Why Proportionate Risk, Not Uniform Risk

Every mature quality system in pharma already operates on proportionate risk. ICH Q9(R1), the international standard for quality risk management, is explicit that “the level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk”2. Yet when AI arrives, teams frequently abandon that principle and default to one of two extremes: either they treat every model as an experimental science project outside the quality system, or they apply the full GxP validation package to everything, including tools that would never touch a patient or a batch record.

The regulatory signals point firmly toward proportionality. The FDA’s January 2025 draft guidance on AI in drug and biological product regulation introduces a seven-step credibility framework built on the concept of a “context of use,” where the required evidence scales with the model’s risk to the regulatory decision it informs3. The joint FDA-EMA Guiding Principles of Good AI Practice in Drug Development, released January 14, 2026, name “a risk-based approach” as one of ten foundational principles4. The EMA’s draft Annex 22 to EU GMP, published in July 2025, states directly that manufacturers should perform a risk assessment consistent with ICH Q9 for each AI use case and let that assessment inform how much validation and review are documented in the AI quality plan5.

83% of organizations already use AI tools, but only 25% have implemented strong governance frameworks6
Aug 2 2026 date the EU AI Act’s high-risk system requirements become fully applicable1
53% of businesses using generative AI say they actively mitigate AI risks, per McKinsey’s 2026 survey7

Proportionality is not just about efficiency. It is about credibility. If your risk assessment produces the same output for a marketing copy generator and a pharmacovigilance signal detection model, inspectors and auditors will conclude that the assessment is not actually assessing anything. A proportionate framework, by contrast, produces a defensible narrative: this model earned that level of scrutiny for these documented reasons, and the reasoning can be traced from category scores to control decisions.

The Sakara Digital Perspective

The organizations we see doing this well share one habit: they treat the AI risk assessment as a small, standardized artifact that every model owner completes, rather than a bespoke exercise. Standardization does not mean rigidity. It means the same seven categories, the same 1-5 scales, and the same escalation triggers, so that a portfolio-level view of AI risk actually rolls up. Without standardization, you cannot compare two models, and you certainly cannot manage a portfolio of hundreds.

The Seven Risk Categories for Pharma AI

The categories below are the ones we have found most useful when adapting general AI risk management frameworks like NIST AI RMF and Deloitte’s Trustworthy AI Framework8 to pharma-specific contexts. They map to what regulators, quality units, security teams, and business owners each need to see, and they align with the trust characteristics named in the joint FDA-EMA principles and the AI TRiSM market Gartner has been defining since 20239.

Category 1: Patient Safety Impact

The most consequential category. This asks: if this model produces a wrong output, could a patient be harmed? Direct harm includes AI that informs dosing, adverse event triage, pharmacovigilance signal detection, or diagnostic support. Indirect harm includes AI that gates manufacturing releases, manages cold chain, or controls a critical process parameter. Even models that seem administrative can carry patient safety weight if they feed decisions that eventually touch a patient.

Category 2: Regulatory Exposure

This category asks whether the model sits inside a regulated activity, and if so, under which framework. A model that informs a drug submission, a GMP release decision, a GCP monitoring plan, or a GVP case triage will be examined against GxP validation expectations, the FDA’s credibility framework, EMA Annex 22 in the EU, and potentially the EU AI Act’s high-risk system requirements if it functions as a safety component of a medical device or in vitro diagnostic. Models used purely internally for exploratory research generally carry lower regulatory exposure, though intellectual property and confidentiality obligations still apply.

Category 3: Financial Materiality

What is the financial consequence if this model produces wrong or biased outputs? A pricing model, a forecasting model that drives production planning, a claims analytics model, or an AI that scores commercial opportunities can have direct revenue implications. A model that supports fraud detection in speaker programs or hub services can trigger settlement exposure. Financial materiality does not just mean the size of the bet; it also means how quickly a wrong output could accumulate loss before it is caught.

Category 4: Data Privacy

Does the model process personal data, and if so, of what kind? Models that touch patient-level real-world data, clinical trial data, HCP data with identifiable prescribing patterns, or employee data carry both GDPR and HIPAA weight. Even models that only see aggregated or anonymized inputs need this category assessed, because re-identification risk in genomic or rare-disease datasets is not zero and is often underestimated. Cross-border data flows amplify this category significantly.

