chapter 06 · iFeed-core lens

AI in governance.

Governance has to absorb AI · not deploy on top of it. The 30-year QMS playbook (lock-and-validate, deterministic test, point-in-time qualification) does not survive contact with non-deterministic systems. iFeed frames the absorption as an immunity model: pre-immunisation, active immunity, adaptive immunity. Five governance shifts, three immunity stages, one operating philosophy.

/ 01

Why governance must absorb AI.

Not a new tool · a new substrate

Pharma quality systems were designed against a deterministic substrate: an SOP runs the same way on Monday and Thursday, a chromatograph integrates the same peak both days, a release decision is reproducible. AI/ML systems are non-deterministic by construction: model weights drift, input distributions drift, deployment context drifts. Governance does not get to choose whether to engage. It engages either by absorbing the new substrate (treating AI as just another component of the QMS) or by reacting to it (a parallel "AI committee" bolted to the side). The absorbing posture is the only one inspectors will accept by 2028.

The iFeed methodology frames this absorption as an immunity problem. The body that is the QMS encounters a foreign agent that is the AI system. It can reject (parallel governance, doomed). It can succumb (no governance, also doomed). Or it can immunise: recognise, neutralise, remember. The immunity framing maps cleanly onto the regulator workplan and onto the lifecycle obligations of the EU AI Act, ISO/IEC 42001, the EMA Reflection Paper, and FDA PCCP.

/ 02

The five governance shifts AI forces.

From / to · the structural change

Five governance behaviours change permanently when an AI system enters the QMS surface. Each is documented in regulator text already published or in late draft.

Shift 01 · validation

Validation of non-deterministic systems.

From deterministic test cases · pass/fail at point in time
To statistical performance envelope · tolerance bands · threshold KPIs

You cannot test every input on a non-deterministic system. Validation becomes a sampling argument: did the model perform within tolerance on a representative population. ICH M10 v2 narrow-scope acceptance, FDA PCCP scope. ISO/IEC 42001 §6.1 risk-based controls. The vocabulary of validation borrows from process performance qualification (PPQ) rather than from CSV.

Shift 02 · monitoring

Continuous monitoring · not lock-and-validate.

From validate once · revalidate on change
To validate the plan · monitor the performance · revalidate on drift

FDA PCCP (final Dec 2024) is the legal bridge. EU AI Act Art 17 QMS obligation requires post-market monitoring for high-risk AI providers. EMA Reflection Paper introduces "monitor and update" as a regulatory verb. The QMS must operate KPIs in real time, not in annual reviews.

Shift 03 · lineage

Training-data lineage as governance artefact.

From raw-material specification · CoA
To training-data manifest · provenance · bias profile

Training data is the new raw material. It needs the same governance: source identification, sampling provenance, representativeness, exclusion rationale, version control. EU AI Act Art 10 mandates data governance for high-risk AI. ISO/IEC 42001 §8 controls. NIST AI RMF Map 4 alignment. Inspectors will request training-data manifests by 2027.

Shift 04 · lifecycle

Model-update lifecycle via PCCP.

From change control with discrete revisions
To predetermined change envelope · trigger-based retraining

FDA PCCP final guidance Dec 2024. EU GMP Annex 22 (concept paper EMA/INS/GMP/606234/2024) extending PCCP analogue into manufacturing. The retraining trigger, the revalidation scope, the human approval point all need to be defined upfront, not at the moment of change.

Shift 05 · HITL

Human-in-the-loop as architectural requirement.

From human approval at end-of-process
To human review at named decision points · escalation thresholds

EU AI Act Art 14 human oversight. ICH Q9(R1) human-judgement preservation in risk-based decisions. WHO ethics & governance of AI for health (Oct 2023). Generative authoring of CAPA, deviation, validation reports remains unacceptable through 2030. Inspector posture: where is the human signature, what did the human review, what was the human authorised to override.

/ 03

Old QMS vs AI-era QMS.

A side-by-side

The structural change is not in the QMS clauses but in how each clause is operated. ISO 9001, ISO 13485, 21 CFR 820 / QMSR all retain their text. What changes is what each clause demands when an AI component is in scope.

| Clause | Pre-AI QMS posture | AI-era QMS posture |
| --- | --- | --- |
| Validation | Lock the version · run test scripts · pass/fail. | Operate within a predetermined change envelope. Performance KPIs continuous. Drift triggers retraining + revalidation. |
| Change control | Discrete change request · approve · implement · verify. | Continuous change inside the envelope · out-of-envelope change is the discrete event. PCCP describes the boundary. |
| Risk management | FMEA at design time · refresh on change. | ISO 14971 + ISO/IEC 23894 AI risk · live risk register · quarterly refresh against drift telemetry. |
| Supplier control | Vendor questionnaire · CoA review · periodic audit. | Vendor + training-data provenance · model card review · ISO 42001 certification expectation. |
| Human oversight | Approver signature at end of process. | Named decision points · escalation thresholds · override audit trail. |
| Management review | Annual / quarterly slide deck. | Live dashboards · trend telemetry · cadence increases with AI scope. |
| CAPA | Investigate root cause · effectiveness check. | Same + retraining as a CAPA action class · dataset bias as a root-cause category. |
| Audit-trail review | Sample-based · periodic. | Continuous · anomaly-detected · human review on flagged events. |

/ 04

The iFeed immunity model for AI governance.

Pre-immunisation · active · adaptive

The iFeed methodology presents AI governance through an immunity lens. The published landing page on the methodology has it; the vaccine-and-antidote note frames it. This is the public-facing version. Three stages map onto how a QMS encounters an AI system and how it builds durable resistance.

