Trust Without Teeth: The EU AI Act, Healthcare, and the Limits of a Voluntary Bill of Rights

In The European Union’s Artificial Intelligence Act and Trust: Towards an AI Bill of Rights in Healthcare?, 17 Law, Innovation & Tech. 318 (2025), Barry Solaiman notes that his AI Bill of Rights proposal “is intended to encourage debate.” This analysis is offered in that light.

I review Solaiman’s proposal through two prisms. The first is the AI Life Cycle Core Principles (AILCCP). Now in its third year of development, the AILCCP is a comprehensive framework containing 37 principles organized across 10 pillars, supported by 48 controls, and mapped to 10 life cycle phases. It offers a structured methodology for building, deploying, and operating AI systems that are defensible, compliant, and aligned with organizational, regulatory, and societal expectations. Each AILCCP principle, pillar, and life cycle phase is a formally defined concept enriched with objectives, rationale, key questions, controls, evidence requirements, and life cycle guidance, hence their capitalization as defined terms. The second is the Procedural Self-Consumption (PSC) lens, a legislative review framework that identifies seven diagnostic patterns through which technology legislation produces process rather than governance outcomes.

I. Procedural Self-Consumption Analysis

The AI Act Through the PSC Lens

Solaiman critiques the AI Act for inadequate trust-building but does not systematically examine whether the Act’s operative provisions produce governance outcomes or merely generate process. Applying the PSC framework to the provisions that Solaiman discusses reveals patterns he identifies intuitively but does not name. The PSC framework contains seven diagnostic patterns. Four apply to the material Solaiman addresses.

Pattern 1 (Procedural Self-Consumption): Article 95, one of only two articles in the AI Act that mention “trust,” creates an obligation to encourage development of voluntary codes. Not to adopt them. Not to enforce them. The provision generates further process (code development) rather than governance outcomes (binding standards). The AI Act builds trust by asking someone else to build trust later.

Pattern 2 (Unanimity Without Convergence): Recital 27 invokes seven non-binding principles from the High-Level Expert Group on AI (AI HLEG) Guidelines, which form the basis of the Act’s trust conception. “Human agency and oversight” and “diversity, non-discrimination and fairness” are not operative standards. They are consensus placeholders. The principles achieve unanimity precisely because they are undefined. Solaiman notes that this basis is “not captured in the resulting law” but does not frame the observation as a diagnostic pattern, which limits its explanatory force.

Pattern 6 (Procedural Perfectionism): The stacked conformity assessment regime Solaiman describes, where Medical Device Regulation (MDR) conformity is followed by AI Act conformity, each with its own procedural prerequisites, illustrates how individually defensible steps accumulate into disabling sequences. Each step is justified. The sequence delays governance to the point of irrelevance for a technology whose innovation cycle outpaces the regulatory pipeline.

Pattern 7 (Meta-Regulatory Irony): The AI Act creates notified bodies whose fee-for-service incentive structure, as Solaiman documents, may align them with the industry they audit rather than the public they protect. The trust-building mechanism reproduces the trust deficit it was designed to remedy.

Solaiman’s Own Proposal Through the PSC Lens

Solaiman’s proposed “AI Bill of Rights for healthcare” is itself vulnerable to the patterns he diagnoses.

Pattern 1 again: Solaiman proposes a voluntary code within the AI Act’s framework. A voluntary code creates no enforceable obligation. The test is straightforward: if every healthcare institution in the EU faithfully adopted Solaiman’s Bill of Rights, what would change? The existence of a document, not the existence of accountability. Patients would possess a charter. They would not possess a cause of action.

Pattern 2 again: The Bill of Rights would enshrine values for trust, including consent, medical liability, data accuracy, privacy, bias, security, efficacy, safety, and transparency. Solaiman does not define what compliance with these values looks like for any of them. The very unanimity problem he diagnoses in the AI Act, principles endorsed without operative content, reappears in his proposed remedy.

Timeline Projection: Solaiman’s proposal begins as a voluntary code. He envisions incorporation into national patient rights charters. In the EU’s legislative architecture, this means: (1) the AI Act encourages codes (already enacted); (2) someone drafts a healthcare-specific Bill of Rights (unspecified timeline); (3) EU member states choose whether to incorporate it into national frameworks (optional, no deadline); (4) national implementation varies by healthcare system (unbounded). The minimum elapsed time from enactment to first enforceable patient-facing obligation is functionally indefinite.

