regenold GmbH
Headquarters:
regenold GmbH
Zöllinplatz 4
79410 Badenweiler
Germany

Phone: +49 7632 82 26-0
Email: info@regenold.com


AI Governance & Compliance

Artificial intelligence is already part of pharmaceutical and medical device workflows. It helps identify targets, predicts toxicology, optimises manufacturing parameters, triages safety cases and drafts regulatory content. We help your teams adopt and govern AI in these regulated contexts, so that it is compliant, documented, and defensible in audits, inspections, and submissions.

Examples of How We Support

These are just examples to illustrate the kind of work we do day to day. The fastest way is usually a short call to understand your situation and discuss how we can help.

AI in regulatory writing

Your team has started using an AI tool to draft regulatory content and you need to know whether it is compliant and how to document it for inspectors.

AI governance gap

AI tools have been introduced across several departments without unified oversight. Quality is expected to defend AI use in inspections but has limited visibility of how models were selected, validated, or maintained.

AI vendor qualification

You are evaluating AI vendors for a GxP process and need a structured qualification, including data handling, validation evidence, bias checks, and contractual controls.

AI inspection readiness

AI is in scope for an upcoming audit or inspection and you need to be sure the documentation, validation evidence, and governance are defensible.

EU AI Act classification

You need to classify your AI systems against the EU AI Act risk tiers and understand what obligations apply, before deadlines arrive.

Understanding AI Governance & Compliance

Not every AI tool used in pharma and medtech falls into the EU AI Act's “high-risk” category. A drafting assistant or an internal search tool may not trigger formal obligations under the Act. But when an AI tool influences a GxP-regulated process or a regulatory decision, it carries risk, whether or not the AI Act classifies it as high-risk. A PV triage model that flags safety signals, a process control algorithm that sets release parameters, an AI tool that drafts submission content: these directly affect patient safety and regulatory decisions, and regulators will treat them accordingly.

That is why most life sciences companies apply a high-risk-like governance approach by default: they document, validate, and govern AI tools because regulators will ask the same questions either way. This page covers what that approach involves and how and where we can support you.

What We Do

We help organisations adopt AI safely and defend their AI use when regulators, auditors, or assessors ask questions.

  • Classify AI tools and use cases against EU AI Act risk tiers, determine conformity assessment requirements and design regulatory pathways.
  • Map current AI usage across the organisation, perform tool inventories, classify risks, and identify compliance gaps.
  • Governance and documentation: design governance frameworks, define roles and oversight structures, draft SOPs and change control procedures, prepare validation reports and technical files.
  • Vendor due diligence: evaluate vendor data practices and model evidence (validation, performance limits, bias checks, monitoring strategy), qualify vendors and help negotiate contractual responsibilities.
  • Inspection and submission support: conduct mock audits, stress test documentation and prepare teams for authority questions, including packaging AI outputs for assessor review.
  • Deliver role-based AI literacy training so staff understand allowed and restricted uses, can supervise AI outputs, and fulfil obligations under EU AI Act Article 4.
  • Evaluate AI tool outputs through structured evals: accuracy, completeness, and regulatory suitability benchmarks to support tool selection and ongoing quality assurance.

We do not build algorithms or sell AI tools. We ensure that any model used in these contexts is classified correctly, validated, documented and integrated into your quality system.

Our Workstreams

We organise our AI support into specific workstreams. They can run standalone or be combined into a broader program.

Current State Assessment

Map AI tools and use cases in scope; classify risks and regulatory impact; gap analysis against EU AI Act, GxP/CSV, and EMA expectations; prioritised remediation plan.

AI Governance and Policies

Review existing policies, SOPs, and responsibilities; guidance on allowed vs. restricted uses of general-purpose AI tools; governance framework design; role-based training plans integrated into the quality system.

EU AI Act Classification and Compliance

Classify AI systems against EU AI Act risk tiers; determine obligations per system; plan conformity assessments; support registration in the EU AI database for high-risk systems.