Category 5: Security

What is the attack surface, and what would an adversary gain by manipulating this model? Generative AI systems accessible to external users create new prompt-injection and data-exfiltration risks that traditional application security programs do not fully address. Gartner has predicted that through 2026, at least 80% of unauthorized AI transactions will come from internal violations of policy rather than external attacks10, which means the security category needs to cover insider misuse as much as external breach. Models that pull sensitive documents into a retrieval pipeline are particularly exposed.

Category 6: Operational Continuity

What happens to the business if this model becomes unavailable, or if its outputs need to be paused? Some models are enrichments to processes that could revert to manual work; others sit on the critical path for high-volume decisions that cannot easily be done by humans in the required time window. This category is where third-party AI dependencies show up: if the model relies on a foundation-model API whose availability, terms of use, or output distribution can change, the operational risk lives here. Concentration risk on one provider is worth naming explicitly.

Category 7: Model Drift

How sensitive is the model to changes in its inputs, its operating environment, or the phenomenon it is trying to predict, and how would you detect a problem? A model trained on 2023 prescribing patterns will not remain accurate in 2027 without monitoring and retraining. A generative model whose underlying foundation model version changes will not produce identical outputs across versions. Industry guidance now treats explainability and drift detection as formal requirements for AI-enabled systems, not optional enhancements11. The drift category is where you name what you will monitor, how often, and what the tripwires are.

A note on category boundaries

Some organizations add categories for ethics and bias, environmental impact, or workforce impact. We generally recommend keeping the seven-category structure and treating those concerns as sub-elements inside patient safety (for bias affecting outcomes in specific populations), operational continuity (for environmental and compute cost), and regulatory exposure (for employment-law implications of workforce AI). More categories look thorough on paper but slow down real assessments and dilute focus on the highest-consequence dimensions.

Scoring Rubrics: Turning Judgement Into Numbers

A category is only useful if two independent assessors would score the same model similarly. The rubrics below give a 1-5 scale for each category, with anchor descriptions at each level. The point is not mathematical precision. It is repeatability: the ability to defend a score by pointing to a specific rubric level and explaining why the model matches it.

Patient Safety Impact Rubric

ScoreLevelAnchor Description
1NegligibleModel output does not influence any clinical, dosing, safety, quality, or manufacturing decision. Example: internal knowledge search across public marketing content.
2LowModel output informs administrative or business processes with no path to patient impact even under stacked failures.
3ModerateModel output could indirectly affect patient safety through a long chain of downstream decisions, all of which include independent human review.
4HighModel output directly informs a decision that could affect patient safety, but is always reviewed by a qualified human before any action.
5CriticalModel output directly drives or automates a decision that affects patient safety, product quality, or GxP release, with no independent human review in the loop, or human review that would not realistically catch model errors in time.

Regulatory Exposure Rubric

ScoreLevelAnchor Description
1NegligibleModel sits fully outside regulated activities; no GxP, no submission relevance, no EU AI Act high-risk classification.
2LowModel touches regulated activities peripherally, e.g., internal training-content drafting for regulated commercial teams.
3ModerateModel contributes to regulated processes but not to final regulated decisions or submissions.
4HighModel output is included in or influences regulated submissions, GxP decisions, or pharmacovigilance case processing.
5CriticalModel qualifies as high-risk under EU AI Act (safety component of a medical device/IVD), or produces evidence that will be presented to a regulator to support approval, licensing, or lot release.

Financial Materiality Rubric

ScoreLevelAnchor Description
1NegligibleFinancial exposure below $100K annually under realistic worst case.
2LowFinancial exposure $100K to $1M; recoverable within one quarter.
3ModerateFinancial exposure $1M to $10M; disclosable in management reporting.
4HighFinancial exposure $10M to $100M; material to segment reporting.
5CriticalFinancial exposure exceeds $100M or would be material to consolidated financial statements.

