Whether AI supports utilization management, claims review, or delegated clinical workflows, Clearlink helps plans govern model updates in a way that reflects how these systems operate in practice.
Contact us to learn how Clearlink can support your UM and claims AI governance efforts.
Sources:
1. Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions, U.S. Food & Drug Administration
2. FDA Issues Guidance on AI for Medical Devices, Ballard Spahr
