Policy Brief: Ethical Governance for Healthcare Cybersecurity: A Protocol for Agentic Artificial Intelligence

IBRAHIM ADABARA; Bashir Olaniyi Sadiq; Aliyu Nuhu Shuaibu; Yale Ibrahim Danjuma; Venkateswarlu Maninti; Mutebi Joe

doi:10.12688/f1000research.178567.1

Home Browse Policy Brief: Ethical Governance for Healthcare Cybersecurity: A Protocol...

ALL Metrics

-

Views

-

Downloads

Get PDF

Get XML

Export

▬

✚

Policy Brief

Policy Brief: Ethical Governance for Healthcare Cybersecurity: A Protocol for Agentic Artificial Intelligence

[version 1; peer review: 2 approved with reservations]

IBRAHIM ADABARA ¹, Bashir Olaniyi Sadiq², Aliyu Nuhu Shuaibu², Yale Ibrahim Danjuma², Venkateswarlu Maninti¹, Mutebi Joe¹

IBRAHIM ADABARA ¹, Bashir Olaniyi Sadiq², [...] Aliyu Nuhu Shuaibu², Yale Ibrahim Danjuma², Venkateswarlu Maninti¹, Mutebi Joe¹

PUBLISHED 13 Mar 2026

Author details Author details

¹ Computing, Kampala International University - Western Campus, Bushenyi, Western Region, Uganda
² Electrical, Telecommunication and Computer Engineering, Kampala International University - Western Campus, Bushenyi, Western Region, Uganda

IBRAHIM ADABARA
Roles: Conceptualization, Formal Analysis, Methodology, Project Administration, Software, Validation, Visualization, Writing – Original Draft Preparation

Bashir Olaniyi Sadiq
Roles: Supervision, Validation, Writing – Review & Editing

Aliyu Nuhu Shuaibu
Roles: Methodology, Validation, Writing – Review & Editing

Yale Ibrahim Danjuma
Roles: Data Curation, Formal Analysis, Investigation, Software

Venkateswarlu Maninti
Roles: Data Curation, Investigation, Resources

Mutebi Joe
Roles: Data Curation, Investigation, Visualization

OPEN PEER REVIEW

REVIEWER STATUS

This article is included in the Artificial Intelligence and Machine Learning gateway.

This article is included in the Cybersecurity collection.

Abstract

Background

Healthcare systems face escalating cyber threats that compromise patient safety and institutional resilience. While artificial intelligence (AI) is increasingly deployed for intrusion detection and automated response, many systems remain reactive and insufficiently aligned with governance and regulatory standards.

Methods

This policy brief proposes a Governance Protocol for Ethical Agentic Artificial Intelligence in healthcare cybersecurity. The protocol articulates procedural and infrastructural principles for embedding ethical rule enforcement, explainability, regulatory alignment, and structured human oversight within autonomous AI decision loops. An operational illustration is provided through the Agentic Artificial Intelligence Framework (AAIF), developed using a Design Science Research methodology and evaluated in a simulated healthcare network environment using benchmark cybersecurity datasets.

Results

Evaluation across more than 280,000 healthcare-relevant network events demonstrated improvements in response time (34.8% reduction), recovery rate (41.6% increase), adaptability (27.5% improvement), and detection accuracy (96.8%). Governance metrics, including Ethical Compliance Rate (0.99), zero false escalations, and 35 ms decision latency, indicate that embedding governance constraints did not compromise technical performance.

Conclusions

Governance-embedded AI architectures can reconcile cybersecurity resilience with ethical accountability and regulatory coherence. Embedding governance as an architectural design condition rather than an external compliance layer offers a scalable pathway toward trustworthy digital health ecosystems, particularly in resource-constrained settings.

Keywords

ethical AI governance; healthcare cybersecurity; agentic artificial intelligence; AI accountability; governance-embedded AI; digital health resilience; regulatory alignment; low- and middle-income countries (LMICs)

Corresponding author: IBRAHIM ADABARA

Competing interests: No competing interests were disclosed.

Grant information: The author(s) declared that no grants were involved in supporting this work.

Copyright: © 2026 ADABARA I et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite: ADABARA I, Olaniyi Sadiq B, Nuhu Shuaibu A et al. Policy Brief: Ethical Governance for Healthcare Cybersecurity: A Protocol for Agentic Artificial Intelligence [version 1; peer review: 2 approved with reservations]. F1000Research 2026, 15:400 (https://doi.org/10.12688/f1000research.178567.1) First published: 13 Mar 2026, 15:400 (https://doi.org/10.12688/f1000research.178567.1) Latest published: 13 Mar 2026, 15:400 (https://doi.org/10.12688/f1000research.178567.1)

Introduction

Healthcare systems worldwide are undergoing rapid digital transformation. The integration of Electronic Health Records (EHRs), telemedicine platforms, cloud-based infrastructures, and Internet of Medical Things (IoMT) devices has expanded both the capacity and the vulnerability of clinical environments. As digital interconnectivity increases, healthcare has emerged as one of the most targeted sectors in the global cyber threat landscape (Kruse et al., 2017). Beyond financial losses, cyberattacks disrupt clinical workflows, delay treatment, expose sensitive patient data, and can directly endanger human life. In this context, cybersecurity resilience is no longer a purely technical concern but a foundational component of health system integrity.