II. AILCCP Principle Mapping

Scoped Principle Set

Given the paper’s focus on healthcare AI, trust, the EU AI Act, and the doctor-patient relationship, the following AILCCP pillars and principles are contextually relevant:

Transparency & Explainability: Transparency, Explainability (XAI), Accessibility

Oversight & Accountability: Accountability, Governance, Metrics, Track Record

Reliability & Robustness: Accuracy, Trustworthy, Reliability

Fairness & Equity: Bias, Equity

Privacy & Consent: Consent, Privacy

Safety & Security: Safety, Security

Ethics: Ethics, Fundamental Rights

Human-Centered & Workforce: Human-Centered

Data & Process: Data Stewardship

Excluded from scope: R&D, Efficiency, Sustainable, Workforce Compatible, Wherewithal, Permit, Resilience, Robust. While organizational capability principles (Wherewithal, Sustainable) bear some relevance to healthcare institutions deploying AI, Solaiman’s paper does not engage institutional capacity, making their inclusion forced.

Principles Advanced

Transparency and Explainability (XAI): Solaiman’s discussion of informed consent and the black box problem in Section 4.2 (pp. 331-332) engages these AILCCP principles directly. His call for “meaningful disclosure of information that experts can access” maps to the AILCCP requirement for audience-appropriate explanations. The treatment remains at the level of aspiration rather than specification. He acknowledges that explainability is “easier said than done” and that post hoc rationalizations may not illuminate inner workings, but he does not specify what “meaningful disclosure” operationally requires.

Consent: The paper’s treatment of informed consent as a trust-building mechanism in healthcare, drawing on Hall’s “predicated” and “supportive” stances toward trust (p. 321), engages a recursive relationship the AI Act does not address. Consent is both derived from and constitutive of trust in healthcare settings. The AI Act treats consent as a downstream disclosure obligation. Solaiman’s framing treats it as a structural precondition.

Privacy and Data Stewardship: Solaiman identifies the deidentification/reidentification problem and notes that patients do not trust governance systems to maintain confidentiality (p. 332). His reference to the European Health Data Space (EHDS) as a potential solution engages Data Stewardship but does not assess whether the EHDS itself operationalizes the principle or merely invokes it.

Bias: Solaiman’s discussion of training data bias affecting demographic accuracy engages this principle, though his treatment is cursory. He calls for “additional checks and verification” (p. 332) without specifying what form those checks would take, who would perform them, or what standards would govern their execution.

Accountability: The paper’s discussion of liability gaps, the withdrawn Artificial Intelligence Liability Directive (AILD), and the uncertainty of the revised Product Liability Directive (PLD) engages Accountability (p. 332). Solaiman’s proposal for a “human point of reference” and standing committees to examine AI incidents is more operationally concrete than the paper’s other suggestions, though it still lacks enforcement architecture.

Principles Engaged but Not Operationalized

Safety: Solaiman asserts in Section 4.2 that AI outputs should be “accurate and safe for the context in which they are applied” (p. 333). The AILCCP principle of Safety demands more than aspirational assertions. It requires specified testing protocols, defined performance thresholds, and continuous monitoring mechanisms. None appear here.

Trustworthy: The entire article circles this principle without landing on it. The AILCCP principle requires that an AI system demonstrates, through verifiable evidence, that it warrants confidence. Solaiman’s critique of the AI Act is that it treats risk classification as a proxy for Trustworthiness. His proposed Bill of Rights substitutes a different set of aspirational values without specifying how Trustworthiness would be verified. The proxy changes. The absence of verification does not.

Principles Neglected

Metrics: The paper’s most consequential omission. Trust is not simply a relational concept. It can be measured, benchmarked, and tracked. The AILCCP principle of Metrics requires defined indicators for system performance, compliance, and impact assessment. Solaiman’s critique of the AI Act’s trust framework would gain substantial force if he specified what trust metrics in healthcare AI would look like. Patient satisfaction scores with AI-assisted diagnoses. Error rate comparisons between AI-augmented and unaugmented clinical decisions. Disclosure compliance rates. Algorithmic audit frequency. Without Metrics, the Bill of Rights becomes a statement of aspiration indistinguishable from the ethics guidelines Solaiman dismisses (citing Munn) as “useless.”

Track Record: The AILCCP principle requires evaluation of an AI system’s historical performance and the deploying organization’s history of responsible AI practices. Solaiman’s discussion of Conformité Européenne (CE) marking’s evidentiary weakness (safety evidence deferred to post-market) raises Track Record concerns implicitly but does not propose that a Bill of Rights require transparent performance histories accessible to patients or clinicians.

Governance (as an AILCCP principle): Solaiman proposes institutional mechanisms (standing committees, responsible persons) but does not articulate the broader oversight architecture. Who oversees the standing committees? What is their reporting obligation? How is their independence secured? The Governance principle requires institutional controls that are themselves subject to review. Solaiman’s proposal has no second-order oversight.

Life Cycle Phase Coverage

Solaiman’s analysis clusters around two AILCCP phases: Pre-Deployment Review (conformity assessment) and Deployment & Release (point-of-care rights). This is characteristic of a market-access regulatory framework. It leaves gaps in the phases where regulation, institutions, and patients intersect.