Vendor Scouting and Qualification

Due-diligence assessment of vendor data handling, model evidence, and compliance posture; vendor qualification memo; acceptance criteria for go-live; ongoing oversight requirements (monitoring, audit trail, vendor change notifications).

Validation

Risk assessment and mitigation for AI/ML systems in GxP contexts; validation documentation per GAMP AI guide; performance benchmarking and bias analysis; lifecycle control including change control, drift monitoring, and re-qualification triggers.

Inspection and Submission Readiness

Mock inspections focusing on AI documentation, validation, and governance; readiness reports with gaps and corrective actions; briefing packs for QA and regulatory teams; packaging AI evidence for assessor review in submissions.

AI Literacy and Training

Role-specific AI awareness sessions covering allowed and restricted uses, output supervision, documentation requirements, and Article 4 obligations; training materials and competence records.

Where This Fits in the Development Journey

AI touches different parts of the lifecycle with different compliance implications. This overview shows where AI governance and compliance support typically applies.

Discovery & Concept

Governance for AI-driven target identification, compound design, and in silico modelling tools. Early risk classification and acceptable-use policies.

Preclinical

Validation and documentation of predictive toxicology models and QSAR tools. Vendor qualification for AI-enabled preclinical platforms.

Design & Development

AI governance for process development tools (e.g., predictive process parameters, design space modelling). GAMP AI validation for manufacturing-related AI/ML systems.

Clinical

Compliance framework for adaptive trial designs, digital endpoints, and AI-assisted patient stratification. Documentation and evidence packaging for submission-relevant AI outputs (e.g., synthetic control arms).

Regulatory Submission & Approval

Packaging AI-generated evidence for assessor review. Inspection readiness for AI documentation, validation, and governance. Briefing packs for authority questions on AI use.

Post-Market & Lifecycle Management

Ongoing AI governance: drift monitoring, change control, re-qualification. AI literacy maintenance. EU AI Act post-market monitoring obligations for high-risk systems.

Sample Deliverables

These are examples of what we typically produce.

  • AI tool inventory and risk classification report mapping tools and use cases across the organisation against EU AI Act risk tiers.
  • EU AI Act compliance gap analysis and remediation plan with prioritised actions and timelines.
  • AI governance framework document, including SOPs and acceptable-use policies integrated into the quality system.
  • Vendor qualification reports with data handling, bias, and change-control assessment.
  • GAMP AI validation documentation covering risk assessment, performance benchmarks, and bias analysis.
  • Inspection readiness report with corrective actions for AI documentation and governance.
  • AI literacy training programme, materials, and competence records aligned with EU AI Act Article 4 obligations.
  • AI evidence package for regulatory submission covering rationale, limitations, and traceability.
  • AI output evaluation frameworks, test protocols, and performance benchmark reports for tool selection and quality assurance.

Example Projects

Illustrative Example
Mid-Size EU Pharma: AI Governance Framework

A pharma company had introduced AI-assisted regulatory writing and PV triage tools across multiple departments without unified oversight. We mapped all AI use cases, classified risks against the EU AI Act, designed a governance framework with SOPs and role definitions, and delivered role-based AI literacy training. The company passed its next GMP inspection with AI in scope without findings.

Illustrative Example
Biotech: AI Vendor Qualification for Clinical Analytics

A biotech company was selecting an AI vendor for adaptive trial design and needed to qualify the tool for GxP use. We conducted vendor due diligence covering training data provenance, validation evidence, and bias analysis, prepared the qualification memo, and defined acceptance criteria and ongoing monitoring requirements.

Related Services

Data Privacy & Security →

AI data governance, GDPR compliance for AI training data, and privacy impact assessments for AI systems.

Quality & Compliance →

AI governance integrates into the quality management system. QMS design, audit readiness, and GMP documentation.

Software as a Medical Device & Cybersecurity →

Where AI is embedded in a medical device or SaMD, regulatory classification and conformity assessment under MDR/IVDR.