Artificial intelligence (AI) has increasingly been deployed to strengthen cybersecurity defenses in healthcare settings. Machine learning–based intrusion detection systems, anomaly detection algorithms, and automated response mechanisms now form part of the digital security architecture of many hospitals and health networks. However, while these systems have improved detection capabilities, they often operate as optimization-driven models that prioritize statistical performance over governance considerations. Many remain opaque in their reasoning processes, lack embedded ethical constraints, and do not systematically align with emerging regulatory frameworks governing AI accountability and data protection (OECD, 2019; European Union, 2024).

This tension reflects a broader challenge within global AI governance. Contemporary policy debates emphasize principles such as transparency, accountability, human oversight, and fairness, yet these principles are frequently articulated at the level of guidelines and regulatory instruments rather than system architecture (Floridi et al., 2018; Jobin, Ienca, & Vayena, 2019). Scholars have argued that principles alone cannot guarantee ethical outcomes if they are not translated into operational mechanisms embedded within system design (Mittelstadt, 2019). In critical sectors such as healthcare, where AI systems may autonomously isolate networks, block clinical devices, or restrict data access, governance cannot remain external to operational logic. When autonomous systems act within life-critical environments, proportionality, explainability, and regulatory alignment must be embedded within the design of the system itself.

The result is a governance gap. Autonomous AI systems are granted decision-making authority within critical healthcare infrastructures, yet governance is frequently treated as an ex-post compliance layer rather than an internal architectural principle. This separation between technical autonomy and institutional accountability creates risks of legal liability, regulatory non-compliance, and erosion of public trust. It also exposes a structural weakness in current approaches to responsible AI: ethical principles are declared but not operationalized (Whittlestone et al., 2019; Raji et al., 2020).

These challenges are particularly acute in low- and middle-income countries (LMICs), where digital health expansion often outpaces cybersecurity governance capacity. Resource constraints, uneven regulatory harmonization, and reliance on imported technologies may limit institutional control over AI system design and oversight. In such contexts, governance deficits risk reinforcing technological dependency and limiting data sovereignty (Couldry & Mejias, 2019; Birhane, 2020). At the same time, cyber threats are transnational in scope, requiring governance approaches that are scalable, interoperable, and adaptable across diverse infrastructural environments.

Addressing this governance gap requires moving beyond performance-centric AI deployment toward governance-embedded AI architectures. Rather than positioning ethics and regulation as supervisory mechanisms layered onto technical systems, governance principles must be internalized within autonomous decision-making processes. This policy brief proposes a Governance Protocol for Ethical Agentic Artificial Intelligence in Healthcare Cybersecurity. The protocol outlines procedural and infrastructural principles intended to guide the design, implementation, and evaluation of AI-driven cybersecurity systems that reconcile technical resilience with ethical accountability and regulatory coherence across diverse institutional contexts.

Principles of the governance protocol for ethical agentic artificial intelligence

Healthcare cybersecurity operates at the intersection of clinical service delivery, digital infrastructure management, regulatory oversight, and ethical accountability. As AI systems assume increasing levels of autonomy within these environments, governance can no longer be treated as an external supervisory layer. Instead, it must be embedded within the architectural logic of AI systems themselves. The Governance Protocol proposed here outlines a set of procedural and infrastructural principles intended to guide the design, implementation, and oversight of agentic AI systems in healthcare cybersecurity contexts. These principles are neither exhaustive nor universally prescriptive. Rather, they offer a structured framework through which institutions may reflect upon and calibrate governance-embedded AI deployments according to contextual and regulatory conditions.

Procedural principles

The procedural principles concern the internal logic of AI systems and the mechanisms through which autonomous cybersecurity decisions are made.

A first principle is that of governance-embedded decision loops. Autonomous cybersecurity systems should encode institutional policies and regulatory constraints directly within their operational processes. Actions such as network isolation, device quarantine, or access restriction should not be triggered solely by statistical anomaly detection, but must first be evaluated against predefined governance rules. This repositions governance from an ex-post compliance mechanism to an ex-ante decision condition.

Closely related is the principle of ethical rule enforcement. AI systems operating in healthcare environments must incorporate explicit ethical constraints that regulate proportionality, patient safety, data confidentiality, and service continuity. Ethical reasoning components should function as mandatory evaluative stages within the decision loop, ensuring that technical responses to cyber threats do not generate unintended clinical or legal harm.

Explainability and auditability constitute a further core principle. Autonomous cybersecurity decisions must be interpretable to institutional stakeholders, regulators, and oversight bodies. Feature attribution mechanisms and structured logging systems can enable transparent review of AI-generated actions. Without such interpretability, accountability becomes difficult to sustain, particularly when AI interventions affect clinical operations.

Human-in-the-loop escalation mechanisms provide an additional safeguard. While agentic AI architectures may operate with high levels of autonomy, high-impact or ethically ambiguous decisions should trigger escalation pathways to designated human authorities. Such escalation preserves accountability and democratic oversight while maintaining operational responsiveness.

Regulatory alignment must also be internalized within AI system architecture. Compliance with cybersecurity and data governance standards should not be limited to documentation practices; rather, regulatory constraints should be encoded into system logic. Embedding recognized governance frameworks within AI operational rules strengthens coherence between technical resilience and institutional legality.

Contextual adaptation represents another essential procedural consideration. Healthcare infrastructures vary significantly in terms of bandwidth capacity, device heterogeneity, staffing patterns, and regulatory maturity. Governance-embedded AI systems must remain robust across such variations, particularly in resource-constrained environments. Adaptive thresholding and dynamic response calibration are therefore critical to maintaining both effectiveness and fairness.