Data Preparation. Solaiman raises training data bias as a trust concern in Section 4.2 but does not connect it to data pipeline oversight. Bias originates in this phase. His Bill of Rights proposes to address it at the point of care. By then it is baked in.

Evaluation & Red Teaming. The AI Act contemplates deployer-side testing obligations, and Solaiman’s own ecosystem argument implies that evaluation cannot occur solely at the developer level. A healthcare institution deploying AI against a specific patient population has an independent obligation to test. The Bill of Rights does not address this.

Operations & Monitoring. Solaiman’s standing committee proposal implicitly touches this phase, but continuous monitoring of system performance is not addressed. Trust erodes if a deployed system degrades and nobody is watching.

Incident Response. Solaiman proposes a right to redress, which implies a triggering event, which implies a protocol. The Bill of Rights does not specify one.

Decommissioning & Archiving. Not addressed. What are the patient’s rights regarding decisions made by a healthcare AI system that has been retired?

The Socio-Technical Ecosystem Argument and Its Unfinished Work

Section 4.1 argues, drawing on Unver et al., that trust must derive from the operation of the entire socio-technical ecosystem within which AI exists as one component. Trust in AI as a “standalone device” is, on this account, conceptually incoherent because liability systems rest on the responsibility of the clinician or employer, not the tool. “Trust in AI” as a standalone object is a category error. The meaningful locus of trust is the clinician, provider, or institution that stands behind the tool in a web of legal and ethical obligations.

The Bill of Rights does not carry this insight forward. It reproduces the very reductionism the article criticizes.

The rights in Section 4.2 are framed as claims against “the AI” or its immediate use, not as relational claims allocated across institutional actors in the ecosystem. There is no parallel articulation of duties for providers (deployment, monitoring, override, decommissioning), developers (updating, post-market surveillance, data stewardship), or regulators (transparency of notified bodies, management of misaligned incentives). Solaiman’s argument establishes that trust is ecosystem-dependent, then proposes a remedy addressed to a single technology layer. The Bill of Rights silently inherits the AI Act’s system-centric orientation, the same orientation Section 4.1 identifies as structurally inadequate.

The socio-technical framing also strengthens the PSC critique. If trust is ecosystem-level, then the AI Act’s market-access conformity model, which evaluates a product at a single point in time before deployment, is even more inadequate than a product-level critique would suggest. A voluntary Bill of Rights layered on top of that model inherits its structural limitations. Section 4.1’s own logic undermines Section 4.2’s remedy.

Solaiman’s socio-technical ecosystem argument maps naturally onto a life cycle view of AI. Trust is not established once at market entry and preserved automatically. It must be maintained through continuous oversight, incident response when things go wrong, and managed transitions when systems are updated or retired. If those phases are ungoverned, trust formed at the point of deployment will erode.

This means an ecosystem-aligned Bill of Rights cannot simply declare patient-facing values. It must allocate specific duties to specific actors. Hospitals, clinicians, developers, vendors, auditors, and regulators each play a role in sustaining trust across the AI life cycle. The Bill of Rights should specify what each owes, through mechanisms like performance reporting, independent oversight, and patient contestation rights.

Section 4.1 points toward this recognition. Section 4.2 does not deliver on it. The prescriptive proposal retreats to a static list of values addressed to a single technology layer, abandoning the ecosystem logic that Section 4.1 established.

Standards Context

Solaiman references standards from the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) in passing (through the AI HLEG Guidelines) but does not engage specific ones. ISO/IEC 42001:2023 (AI management systems) bears directly on the oversight architecture his Bill of Rights would require. ISO/IEC 23894:2023 (AI risk management) bears on his risk-versus-trust argument. The absence of standards engagement weakens the paper’s prescriptive force.

III. Argumentative Assessment

Thesis Architecture

Solaiman’s thesis is that trust in healthcare AI “could be better fostered” through a Bill of Rights. The conditional mood is telling. The thesis hedges where it should assert. A stronger formulation: the AI Act structurally cannot produce trust in healthcare because trust is a domain-specific, relational phenomenon and the Act is a horizontal, technical regulation. The Bill of Rights is not a “could be” improvement. It is a necessary supplement if the regulatory regime is to achieve its stated aims.

The thesis is also overbroad. It promises to examine what trust means in healthcare, how the AI Act incorporates trust, whether its provisions enhance trust, and what should be done to bridge the gap. That is four distinct arguments in a seventeen-page paper. Section 2 (the concept of trust in healthcare) receives approximately two and a half pages (pp. 320-322). Section 3 (trust and the AI Act) spans approximately six pages (pp. 322-327). Section 4.1 (systemic considerations) receives three pages (pp. 328-331), developing the socio-technical ecosystem argument that the paper then abandons. Section 4.2 (values for trust), the prescriptive core, receives approximately two and a half pages (pp. 331-333) to articulate the entire Bill of Rights proposal. The descriptive groundwork in Section 3 may be necessary. But Section 4.2 is underdeveloped relative to the weight the paper asks it to bear. Two and a half pages to specify a new governance instrument is not enough, especially when the paper’s own Section 4.1 establishes that trust is ecosystem-dependent and therefore requires duties allocated across multiple institutional actors.