Data Privacy, Security, Operational Continuity, and Model Drift Rubrics

The same 1-5 structure applies to the remaining four categories. For data privacy, anchors run from “no personal data touched” through “aggregated data only” to “large-scale processing of sensitive-category data including patient health data.” For security, from “isolated internal use, no external inputs” to “internet-exposed generative AI with sensitive data in retrieval context.” For operational continuity, from “outage of any duration has no impact” to “outage of one hour creates unrecoverable business loss.” For model drift, from “static rules with no drift risk” to “high-dimensional foundation model with rapidly changing inputs and no drift monitoring in place.” The full anchor set is worth putting on a single laminated card that every model owner keeps at hand.

What “5” really means

A score of 5 in any category should trigger an immediate escalation to the highest governance body in your escalation matrix. In practice, most models will score 5 in at most one category. If a model scores 5 in three or more categories, the appropriate response is usually not more controls; it is a serious question about whether AI is the right approach for that use case at this time. Do not let the checklist become a way to argue yourself into unacceptable risk.

The AI Risk Register: What It Actually Contains

The AI risk register is a living document that consolidates every model your organization runs, along with its risk scores, controls, owners, and monitoring commitments. If your existing enterprise risk register is where board-level risks are tracked, the AI risk register is a specialized instance that feeds into it. Regulators, auditors, and inspectors increasingly expect one to exist and to be current12.

At minimum, each row in the AI risk register should carry the following fields.

FieldPurpose
Model ID and NameUnique identifier that ties to the AI model registry entry.
Context of UseOne-sentence description of what decision this model informs and how.
Business OwnerNamed accountable individual, not a team or a title.
Technical OwnerThe individual accountable for model performance and drift monitoring.
Category ScoresSeven scores (1-5), each with a one-sentence justification.
Composite Risk TierOverall tier (Tier 1 through Tier 4) derived from category scores.
Inherent RiskRisk before controls, based on category scores.
Applied ControlsThe mitigations in place: validation package, human-in-loop, monitoring, etc.
Residual RiskRisk after controls are applied and effective.
Key Risk Indicators (KRIs)Metrics that trigger review if breached, e.g., accuracy drift, false positive rate.
Last Review DateWhen the risk assessment was last refreshed.
Next Review DateWhen the next assessment is due, based on risk tier.
StatusDevelopment, Pilot, Production, Retired.

The composite risk tier is where scores collapse into a decision. Different organizations will weight categories differently, but a defensible starting rule is: any category score of 5 sets the model at Tier 1; any two category scores of 4 or higher set it at Tier 2; average category score of 3.0 or higher sets it at Tier 3; everything else is Tier 4. Whatever formula you choose, document it and apply it consistently. Do not let the tier be argued case by case, or the register loses its integrity.

TIER 1 — CRITICAL

Full validation, board oversight

Any category scored 5. GxP-grade validation package. Named executive owner. Quarterly review by AI governance board. Independent audit annually.

TIER 2 — HIGH

Enhanced validation, governance review

Two or more category scores of 4+. Formal validation with documented test evidence. Semi-annual governance review. Continuous drift monitoring.

TIER 3 — MODERATE

Standard validation, functional review

Average score 3.0+. Documented testing proportionate to context of use. Annual functional review. Baseline monitoring metrics with defined thresholds.

TIER 4 — LOW

Lightweight controls, self-attestation

All scores below 3. Self-attested assessment by model owner. Annual refresh. Basic monitoring appropriate to the use case.

Integrating With ERM and ICH Q9 Quality Risk Management

An AI risk assessment that lives outside your existing enterprise risk management (ERM) and quality risk management (QRM) programs will be brittle. It will duplicate work, create parallel governance conversations, and eventually be quietly deprioritized when leadership attention moves on. The organizations that make this stick treat the AI risk assessment as a specialized input to the risk systems that already exist, not as a competing program.

The ERM Integration

ERM is where your organization tracks risks that could affect strategic objectives, financial performance, reputation, and regulatory standing at the enterprise level. The AI risk register should feed into ERM via a documented process: any model at Tier 1 or Tier 2 should have a corresponding entry in the ERM register with the same risk owner and control statements. When ERM reports go to the audit committee, the AI risk register should be a named data source, not a separate presentation. This aligns with the emerging view that ERM is quietly becoming pharma’s AI control tower, linking GRC, validation, and regulatory readiness13.