The principle of proportional response further underscores the need to balance threat mitigation against clinical continuity. Overly aggressive automated containment strategies may disrupt essential healthcare services, producing harms comparable to those posed by the original cyber threat. Governance-embedded AI must therefore calibrate its responses to risk severity in a manner consistent with healthcare priorities.

Finally, evaluation and continuous learning are indispensable. Governance metrics such as ethical compliance rates, escalation accuracy, and false positive thresholds should be periodically assessed and recalibrated. Continuous feedback loops allow AI systems to evolve alongside changing threat landscapes and regulatory expectations.

Infrastructural principles

Infrastructural principles address the broader institutional ecosystem within which agentic AI systems operate.

Institutional capacity forms a foundational prerequisite. Governance-embedded AI requires adequate technical infrastructure, skilled personnel, and sustained leadership commitment. Without such foundations, even well-designed AI architectures may fail to deliver accountable outcomes.

Governance literacy is equally important. Effective oversight of agentic AI systems depends upon interdisciplinary understanding across clinical, technical, legal, and policy domains. Stakeholders must possess sufficient literacy to interpret AI outputs, evaluate governance performance, and engage meaningfully in oversight processes.

The development of certification and standards mechanisms further strengthens governance coherence. Regulatory authorities may establish measurable benchmarks for ethical compliance, explainability, and escalation protocols. Such standards can facilitate harmonization across institutions and jurisdictions.

Regional coordination and respect for data sovereignty represent additional infrastructural considerations. Cyber threats transcend national borders, and governance frameworks must therefore accommodate cross-border intelligence sharing while preserving regulatory autonomy and patient data protections.

Finally, trust and legitimacy underpin the long-term viability of governance-embedded AI. Transparent decision processes, consistent rule application, and clear accountability pathways are central to sustaining institutional and public confidence in autonomous cybersecurity systems.

Operational illustration: The Agentic Artificial Intelligence Framework (AAIF) case

To illustrate the feasibility of the proposed Governance Protocol, this section presents an operational case in which governance-embedded principles were implemented within an agentic cybersecurity architecture operating in a healthcare-relevant environment.

One implementation example consistent with the proposed protocol is the Agentic Artificial Intelligence Framework (AAIF), developed using a Design Science Research (DSR) methodology (Hevner, March, Park, & Ram, 2004) and evaluated within a simulated healthcare network environment reflecting real-world operational constraints. The purpose of this illustration is not to promote a specific technical solution, but to demonstrate how governance principles may be embedded directly into autonomous AI architectures in practice.

Healthcare cybersecurity has been widely recognized as a high-risk domain requiring adaptive and context-sensitive defense mechanisms (Kruse et al., 2017). In response to this threat environment, the AAIF integrates reinforcement learning–based threat adaptation, embedded ethical rule enforcement, explainability mechanisms, and structured escalation protocols. Its architectural design operationalizes governance constraints within the AI decision loop, thereby aligning technical responses with institutional policy conditions. To clarify the conceptual distinction between conventional AI cybersecurity systems and governance-embedded agentic architectures, Table 1 summarizes the primary structural differences.

Table 1. Comparative characteristics of conventional AI cybersecurity systems and governance-embedded agentic AI architectures (AAIF implementation).

Dimension	Conventional AI systems	Governance-embedded agentic AI (AAIF Implementation)
Threat adaptation	Primarily reactive detection models	Reinforcement learning–based adaptive response
Explainability	Limited or absent	Integrated SHAP/LIME-based interpretability
Ethical governance	External oversight or absent	Embedded ethical rule matrix (ER-01–ER-05)
Regulatory alignment	Compliance assessed externally	Operational alignment with governance frameworks
Infrastructure sensitivity	Optimized for high-resource settings	Validated under bandwidth constraints (0–50 Mbps)
Contextual validation	Generic deployment assumptions	Simulated within the LMIC healthcare environment

The AAIF was evaluated using more than 280,000 healthcare-relevant network events derived from benchmark intrusion detection datasets (CICIDS2017, CSE-CIC-IDS2018, DARPA r6.2). Simulated adversarial scenarios included ransomware attacks, phishing intrusions, insider misuse, and IoMT device compromise. The evaluation focused on both technical performance metrics and governance-related indicators. Table 2 presents selected performance outcomes. The evaluation suggests that embedding governance constraints did not compromise detection performance. On the contrary, improvements were observed in response time, recovery rate, and adaptability. Importantly, governance-specific metrics, including ethical compliance and escalation accuracy, were measurable and auditable within the system architecture. While the AAIF provides a demonstrative case, the Governance Protocol proposed in this brief is not limited to a single technical instantiation. The principles articulated here may be implemented through diverse architectural approaches, depending on institutional and regulatory contexts.

Table 2. Performance evaluation of governance-embedded agentic AI architecture (AAIF case).

Performance metric	Baseline systems	Agentic AI implementation	Observed outcome
Response time	180 ms	117 ms	34.8% reduction
Recovery rate	58.7%	83.1%	41.6% increase
Adaptability	Conventional baseline	+27.5% improvement	Improved response to evolving threats
Detection accuracy	92.4%	96.8%	Higher detection reliability
Ethical compliance rate (ECR)	Not measured	0.99	High rule adherence
False escalations	Not measured	0.0000	No unnecessary human escalation
Decision latency	Not reported	35 ms	Real-time governance enforcement

These findings indicate that governance-embedded AI architectures can reconcile technical resilience with accountability mechanisms, even in bandwidth-constrained environments. While the AAIF represents a single implementation case, it demonstrates that the integration of ethical rule matrices, explainability components, and escalation protocols within AI decision loops is operationally feasible. The broader implication is that governance need not be treated as an external supervisory function; it can be architecturally internalized within agentic AI systems without sacrificing performance efficiency.

