Two-Thirds of Doctors, Zero Procurement Trail
A hospital legal team can't depose a tool the hospital didn't buy. That's the upstream phase healthcare is sitting in, and Bentonville just showed how the downstream phase prices in.
In 2013, a Veterans Affairs hospital in Texas discovered that more than a hundred of its clinicians were using a third-party app to coordinate handoffs. The product had never been approved. It wasn't on the network whitelist. The CIO learned about it from a vendor's sales pitch. By the time the audit closed, two dozen people had to retrain on the sanctioned tool and the legal department spent eight months working out whether anything actionable had been transmitted through a service nobody had signed paper with.
That story used to be the cautionary tale. The fact that healthcare IT veterans tell it from memory tells you how rare it was. Adoption-without-procurement at clinical scale was a category, not a default.
NBC News this week reported that nearly two-thirds of U.S. physicians log into OpenEvidence, a medical AI tool, using their NPI numbers. The story is framed as adoption-as-progress. The story is actually that the category just became the default.
The number, discounted
Start with the figure itself. "Nearly two-thirds of U.S. physicians" is almost certainly a count of NPI-authenticated account creations, not a count of verified active clinical use. OpenEvidence has every incentive to use the largest plausible denominator when talking to the press, and "registered users" is how the largest plausible denominator gets reported. NBC ran the figure without flagging the methodology. Treat the direction as real and the precision as marketing.
Even discounted by half, the directional signal is the story. A material share of U.S. physicians are consulting an AI tool during clinical work, authenticated by their professional identifier, and their employers (the hospitals and health systems carrying the malpractice exposure) did not buy the product, do not have a contract with the vendor, and in most cases cannot identify which of their clinicians are using it for what.
That's not adoption. That's shadow IT at clinical scale. And the framework matters because once you name it, you can see the phases.
The upstream phase
Every shadow-tooling cycle has two phases. Upstream is the period after adoption has occurred but before the institution has reckoned with it. No procurement review. No data-flow audit. No clarity on whether a clinician pasting a patient summary into a third-party LLM has created a HIPAA event. No policy on whether an AI-assisted differential that turns out wrong is the clinician's judgment call or the tool's failure. None of the apparatus that would exist if the CIO had signed the contract.
The upstream phase feels calm because the consequences haven't arrived. That's exactly what makes it dangerous. Every month of unmanaged adoption is another month of accumulating exposure that no one is measuring, because the institution doesn't know it's there to measure.
A small aside, useful for sizing the gap. Most hospital procurement processes were designed for a world where the unit of analysis was a contract. You buy a product, the product is configured, the product is audited. Shadow tooling makes the unit of analysis a workflow, which is messier and harder. The procurement team can't audit a workflow. The compliance team can't depose a contract that doesn't exist. The governance vocabulary the institution speaks doesn't have a noun for what's happening on its own keyboards.
What Bentonville just did
Walmart is downstream. The WSJ this week framed the news as a 1,000-person layoff, which is how most outlets are covering it, and which buries the structural signal underneath. The org change is the story: Walmart merged its global-tech function with its AI product function, and the redundancies are what fall out when two previously separate orgs become one.
The layoff framing makes this a cost story. It's an admission. The previous org chart, built when AI was a product team inside a tech org, no longer matched how the work actually flowed. Adoption ate the boundary between the two functions. The company restructured to match a reality it didn't design.
That's downstream of shadow adoption when it's visible and measurable. Retail can do this in one news cycle because the consequence is an org-chart change and a severance line. The CEO signs off. The WSJ runs a piece. The market re-prices the discount rate by a basis point.
Why healthcare's reckoning looks different
The first malpractice case that turns on AI-assisted clinical reasoning is going to force the question that hospital general counsel offices are currently not asking out loud: did our clinician use an AI tool, which one, was it sanctioned, and what is our liability for a piece of software we never bought? I don't know whether that first case names the tool, the clinician, or the hospital that didn't know its clinicians were using one. That gap matters, because it determines who pays for the upstream phase.
My guess is the hospital. Not because the clinician was reckless. Most of them are using these tools the way they used UpToDate, as a reference with judgment layered on top. The reason is that the institution is the deep pocket and the institution failed to govern. "We didn't know" is not a defense. It is the allegation.
When that case lands, healthcare gets its Walmart moment. Except instead of an org-chart merger, it's a scramble to retrofit governance onto adoption that's already two or three years deep. Procurement reviews on tools already woven into clinical workflow. Data-flow audits on inputs that have already left the building. Policy frameworks written under deposition pressure rather than at leisure.
What the upstream phase is for
The useful move, right now, is to assume the adoption number is real and start the work that would exist if the institution had bought the tool. Sanction the use or prohibit it. Both are governance. Indifference is not. Audit what clinicians are pasting where. Get a contract in place with the vendors that matter so the data-handling is documented. Decide who carries the liability and put it in writing.
None of this is fun work. All of it is cheaper than doing it on a litigation timeline. The Walmart restructuring tells you what reactive governance costs in retail. The healthcare version, when it arrives, will be priced in settlements and consent decrees.
Nearly two-thirds of U.S. physicians, the NBC piece said. The figure is probably softer than it sounds. The exposure underneath it is harder. The 2013 VA hospital story took eight months and a sanctioned-tool retraining to close out, and that was one app at one site. The reckoning healthcare is queuing up now is the same shape, four orders of magnitude larger.