Regulatory Strategy & Operations →

When AI-generated evidence is part of a regulatory submission, the regulatory team manages the authority interaction.

Already Deploying AI or Looking at Introducing AI?

Tell us which process, tool, and timeframe you have in mind and we’ll set up a short call to discuss.


Key Regulations & Guidance

AI in regulated life sciences is governed by a combination of AI-specific legislation and existing GxP and quality frameworks. The regulatory landscape continues to evolve rapidly, with several guidances currently in consultation. The following guidelines and regulations inform our work:

  • EU Artificial Intelligence Act (Regulation (EU) 2024/1689) — European Union, 2024. Risk-based framework for AI systems, including classification, conformity assessment, transparency and human-oversight requirements.
  • Reflection paper on the use of AI in the medicinal product lifecycle — EMA, 2024. Highlights risks from non-transparent models, the need to minimise bias, and the importance of human-centric development and oversight.
  • Annex 11: Computerised Systems — European Commission (EudraLex Volume 4). Expectations for validation, data integrity, and change control of computerised systems in GxP processes.
  • Annex 22: Artificial Intelligence (draft) — European Commission (EudraLex Volume 4). New annex published for consultation alongside the revised Annex 11 in July 2025. Establishes requirements for AI/ML in manufacturing.
  • ISPE GAMP® Guide: Artificial Intelligence — ISPE, July 2025. Provides a holistic, risk-based framework for developing and using AI-enabled computerised systems in GxP areas.
  • ICH Q9 (R1) Quality Risk Management — ICH, 2023. Principles for identifying, assessing and controlling risks across the product lifecycle; relevant for AI governance and change control.

Frequently Asked Questions (FAQ)

Do we need documentation if AI is “just drafting”?

Yes. If an AI tool influences clinical, CMC, or regulatory decisions, you must document how it works, how it was validated, and what controls are in place, regardless of whether the output is “final” or “just a draft.” The question to ask is not “does it make the decision?” but “does it influence the decision?”

What should we be ready to show in an inspection?

Based on the current regulatory frameworks, AI systems used in regulated processes are expected to have documented risk classification, validation evidence, and change control. Responsibility for approving and monitoring the model should be clearly assigned, with defined human oversight.

How do we qualify a vendor AI tool?

Start with due diligence on the vendor’s training data, model evidence, and update practices. Review documentation and contracts. Classify the tool’s risk. Make sure you can demonstrate control over updates, performance monitoring, and bias. The depth of qualification depends on the GxP impact of the tool’s output.

What does “AI literacy” mean in practice?

Article 4 requires providers and deployers to ensure staff have sufficient AI literacy. In practice: people using AI tools in regulated work need to understand what the tool does, what it cannot do, how to spot errors, and how to document their interactions. We typically build role-specific training programs and maintain competence records as part of the governance framework.

When does a pilot become regulated use?

As soon as AI outputs influence decisions that affect patient safety, product quality or regulatory submissions, you must treat the tool as regulated and follow high-risk requirements.

How do we handle model updates and drift?

Treat it like any other change control. Define thresholds. Monitor performance. When the model drifts beyond what you validated, either retrain with documented rationale or retire it. Ideally a process is in place before the drift happens.

Can we use general-purpose AI tools (e.g., ChatGPT) in regulated work?

It depends on the task. For non-GxP work (internal brainstorming, non-regulated communications), general-purpose AI tools can be used if your governance allows it. For anything that feeds into a regulated process, you need policy guidance, a risk assessment, and documentation of how the output was reviewed and approved. Our governance quick check clarifies where the line sits for your organisation.


regenold is a global, end-to-end integrated development partner for pharmaceuticals, medical devices, and drug-device combination products. We support life sciences companies across the entire product lifecycle, delivering integrated development, regulatory, and market access expertise to enable efficient, compliant advancement from concept to market.

© 2026 regenold GmbH. All Rights Reserved.