Implications

The Governance Protocol for Ethical Agentic Artificial Intelligence has implications that extend beyond the specific operational case presented. Embedding governance within AI cybersecurity architectures represents a structural shift in how institutions conceptualize accountability, autonomy, and resilience in digital health systems.

First, the protocol reframes governance from an external compliance function to an internal design condition. Traditional regulatory models rely on documentation, audits, and after-the-fact evaluation of system behavior. Governance-embedded AI architectures, by contrast, incorporate ethical constraints, escalation logic, and policy alignment directly within operational decision loops. This shift responds to a widely recognized limitation in contemporary AI governance discourse: the gap between principle articulation and practical implementation (Mittelstadt, 2019; Whittlestone et al., 2019). Embedding governance within system architecture has the potential to reduce regulatory lag and improve institutional responsiveness to evolving threat landscapes. However, it also requires regulators to develop new forms of technical literacy capable of evaluating system-embedded governance mechanisms rather than solely reviewing procedural compliance.

Second, the protocol highlights a tension between autonomy and oversight. Agentic AI architectures are designed to operate with minimal human intervention in time-sensitive threat environments. Yet healthcare settings demand accountability, transparency, and proportionality. Embedding structured human-in-the-loop escalation mechanisms offers a potential balance, but trade-offs remain. Excessive human intervention may reduce operational efficiency, while insufficient oversight risks ethical and legal exposure. Institutions must therefore calibrate escalation thresholds according to risk tolerance, clinical criticality, and regulatory context. This tension reflects broader debates in responsible AI concerning the appropriate distribution of authority between automated systems and human governance structures (Floridi et al., 2018).

Third, the integration of ethical rule matrices introduces questions regarding value alignment and normative interpretation. Ethical constraints are not culturally or legally neutral; they reflect institutional priorities and societal norms. As governance-embedded AI systems are deployed across diverse jurisdictions, differences in regulatory regimes and ethical expectations may require contextual adaptation. Harmonization efforts at regional or international levels may therefore become increasingly important, particularly in cross-border healthcare networks. The global diversity of AI ethics frameworks documented in comparative analyses further underscores the need for context-sensitive governance implementation (Jobin, Ienca, & Vayena, 2019).

Fourth, the protocol underscores the importance of infrastructural readiness. Governance-embedded AI cannot compensate for systemic weaknesses such as inadequate cybersecurity staffing, fragmented regulatory authority, or under-resourced digital infrastructure. The successful deployment of agentic AI architectures depends on parallel investments in institutional capacity, governance literacy, and certification mechanisms. In resource-constrained contexts, insufficient governance capacity may exacerbate technological dependency and limit institutional autonomy (Couldry & Mejias, 2019; Birhane, 2020).

Fifth, the case illustration suggests that embedding governance constraints does not necessarily degrade technical performance. Nonetheless, performance trade-offs remain possible. For example, strict proportionality rules may delay automated containment actions in ambiguous threat scenarios. Conversely, aggressive automated responses may protect data integrity while disrupting clinical continuity. Continuous evaluation and auditing mechanisms are therefore essential to monitor unintended consequences and recalibrate system parameters, consistent with emerging calls for systematic algorithmic auditing practices (Raji et al., 2020).

Finally, the protocol raises broader questions concerning trust and legitimacy in the age of autonomous systems. Public confidence in digital health infrastructures depends not only on technical robustness but also on the visibility of accountability structures. Governance-embedded AI architectures may enhance legitimacy by making ethical compliance measurable and auditable. However, transparency mechanisms must themselves be accessible and interpretable to non-technical stakeholders, ensuring that explainability does not become a purely symbolic exercise. These implications suggest that governance-embedded AI should not be understood merely as a technological enhancement, but as an institutional transformation. The integration of ethical reasoning, regulatory alignment, and adaptive learning within cybersecurity systems reshapes the relationship between automation and accountability in healthcare environments.

Actionable recommendations

The Governance Protocol for Ethical Agentic Artificial Intelligence is directed not at a single institution, but at the broader digital health and cybersecurity ecosystem. Its implementation requires coordinated action across regulatory, institutional, and professional domains.

First, regulatory authorities should move beyond documentation-based compliance models toward measurable governance benchmarks for AI-driven cybersecurity systems. This may include defining minimum standards for explainability, ethical compliance monitoring, structured escalation pathways, and auditability mechanisms. Embedding such criteria within procurement and certification frameworks can incentivize the development of governance-aligned AI architectures.

Second, healthcare institutions should integrate governance literacy into their cybersecurity strategy. Multidisciplinary training initiatives that bridge clinical practice, AI system design, cybersecurity management, and regulatory policy can strengthen institutional capacity to oversee autonomous systems effectively. Governance-embedded AI requires informed oversight rather than passive reliance on technical vendors.

Third, policymakers and standards bodies should encourage the development of evaluation frameworks that incorporate governance metrics alongside technical performance indicators. Ethical compliance rates, escalation accuracy, proportional response calibration, and decision transparency should become part of routine assessment practices. Continuous evaluation can help mitigate unintended consequences and maintain public trust.

Fourth, controlled testing environments such as regulatory sandboxes or pilot deployments may facilitate iterative refinement of governance-embedded AI architectures before large-scale implementation. Such environments allow institutions to calibrate autonomy thresholds and ethical constraints within real-world operational contexts while managing systemic risk.

