The technology is moving. The question for most companies is not whether to use AI, but how to use it in a way that regulators will accept and inspectors will not challenge. That question is complicated by the fact that the regulatory framework is still being written.
The EU is building a comprehensive and increasingly detailed regulatory framework for AI in life sciences. But it is doing so through multiple instruments that are evolving simultaneously, and not always in the same direction.
In force since August 2024, with obligations phasing in over four years. AI literacy requirements already apply (since February 2025). General-purpose AI model obligations since August 2025. Most high-risk AI obligations for standalone systems apply from August 2026. For AI embedded in medical devices (MDR/IVDR), the high-risk obligations apply from August 2027, though the Digital Omnibus Package (November 2025) proposes pushing this to August 2028, with standards readiness as a condition. A competing DG SANTE proposal would remove medical device AI from the high-risk framework entirely by moving MDR/IVDR from Annex I Section A to Section B. The outcome is not yet settled.
Published for consultation in July 2025, this is the first dedicated EU GMP guidance on AI/ML in pharmaceutical manufacturing. The position is conservative: only static, deterministic AI/ML models are permitted for GMP-critical applications. Dynamic or continuously learning models, probabilistic outputs, and generative AI (including LLMs) are excluded from critical GMP functions. Generative AI may be used for non-critical tasks with human-in-the-loop oversight. This was published alongside a substantially expanded Annex 11 (from 5 to 19 pages, now covering cloud, AI, and SaaS) and a revised Chapter 4 (data lifecycle, ALCOA++, hybrid systems). Final versions expected in 2026/2027.
The EMA adopted its reflection paper on AI in the medicinal product lifecycle in September 2024. It takes a risk-based approach: black-box models are not automatically excluded, but full model architecture and training data may be required in some contexts. In January 2026, EMA and FDA jointly published ten guiding principles covering human-centric design, fitness for purpose, risk proportionality, data governance, transparency, and accountability. These are non-binding but signal the direction of future expectations.
The regulatory documents describe what is expected. The harder problem is doing it. Three areas cause the most difficulty in practice.
Sanofi has publicly disclosed the most detailed AI governance framework in the industry: a Responsible AI Working Committee, an internal policy integrated into employee and vendor codes of conduct, a multi-disciplinary review body for high-risk use cases, a standardised risk classification tool, and a global awareness campaign reaching 15,000+ employees. Among other major pharma companies (Roche, Novartis, AstraZeneca, Pfizer, J&J), AI adoption is extensive but publicly disclosed governance frameworks are largely absent. For small and mid-size companies, the gap is wider: AI infrastructure, data science expertise, and regulatory clarity are all more limited. The Digital Omnibus Package acknowledges this with simplified QMS obligations for SMEs and regulatory sandbox access, but practical barriers remain.
We tested this directly. In an experiment presented at the regulanet 2026 conference, we evaluated several commercial AI assistants on regulatory Q&A tasks across the EU AI Act, MDR, and the EMA reflection paper. The findings: all assistants performed well on style (clarity, tone) but approximately 30% of substantive answers received the lowest possible grade, meaning they were severely incomplete, incorrect, or cited the wrong legal references. The difficulty of the question did not predict the quality of the answer. The problem is not limited to general-purpose LLMs. Purpose-built, domain-specific AI tools can also fail when they are developed without sufficient involvement of regulatory and scientific experts who understand the tasks the tool is meant to support. General-purpose assistants may help with non-critical tasks, but they cannot be relied upon for regulatory decision-making without expert oversight and documented controls.
Industry frameworks exist, but no single methodology has been universally adopted for validating AI/ML models in GxP use. GAMP 5 Second Edition (2022) introduced Appendix D11 for AI/ML lifecycle, and the standalone ISPE GAMP Guide: Artificial Intelligence (July 2025, 290 pages) is the most comprehensive industry framework available. The FDA’s final guidance on computer software assurance (September 2025) formally endorses risk-based validation proportional to impact on product quality and patient safety. But in practice, most companies are still working out how to document AI validation to a level that will satisfy inspectors.
Not all AI use in life sciences faces the same regulatory requirements. The general distinction is between AI as a tool, AI as a regulated product/dossier component, and AI used in drug development leading to AI-generated evidence being submitted. Conflating these can lead to either over-engineering internal tools or under-preparing products that will be reviewed by regulators.
AI that assists a human-led process: drafting regulatory documents, triaging safety cases, predicting manufacturing parameters, classifying legacy documents. The regulatory burden sits within the company’s QMS. These tools need risk classification, validation evidence, governance, vendor qualification, change control, and audit trails. They do not typically require conformity assessment by a Notified Body, but they must be defensible in audits and inspections. This is where most companies start, and where most governance gaps exist.