Counterargument Treatment

The paper’s most significant argumentative weakness is its failure to engage the strongest version of the opposing position. The position that risk regulation can produce trust indirectly deserves serious treatment. The strongest version of this counterargument: systematically reducing the probability of harm, even through technocratic mechanisms, creates conditions under which trust emerges through experience. People trust automobiles not because they read safety regulation. They trust automobiles because safety regulation reduced harm rates over decades. Solaiman’s implicit assumption that trust must be directly cultivated through rights-based mechanisms deserves interrogation. The paper does not provide it.

The Realist Gap

The paper does not examine what healthcare institutions would actually do with a voluntary Bill of Rights, and its own evidence makes this omission structurally damaging.

Solaiman cites Unver et al. for the proposition that trust requires “designating responsibilities for different staff, such as doctors and clinicians, and outlining how the safeguards govern workflows concerning diagnosis and treatment using AI tools” (p. 330). He then proposes a Bill of Rights that does not designate responsibilities for any specific staff, does not outline any workflow safeguards, and does not address the clinical settings in which the rights would be exercised.

Consider the following scenario. A mid-sized European hospital runs diagnostic imaging AI from one vendor, a clinical decision support system from another, and a patient monitoring platform from a third. Each system has different explainability characteristics, different data pipelines, different update cycles, and different contractual terms. Solaiman’s Bill of Rights proposes that the patient receive “meaningful disclosure of information that experts can access.” Which expert? The radiologist who uses the imaging AI, the information technology (IT) administrator who manages the platform, or the procurement officer who negotiated the contract? The Bill of Rights does not say. A “standing committee within the hospital setting convened to examine AI incidents” must be resourced, staffed, and given authority. Who funds it? From which budget line? What is its jurisdiction when the AI vendor’s terms of service disclaim liability for the output the committee is examining?

These questions are not rhetorical embellishments. They are the operational conditions under which the Bill of Rights would succeed or fail. Solaiman’s Section 4.1 establishes that trust is ecosystem-dependent. His Section 4.2 proposes a remedy that ignores every institutional actor in the ecosystem except the patient.

The incentive structure is also unaddressed. EU hospitals operate under resource constraints, national regulatory variation, and competitive pressure. A voluntary code imposes compliance costs (committee formation, disclosure infrastructure, staff training) with no corresponding enforcement benefit. Hospitals that adopt the Bill of Rights bear costs. Hospitals that ignore it face no consequence. In this environment, voluntary adoption is not a governance strategy. It is a selection mechanism for institutions already inclined toward compliance.

IV. Synthesis

The word “trust” appears twice in 245 pages of the AI Act’s articles, revealing that trust functions as a rhetorical frame for the regulation rather than an operative concept within it. The conflation of risk acceptability with trustworthiness, drawing on Laux, Wachter, and Mittelstadt, identifies a structural deficiency in the Act’s conceptual architecture. CE marking’s reliance on deferred evidence of safety and effectiveness compounds this deficiency in the healthcare domain.

The proposed remedy, however, reproduces the problem.

The Bill of Rights proposal reproduces the reductionism it diagnoses in the AI Act. It invokes values without operationalizing them. It endorses trust without specifying how to measure it. It proposes voluntary mechanisms when the argument’s logic demands binding ones. It frames rights as claims against the AI system rather than as relational obligations distributed across the ecosystem that Section 4.1 identifies as the actual locus of trust. And it treats AI as a product entering a market rather than a system traversing a life cycle.

From an AILCCP perspective, the paper’s most significant gap is Metrics. Without measurable indicators of trust, the Bill of Rights becomes precisely what Solaiman (citing Munn) accuses the AI HLEG Guidelines of being. From a PSC perspective, the proposal creates further process (charter development, voluntary adoption, national implementation) without a mechanism to ensure that process produces governance. The very trap the AI Act fell into.

The paper would benefit from engaging AILCCP’s life cycle model to recognize that trust is not established at a single regulatory moment (market access) but must be maintained across the entire AI life cycle, from Data Preparation through Decommissioning. It would also benefit from specifying concrete Metrics for healthcare trust, anchoring the Bill of Rights to ISO/IEC standards that provide implementable controls, and confronting the enforcement question honestly.

A voluntary Bill of Rights for AI in healthcare, absent enforcement mechanisms and measurable standards, is a document that trusts the healthcare system to do what it has historically resisted doing without compulsion. That is not a governance strategy. That is a hope.