Finally, regional and international coordination mechanisms should be strengthened to harmonize governance standards across jurisdictions. Given the cross-border nature of cyber threats and digital health infrastructures, collaborative frameworks can support interoperability while respecting national data sovereignty and regulatory diversity. Together, these recommendations emphasize that governance-embedded AI is not solely a technical innovation but a systemic reform. Aligning autonomous cybersecurity systems with ethical accountability and regulatory coherence requires coordinated institutional commitment, adaptive oversight mechanisms, and sustained investment in governance capacity.

Conclusion

The accelerating digital transformation of healthcare systems has created unprecedented opportunities for improved clinical coordination, data-driven decision-making, and expanded access to care. At the same time, it has introduced new layers of systemic vulnerability. As cyber threats grow in sophistication and scale, reliance on conventional reactive cybersecurity measures may prove insufficient. The integration of artificial intelligence into healthcare cybersecurity architectures is increasingly inevitable; the critical question is not whether AI will be deployed, but how it will be governed.

This policy brief has proposed a Governance Protocol for Ethical Agentic Artificial Intelligence as a structural response to the emerging governance gap in autonomous cybersecurity systems. By embedding ethical constraints, explainability mechanisms, regulatory alignment, and escalation logic directly within AI decision loops, governance becomes an architectural feature rather than an external supervisory function. The operational illustration suggests that governance-embedded architectures are technically feasible. More broadly, governance-embedded AI represents a shift in institutional design. It redefines the relationship between automation and accountability, requiring new forms of regulatory literacy, certification standards, and interdisciplinary collaboration. As healthcare systems increasingly rely on autonomous digital infrastructures, the legitimacy and resilience of those systems will depend not only on technical robustness but on visible and measurable accountability mechanisms.

Global health resilience in the coming decade will hinge on the ability of institutions to align innovation with ethical stewardship. Embedding governance within AI architectures offers one pathway toward reconciling technological advancement with public trust. The transition from compliance-driven oversight to governance-integrated system design may prove foundational to the next generation of secure and trustworthy digital health ecosystems.

Data availability

Underlying data

Repository name: Agentic Artificial Intelligence Framework (AAIF) Evaluation Dataset.

Figshare. https://doi.org/10.6084/m9.figshare.31400445 (Adabara, I. (2026)).

The project contains the following underlying data required to replicate the findings reported in this article:

• aaif_performance_metrics.csv – Raw evaluation outputs underlying the reported performance results, including response time (ms), recovery rate (%), adaptability scores, detection accuracy (%), Ethical Compliance Rate (ECR), false escalation counts, and decision latency values. These files contain the values underlying the summary statistics reported in Table 2.
• aaif_escalation_logs.csv – Structured logs of automated decisions and human-in-the-loop escalation triggers generated during simulated adversarial scenarios.
• aaif_simulation_parameters.json – Configuration parameters defining bandwidth constraints (0–50 Mbps), threat scenario categories (ransomware, phishing, insider misuse, IoMT compromise), and system response thresholds used during evaluation.

Extended data

Repository name: Agentic Artificial Intelligence Framework (AAIF) Evaluation Dataset.

Figshare. https://doi.org/10.6084/m9.figshare.31400445 (Adabara, I. (2026)).

The project contains the following extended data supporting the interpretation of results:

• Ethical_Rule_Matrix_ER01-ER05.pdf – Documentation of governance constraints embedded within the AI decision loop, detailing ethical rule definitions and proportionality conditions.
• Supplementary_Evaluation_Tables.xlsx – Expanded performance metrics across adversarial scenarios and bandwidth conditions supporting the summary statistics presented in the manuscript.
• System_Architecture_Diagram.png – Visual representation of the governance-embedded agentic decision loop architecture.

Data are available under the terms of the Creative Commons Attribution 4.0 International (CC BY 4.0) license. The datasets are publicly accessible and are not subject to embargo or login restrictions.

References

Adabara I: Agentic Artificial Intelligence Framework (AAIF) Evaluation Dataset. [Data set]. Figshare. 2026. Publisher Full Text
Birhane A: Algorithmic colonization of Africa. SCRIPTed. 2020; 17(2): 389–409. Publisher Full Text
Couldry N, Mejias UA: Data colonialism: Rethinking big data’s relation to the contemporary subject. Telev. New Media. 2019; 20(4): 336–349. Publisher Full Text
European Union: Artificial Intelligence Act (Regulation (EU) 2024). Official Journal of the European Union; 2024. Reference Source
Floridi L, Cowls J, Beltrametti M, et al.: AI4People—An ethical framework for a good AI society: Opportunities, risks, principles, and recommendations. Mind. Mach. 2018; 28: 689–707. PubMed Abstract | Publisher Full Text | Free Full Text
Hevner AR, March ST, Park J, et al.: Design science in information systems research. MIS Q. 2004; 28(1): 75–105.
Jobin A, Ienca M, Vayena E: The global landscape of AI ethics guidelines. Nature Machine Intelligence. 2019; 1: 389–399. Publisher Full Text
Kruse CS, Frederick B, Jacobson T, et al.: Cybersecurity in healthcare: A systematic review of modern threats and trends. Technol. Health Care. 2017; 25(1): 1–10. PubMed Abstract | Publisher Full Text
Mittelstadt B: Principles alone cannot guarantee ethical AI. Nature Machine Intelligence. 2019; 1: 501–507. Publisher Full Text
OECD: OECD principles on artificial intelligence.2019. Reference Source
Raji ID, Smart A, White RN, et al.: Closing the AI accountability gap: Defining an end-to-end framework for internal algorithmic auditing. Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency. 2020; pp. 33–44. Publisher Full Text
Whittlestone J, Nyrup R, Alexandrova A, et al.: The role and limits of principles in AI ethics: Towards a focus on tensions. Proceedings of the AAAI/ACM Conference on AI, Ethics, and Society. 2019; pp. 195–200. Publisher Full Text

