Drug Discovery & Clinical Trial Acceleration — Governance

PDUFA VII codified FDA commitments around AI/ML in drug development — confirm which workflows touch those commitment areas and have a plan for each.

EMA published a reflection paper in 2024 on AI/ML use across the drug lifecycle; confirm program alignment where EU submissions are planned.

Each AI model's intended use, inputs, outputs, and risk class must be documented — the COU drives the regulatory validation burden.

EU AI Act (Regulation 2024/1689) entered into force 2024 with staged applicability; AI used in medicinal product lifecycle may fall into high-risk or general-purpose categories requiring documentation and oversight.

Systems generating GxP records (GLP 21 CFR 58, GMP 21 CFR 210/211, GCP ICH E6(R3)) must be validated; FDA's computer software assurance guidance is the current frame.

Electronic records: secure audit trail recording operator, timestamp, action, and before/after state for every GxP-relevant change.

Electronic signatures on AI-derived records must meet Part 11 identity verification, unique-to-individual, and non-repudiation requirements.

ICH E6(R3) Good Clinical Practice (finalized 2024–2025) introduced updated expectations around data integrity, risk-based quality management, and technology use in trials.

E8(R1) Quality by Design principles apply to trial design including AI-assisted matching — identify critical-to-quality factors and monitor.

Bioresearch Monitoring inspections extend to computerized systems; data lineage from AI prediction through filing must be reconstructable for an inspector.

BAAs with every processor touching PHI, minimum-necessary principle, documented TPO or research authorization basis for each data flow.

IRB-approved protocols, informed consent aligned with AI use, and waiver documentation where applicable.

Article 9 special-category data requires a specific lawful basis; research exemptions vary by member state and must be confirmed per site.

HIPAA Expert Determination or k-anonymity review; document residual risk and ongoing monitoring.

Map governance practices to NIST AI RMF 1.0 functions (Govern, Map, Measure, Manage) — increasingly referenced in FDA guidance and sponsor AI governance frameworks.

Every model version in a submission package must be reproducible: weights, training data snapshot, hyperparameters, evaluation results, and known limitations.

Every model must ship with a known-limitations document — not just performance metrics, but the regimes where the model is known to fail.

Multi-billion-dollar AI platform deals have elevated AI governance to board attention; AI risk and performance should be reported at the same cadence as clinical and commercial risk.