Stage 01 · recognition

Pre-immunisation.

Before the AI system is deployed in the regulated process. The QMS learns to recognise it: identifies the AI surface, classifies the risk under EU AI Act tiering and ISO/IEC 42001 risk treatment, defines the predetermined change envelope, writes the model card, structures the training-data manifest, sets the KPIs that will run continuously.

Outputs: AI inventory, risk register entry, PCCP scaffold, model card, training-data manifest, monitoring KPI list. Inspector touchpoint: pre-deployment qualification.

design-time

Stage 02 · response

Active immunity.

In production. The QMS responds to drift, anomaly, and out-of-envelope events as they occur. Continuous monitoring runs against the KPI envelope. Drift triggers escalate to human review. Out-of-envelope drift triggers retraining + revalidation under PCCP. The AI surface is operating but the human signature is on every named decision point.

Outputs: drift telemetry, anomaly log, retraining records, override audit-trail, real-time KPI dashboards. Inspector touchpoint: routine inspection, post-market monitoring under EU AI Act Art 72.

in-life

Stage 03 · memory

Adaptive immunity.

The system learns from its own incidents. CAPA actions feed back into the change envelope. Drift events update the monitoring KPIs. Population shifts update the training-data manifest. Management review folds the AI lifecycle telemetry into the QMS performance review. The QMS itself is evolving with the AI surface, and the regulator can see continuity of governance across the evolution.

Outputs: CAPA loops × AI, envelope revision history, management-review minutes referencing AI KPIs, periodic AIMS audit. Inspector touchpoint: management-review evidence, CAPA effectiveness on AI-rooted findings.

long-run

/ 05

Where AI is being deployed inside governance.

QMS itself becomes AI-augmented · 2026 reality

The governance surface is itself becoming AI-augmented. Not as the regulated product, but as the QMS operating layer. Eight deployments are visible in 2026.

Production · widely deployed

Audit-trail anomaly detection.

Veeva Vault, MasterControl, Sparta TrackWise extending audit-trail review with ML-based anomaly detection. ALCOA+ alignment. Inspector posture acceptable when human review SOP is documented.

High

Production

CAPA triage.

Classification, severity scoring, similar-event clustering. Reduces backlog. Human approval still mandatory before close-out.

High

Production

Document control.

SOP redline-detection, version-control conflict surfacing, retention-policy automation. Standard QMS-tool feature by 2025.

High

Pilot · major sponsors

Deviation RCA assist.

Pattern surfacing across deviation database. Generative authoring of investigation summary not yet acceptable to inspectors. Suggest, not draft.

Medium

Pilot

Inspection-readiness score.

Continuous-compliance dashboards calculating an inspection-readiness score from open findings, CAPA age, training compliance, audit closure. Internal use 2025-2027.

Medium

Pilot

Risk-register refresh.

ICH Q9(R1) implementation supported by AI-assisted risk-event surfacing. Sponsor-internal use predominantly.

Medium

Out-of-scope through 2030

Generative authoring · finished output.

FDA / EMA / PMDA / MHRA private signal: generative authoring of validation reports, CAPA closures, deviation investigations remains unacceptable as finished record. Human-in-the-loop architecture required. Codification likely 2033+.

High

Out-of-scope

Autonomous release decision.

AI-only release of a clinical batch / commercial batch unacceptable through any visible 2030 horizon. Named human approval required. Regulator position uniform.

High

/ 06

Regulator-grade governance for the AI era.

What "good" looks like in 2026 inspections

An organisation that has absorbed AI into its governance produces a recognisable inspection footprint. The footprint is the same regardless of whether the inspector is from FDA, EMA, MHRA, PMDA, or ANVISA, because it answers the same five questions every regulator now asks.

Q1 · inventory

Where is your AI.

A current AI inventory: every AI/ML component in scope of the QMS, mapped to risk class (EU AI Act tier, ISO 42001 risk treatment, ICH Q9 risk score). Updated on each release. Inspector reads it cold and immediately knows the regulated surface.

Q2 · lifecycle

Where is the PCCP.

For each high-risk AI surface: a predetermined change control plan documenting the change envelope, retraining triggers, revalidation scope, human approval thresholds. FDA-style PCCP or its EU AI Act equivalent.

Q3 · data

Where is the training-data manifest.

Provenance, sampling rationale, representativeness analysis, bias profile, exclusion criteria, version-control. EU AI Act Art 10 alignment. Inspector should not need to ask twice.

Q4 · monitoring

What are the KPIs.

The continuous-monitoring KPI set: drift detection, performance bands, anomaly thresholds, escalation rules. Live data, not retrospective slides. Cadence at least monthly, ideally real-time.

Q5 · oversight

Where is the human signature.

Named decision points, named approvers, override audit-trail, escalation log. EU AI Act Art 14 alignment. The human review step is non-removable.

Q6 · integration

How does the QMS consume it.

The bridge from AIMS into QMS: how does drift become a deviation, how does retraining become a change, how does the AI dashboard feed management review. The integration point is what distinguishes Stage 4 from Stage 3 maturity.

The methodology lens

Governance as immunity · not committee.

The dominant 2024 industry response to AI was to set up an "AI committee". Inspectors are converging on the position that an AI committee is not governance · it is corporate art direction. Governance is what the QMS does on Tuesday at 14:30 when a model drifts. iFeed frames this as the immunity model: pre-immunisation prepares the surface, active immunity responds to drift, adaptive immunity learns from the response. Three stages, one operating layer, every clause of every QMS standard intact.