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 13 Mar 2026

Author details Author details

¹ Computing, Kampala International University - Western Campus, Bushenyi, Western Region, Uganda
² Electrical, Telecommunication and Computer Engineering, Kampala International University - Western Campus, Bushenyi, Western Region, Uganda

IBRAHIM ADABARA
Roles: Conceptualization, Formal Analysis, Methodology, Project Administration, Software, Validation, Visualization, Writing – Original Draft Preparation

Bashir Olaniyi Sadiq
Roles: Supervision, Validation, Writing – Review & Editing

Aliyu Nuhu Shuaibu
Roles: Methodology, Validation, Writing – Review & Editing

Yale Ibrahim Danjuma
Roles: Data Curation, Formal Analysis, Investigation, Software

Venkateswarlu Maninti
Roles: Data Curation, Investigation, Resources

Mutebi Joe
Roles: Data Curation, Investigation, Visualization

Competing interests

No competing interests were disclosed.

Grant information

The author(s) declared that no grants were involved in supporting this work.

Article Versions (1)

version 1

Published: 13 Mar 2026, 15:400

https://doi.org/10.12688/f1000research.178567.1

Copyright

© 2026 ADABARA I et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Download

Export To

metrics

	Views	Downloads
F1000Research	-	-
PubMed Central Data from PMC are received and updated monthly.	-	-

Citations

0

SEE MORE DETAILS

CITE

how to cite this article

ADABARA I, Olaniyi Sadiq B, Nuhu Shuaibu A et al. Policy Brief: Ethical Governance for Healthcare Cybersecurity: A Protocol for Agentic Artificial Intelligence [version 1; peer review: 2 approved with reservations]. F1000Research 2026, 15:400 (https://doi.org/10.12688/f1000research.178567.1)

NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article.

track

receive updates on this article

Track an article to receive email alerts on any updates to this article.

Open Peer Review

Version 1

VERSION 1

PUBLISHED 13 Mar 2026

Views

5

Reviewer Report 26 Mar 2026

Oluwaseun Oladeji Olaniyi, University of the Cumberlands, Williamsburg, Kentucky, USA

Approved with Reservations

https://doi.org/10.5256/f1000research.196969.r468121

Summary of the article
This policy brief argues that governance should be embedded directly into AI systems used in healthcare cybersecurity rather than applied after deployment. It proposes a Governance Protocol for Ethical Agentic AI built on procedural principles ... Continue reading

Summary of the article
This policy brief argues that governance should be embedded directly into AI systems used in healthcare cybersecurity rather than applied after deployment. It proposes a Governance Protocol for Ethical Agentic AI built on procedural principles such as ethical rule enforcement, explainability, and human oversight, alongside infrastructural elements like governance literacy and certification. The paper introduces an illustrative framework (AAIF) and reports improvements in system performance and governance-related outcomes. It concludes that governance-integrated AI can strengthen cybersecurity resilience while maintaining accountability and trust.
1. Accessibility and contextual overview
Answer: Partly
The paper clearly outlines the problem and presents a structured framework. However, accessibility is limited by frequent use of technical terminology without plain-language explanation. The implementation context is also somewhat abstract, lacking a concrete real-world example to anchor the discussion. The reference to low- and middle-income settings is not sufficiently developed, making it unclear how the framework adapts to resource constraints.
Improvements: Define key terms in simple language, include a short real-world scenario early in the paper, and clarify how the protocol specifically applies to resource-constrained environments.
2. Discussion of implications and use of literature
Answer: Partly
The implications are relevant and logically organized, covering accountability, governance design, and institutional readiness. However, they rely heavily on general AI ethics literature and less on domain-specific healthcare cybersecurity governance. Some claims, such as improved regulatory responsiveness, are not fully explained or supported with clear mechanisms.
Improvements: Incorporate more healthcare cybersecurity governance sources, clarify how key outcomes would be measured, and distinguish between evidence-based findings and forward-looking claims.
3. Recommendations
Answer: Yes
The recommendations are clear, balanced, and aligned with the paper’s arguments. They appropriately emphasize measurable governance, pilot testing, and institutional capacity. The tone is realistic and avoids overstatement.
Improvements: Provide more implementation detail, such as examples of regulatory sandboxes and clearer prioritization of recommendations.
Key issues requiring resolution

Clearly state the paper’s original contribution.
Define baseline systems used for performance comparisons.
Provide formal definitions for governance metrics.
Justify dataset relevance to healthcare contexts.
Strengthen domain-specific literature.
Clarify or narrow the LMIC framing.

Addressing these points is necessary to ensure the paper is scientifically robust and practically useful.

Does the paper provide a comprehensive overview of the policy and the context of its implementation in a way which is accessible to a general reader?

Partly
Is the discussion on the implications clearly and accurately presented and does it cite the current literature?

Partly
Are the recommendations made clear, balanced, and justified on the basis of the presented arguments?