AI/ML embedded in a medical device or IVD. Subject to MDR/IVDR conformity assessment, and (from August 2027 or later) to the AI Act’s high-risk obligations. Requires technical documentation, risk management per ISO 14971, clinical evidence, and post-market performance monitoring. A fundamentally different regulatory pathway from internal tool deployment.
AI used during drug development to generate evidence submitted to authorities: synthetic patient populations, virtual control arms, AI-driven endpoint analysis, AI-designed molecules with in silico data packages. The AI system itself may not be a medical device, but the evidence it produces must be packaged for assessor review with clear rationale, limitations, traceability, and lifecycle control. The EMA reflection paper and the EMA-FDA guiding principles set the expectations here.
Platforms like CARA (Generis), Veeva Vault, and other regulatory information management systems are increasingly adding AI features for document classification, metadata enrichment, and content generation. These sit squarely in the “AI-enabled tools” category, where governance by architecture (AI inheriting permissions, audit trails, and compliance controls from the platform) is a practical model. But platform-level compliance does not replace the need for company-level governance and validation.
We do not build AI models or sell tools. We ensure that AI used in regulated life science contexts is classified, validated, documented, and integrated into the quality system so that it is defensible in audits, inspections, and regulatory submissions.
A typical engagement starts with a current state assessment: mapping where AI is being used, what controls exist, and what gaps need to be closed. From there, the work may involve governance framework design, vendor qualification, validation documentation, inspection readiness, or preparing AI-generated evidence for regulatory submission. The scope depends on whether the company is deploying AI tools internally, embedding AI in a regulated product, or both.
We also build and maintain AI evaluation frameworks (Evals) for clients who need to measure and demonstrate the ongoing performance of AI systems in regulated contexts. This includes evaluation rubric design, benchmark dataset creation, automated scoring pipelines, and calibration against human expert judgment.
These service areas are covered in detail on our AI Governance & Compliance service page. Below is a summary of what each covers.
AI tool inventory, risk classification, gap analysis against EU AI Act, GxP/CSV, and EMA expectations. Prioritised remediation plan.
AI governance framework design, SOPs, roles and oversight structures, change control, acceptable use policies for general-purpose AI tools.
Due diligence on training data provenance, validation evidence, bias/fairness, monitoring and drift strategy. Vendor qualification memo and contractual recommendations.
Risk-based validation per GAMP 5 / GAMP AI Guide principles. Measuring model accuracy, precision, and reliability against predefined acceptance criteria. Bias analysis, drift monitoring, re-qualification triggers.
Mock inspections, documentation stress-testing, briefing packs for QA and Regulatory teams. Packaging AI-generated evidence for assessor review.
Evaluation rubric design, benchmark dataset creation, automated scoring pipelines, LLM-as-a-judge calibration. Ongoing performance monitoring for deployed AI systems.
Role-specific training to meet Article 4 (EU AI Act) requirements. Covers allowed vs. restricted uses, output supervision, error recognition, documentation obligations.
AI system classification under EU AI Act categories. Regulatory pathway design for AI-embedded medical devices and IVDs, including AI Act conformity assessment planning.
Tell us where AI sits in your workflows and what controls you need. We will assess the gaps and outline the practical next steps.
General-purpose AI tools can be used for non-GxP tasks if your governance framework permits it. For regulated tasks, you need a documented risk assessment, acceptable use policy, and controls around data handling, output review, and audit trails. Our governance quick check provides clarity on what is allowed, what is restricted, and what documentation is needed.
Only static, deterministic AI/ML models are permitted for GMP-critical applications. Dynamic or continuously learning models, probabilistic outputs, and generative AI are excluded from critical GMP functions. This is a more conservative position than many companies expect. If you are deploying adaptive or learning models in manufacturing, they must either be frozen before use in critical processes or limited to non-critical applications with human oversight.
There is no blanket requirement yet, but the direction of travel is clear. The EMA reflection paper expects transparency about AI use in the medicinal product lifecycle. If AI-generated evidence (e.g., synthetic data, AI-designed molecules, AI-driven endpoint analysis) is part of a submission, it should be documented with clear rationale, limitations, traceability, and lifecycle control. We help define a disclosure strategy as part of submission planning.
When it meets the definition of software as a medical device (SaMD) under MDR: software intended to be used for a medical purpose, on its own, not driving or influencing the use of a hardware device. Classification depends on intended purpose and risk. AI that assists clinical decision-making, provides diagnostic outputs, or monitors patients may qualify. We provide classification assessments and regulatory pathway design.
Based on the current regulatory frameworks, AI systems used in regulated processes are expected to have documented risk classification, validation evidence, and change control. Responsibility for approving and monitoring the model should be clearly assigned, with defined human oversight. This area is evolving rapidly. As Annex 22 is finalised and the EU AI Act's high-risk obligations take effect, specific expectations will become more detailed.