Yes

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Information governance, cybersecurity, data privacy, AI governance, data analytics, risk management, blockchain technology, compliance and regulatory frameworks, enterprise security strategy, digital transformation

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

CITE

Report a concern

Respond or Comment

Views

8

Reviewer Report 25 Mar 2026

Anjali Bhadre, Information Technology, G H Raisoni Institute of Engineering and Technology Pune, Nashik, Maharashtra, India

Harshvardhan Ghongade, Brahma Valley College of Engineering and Research Institute, Nashik, India

Approved with Reservations

https://doi.org/10.5256/f1000research.196969.r469503

Key Requirements for Scientific Soundness of Paper:
Define the contribution of the paper clearly differentiating it from prior AAIF papers.
State the baseline system on which all quantitative comparative claims were made (or remove them).
Define ... Continue reading

Key Requirements for Scientific Soundness of Paper:
Define the contribution of the paper clearly differentiating it from prior AAIF papers.
State the baseline system on which all quantitative comparative claims were made (or remove them).
Define formally all custom governance metrics with operational criteria and provide the equation for each.
Justify why CICIDS2017, CSE-CIC-IDS2018, and DARPA r6.2 are relevant to health care (or state it is a limitation).
Fill out Tables 1 and 2 completely.
Cite existing cybersecurity governance frameworks in the implications section.
Clarify LMIC framing -- either operationalize it in the protocol or substantively change the framing.
Recommended Improvements To Enhance The Manuscript:
Provide a specific real-world example in the introduction to anchor the concepts.
Provide plain language definitions for technical terms.
Benchmark the 35 ms decision latency against hardware specifications and industry benchmarks.
Refer to existing regulatory sandbox programs in the recommendations.
Explain feasibility and costs of implementing this in resource-constrained environments.
Remove redundancy in the implications section.

Does the paper provide a comprehensive overview of the policy and the context of its implementation in a way which is accessible to a general reader?

Partly
Is the discussion on the implications clearly and accurately presented and does it cite the current literature?

Partly
Are the recommendations made clear, balanced, and justified on the basis of the presented arguments?

Yes

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Artificial Intelligence and Machine LearningHealthcare Informatics and Digital Health SystemsCybersecurity and Network SecurityAI Ethics, Governance, and Responsible AIPolicy Analysis and Regulatory Frameworks

We confirm that we have read this submission and believe that we have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however we have significant reservations, as outlined above.

CITE

Report a concern

Respond or Comment

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 13 Mar 2026

Open Peer Review

Reviewer Status

Reviewer Reports

	Invited Reviewers
	1	2
Version 1 13 Mar 26	read	read

Anjali Bhadre, G H Raisoni Institute of Engineering and Technology Pune, Nashik, India

Harshvardhan Ghongade, Brahma Valley College of Engineering and Research Institute, Nashik, India
Oluwaseun Oladeji Olaniyi, University of the Cumberlands, Williamsburg, USA

Comments on this article

All Comments(0)

Add a comment

Sign up for content alerts

Browse by related subjects

Back to all reports

Reviewer Report

5 Views

26 Mar 2026 | for Version 1

Oluwaseun Oladeji Olaniyi, University of the Cumberlands, Williamsburg, Kentucky, USA

5 Views Cite this report Responses(0)

Approved With Reservations

Summary of the article
This policy brief argues that governance should be embedded directly into AI systems used in healthcare cybersecurity rather than applied after deployment. It proposes a Governance Protocol for Ethical Agentic AI built on procedural principles such as ethical rule enforcement, explainability, and human oversight, alongside infrastructural elements like governance literacy and certification. The paper introduces an illustrative framework (AAIF) and reports improvements in system performance and governance-related outcomes. It concludes that governance-integrated AI can strengthen cybersecurity resilience while maintaining accountability and trust.
1. Accessibility and contextual overview
Answer: Partly
The paper clearly outlines the problem and presents a structured framework. However, accessibility is limited by frequent use of technical terminology without plain-language explanation. The implementation context is also somewhat abstract, lacking a concrete real-world example to anchor the discussion. The reference to low- and middle-income settings is not sufficiently developed, making it unclear how the framework adapts to resource constraints.
Improvements: Define key terms in simple language, include a short real-world scenario early in the paper, and clarify how the protocol specifically applies to resource-constrained environments.
2. Discussion of implications and use of literature
Answer: Partly
The implications are relevant and logically organized, covering accountability, governance design, and institutional readiness. However, they rely heavily on general AI ethics literature and less on domain-specific healthcare cybersecurity governance. Some claims, such as improved regulatory responsiveness, are not fully explained or supported with clear mechanisms.
Improvements: Incorporate more healthcare cybersecurity governance sources, clarify how key outcomes would be measured, and distinguish between evidence-based findings and forward-looking claims.
3. Recommendations
Answer: Yes
The recommendations are clear, balanced, and aligned with the paper’s arguments. They appropriately emphasize measurable governance, pilot testing, and institutional capacity. The tone is realistic and avoids overstatement.
Improvements: Provide more implementation detail, such as examples of regulatory sandboxes and clearer prioritization of recommendations.
Key issues requiring resolution

Clearly state the paper’s original contribution.
Define baseline systems used for performance comparisons.
Provide formal definitions for governance metrics.
Justify dataset relevance to healthcare contexts.
Strengthen domain-specific literature.
Clarify or narrow the LMIC framing.

Addressing these points is necessary to ensure the paper is scientifically robust and practically useful.

Does the paper provide a comprehensive overview of the policy and the context of its implementation in a way which is accessible to a general reader?

Partly
Is the discussion on the implications clearly and accurately presented and does it cite the current literature?

Partly
Are the recommendations made clear, balanced, and justified on the basis of the presented arguments?

Yes

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Information governance, cybersecurity, data privacy, AI governance, data analytics, risk management, blockchain technology, compliance and regulatory frameworks, enterprise security strategy, digital transformation

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

Respond to this report

Responses (0)

Back to all reports

Reviewer Report

8 Views

25 Mar 2026 | for Version 1

Anjali Bhadre, Information Technology, G H Raisoni Institute of Engineering and Technology Pune, Nashik, Maharashtra, India

Harshvardhan Ghongade, Brahma Valley College of Engineering and Research Institute, Nashik, India

8 Views Cite this report Responses(0)

Approved With Reservations

Key Requirements for Scientific Soundness of Paper:
Define the contribution of the paper clearly differentiating it from prior AAIF papers.
State the baseline system on which all quantitative comparative claims were made (or remove them).
Define formally all custom governance metrics with operational criteria and provide the equation for each.
Justify why CICIDS2017, CSE-CIC-IDS2018, and DARPA r6.2 are relevant to health care (or state it is a limitation).
Fill out Tables 1 and 2 completely.
Cite existing cybersecurity governance frameworks in the implications section.
Clarify LMIC framing -- either operationalize it in the protocol or substantively change the framing.
Recommended Improvements To Enhance The Manuscript:
Provide a specific real-world example in the introduction to anchor the concepts.
Provide plain language definitions for technical terms.
Benchmark the 35 ms decision latency against hardware specifications and industry benchmarks.
Refer to existing regulatory sandbox programs in the recommendations.
Explain feasibility and costs of implementing this in resource-constrained environments.
Remove redundancy in the implications section.

Does the paper provide a comprehensive overview of the policy and the context of its implementation in a way which is accessible to a general reader?

Partly
Is the discussion on the implications clearly and accurately presented and does it cite the current literature?

Partly
Are the recommendations made clear, balanced, and justified on the basis of the presented arguments?

Yes

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Artificial Intelligence and Machine LearningHealthcare Informatics and Digital Health SystemsCybersecurity and Network SecurityAI Ethics, Governance, and Responsible AIPolicy Analysis and Regulatory Frameworks

We confirm that we have read this submission and believe that we have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however we have significant reservations, as outlined above.

Respond to this report

Responses (0)

[1] Adabara I: Agentic Artificial Intelligence Framework (AAIF) Evaluation Dataset. [Data set]. Figshare. 2026. Publisher Full Text

[2] Birhane A: Algorithmic colonization of Africa. SCRIPTed. 2020; 17(2): 389–409. Publisher Full Text

[3] Couldry N, Mejias UA: Data colonialism: Rethinking big data’s relation to the contemporary subject. Telev. New Media. 2019; 20(4): 336–349. Publisher Full Text

[4] European Union: Artificial Intelligence Act (Regulation (EU) 2024). Official Journal of the European Union; 2024. Reference Source

[5] Floridi L, Cowls J, Beltrametti M, et al.: AI4People—An ethical framework for a good AI society: Opportunities, risks, principles, and recommendations. Mind. Mach. 2018; 28: 689–707. PubMed Abstract | Publisher Full Text | Free Full Text

[6] Hevner AR, March ST, Park J, et al.: Design science in information systems research. MIS Q. 2004; 28(1): 75–105.

[7] Jobin A, Ienca M, Vayena E: The global landscape of AI ethics guidelines. Nature Machine Intelligence. 2019; 1: 389–399. Publisher Full Text

[8] Kruse CS, Frederick B, Jacobson T, et al.: Cybersecurity in healthcare: A systematic review of modern threats and trends. Technol. Health Care. 2017; 25(1): 1–10. PubMed Abstract | Publisher Full Text

[9] Mittelstadt B: Principles alone cannot guarantee ethical AI. Nature Machine Intelligence. 2019; 1: 501–507. Publisher Full Text

[10] OECD: OECD principles on artificial intelligence.2019. Reference Source

[11] Raji ID, Smart A, White RN, et al.: Closing the AI accountability gap: Defining an end-to-end framework for internal algorithmic auditing. Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency. 2020; pp. 33–44. Publisher Full Text

[12] Whittlestone J, Nyrup R, Alexandrova A, et al.: The role and limits of principles in AI ethics: Towards a focus on tensions. Proceedings of the AAAI/ACM Conference on AI, Ethics, and Society. 2019; pp. 195–200. Publisher Full Text

Policy Brief: Ethical Governance for Healthcare Cybersecurity: A Protocol for Agentic Artificial Intelligence

Abstract

Background

Methods

Results

Conclusions

Keywords

Introduction

Principles of the governance protocol for ethical agentic artificial intelligence

Procedural principles

Infrastructural principles

Operational illustration: The Agentic Artificial Intelligence Framework (AAIF) case

Table 1. Comparative characteristics of conventional AI cybersecurity systems and governance-embedded agentic AI architectures (AAIF implementation).

Table 2. Performance evaluation of governance-embedded agentic AI architecture (AAIF case).

Implications

Actionable recommendations

Conclusion

Data availability

Underlying data

Extended data

References

Comments on this article Comments (0)

Open Peer Review

Comments on this article Comments (0)

Open Peer Review

Reviewer Status

Reviewer Reports

Comments on this article

Browse by related subjects

Competing Interests Policy

Stay Updated