The QRM Integration

QRM under ICH Q9(R1) applies to any activity that could affect product quality, patient safety, or data integrity. Every AI model with a patient safety score of 3 or higher, or a regulatory exposure score of 3 or higher, needs to be visible in the QRM system. Practically, that means the same category scores flow into the site or global QRM committee’s review cadence, and any change to the model that would materially affect the scores triggers a QRM review, not just an IT change record. This is how Annex 22’s requirement to perform a risk assessment consistent with ICH Q9 for each AI use case is operationalized5.

The AI Management System Integration

Organizations pursuing ISO/IEC 42001 certification for their AI management system will find that the risk assessment described here maps neatly to the standard’s requirements. ISO/IEC 42001 explicitly requires organizations to conduct AI impact assessments, maintain risk registers, and implement risk-based controls proportionate to the AI system’s impact14. Structuring the risk assessment this way from the start means the ISO certification effort becomes a documentation exercise, not a rebuild.

What good integration looks like in practice

In the organizations that have this working, a business owner sponsoring a new AI use case fills out a two-page risk assessment as part of the intake. The assessment feeds a single system of record that generates records in the model registry, the ERM register, the QRM change control system, and the AI management system evidence repository. No one has to remember to update four separate places. When any category score changes, the downstream records refresh automatically. The value of this integration is not the automation itself; it is that risk decisions become impossible to hide from the systems that are supposed to be governing them.

The Full Assessment Checklist

The checklist below is the working document a model owner completes for every AI system before it moves out of development, and refreshes on a cadence tied to its risk tier. It is deliberately short. Long checklists are ignored; short ones with real teeth get completed.

1

Context of Use Statement

Write one sentence describing what decision this model informs, who acts on the output, and what happens if the output is wrong. If you cannot write this sentence, you cannot risk-assess the model.

2

Score the Seven Categories

Assign a 1-5 score in each category using the rubrics. For each score, write one sentence explaining why. Scores without justifications are audit findings waiting to happen.

3

Determine the Tier

Apply the organization’s tier rules. Do not override the tier without documented approval from the AI governance body. Overrides are legitimate but must be visible.

4

Confirm Named Owners

Business owner and technical owner must be individuals, not roles. Owners must have accepted accountability in writing. Empty owner fields block tier assignment.

5

Map Controls to Risks

For each category scored 3 or higher, name at least one control that mitigates the risk and identify who owns operating it. Categories scored 4 or 5 need documented control effectiveness evidence.

6

Define Key Risk Indicators

Identify three to five KRIs that would signal a problem: accuracy drift beyond threshold, prediction distribution shift, elevated false positive rate, latency degradation, unusual query patterns. Name the threshold and the response owner.

7

Confirm Human Oversight Design

For any model with a patient safety score of 3 or higher, document exactly how a human catches a model error before harm occurs. “The user will notice” is not oversight design.

8

Set Review Cadence

Tier 1 quarterly, Tier 2 semi-annually, Tier 3 annually, Tier 4 annually or on change. Add a trigger: any category score change of one or more points requires an off-cycle review.

9

Confirm Regulatory Fit

Confirm the model’s fit with FDA credibility framework expectations (if in a submission), EMA Annex 22 (if in EU GMP), EU AI Act high-risk requirements (if applicable), and internal SOPs. Named legal or regulatory reviewer sign-off is required for Tier 1 and Tier 2.

10

Escalate If Needed

Apply the escalation matrix. Do not launch a model whose tier requires a decision from a body that has not yet decided. This is the single most common breakdown, and the single most useful discipline to enforce.

The Escalation Matrix: Who Decides at Each Risk Level

An escalation matrix names, in advance, who has decision authority at each risk tier. This is the part of the framework that people most want to skip and most regret skipping. When a Tier 1 model reaches launch readiness, no one wants to be the person deciding on the fly who signs it off. The matrix removes that friction and, more importantly, creates a defensible record that the right level of oversight was applied.

Risk Tier Approval Authority Required Consultations Cadence
Tier 1 — Critical Executive AI Governance Board with CMO, CQO, CIO, CISO, Chief Privacy Officer, and General Counsel present External regulatory affairs review; independent validation review; risk committee of the board notified Quarterly review; ad-hoc on any category score change of one or more points
Tier 2 — High Functional AI Governance Committee, chaired by CIO or head of digital, with Quality, Security, Privacy, and business function representation Named regulatory or medical affairs consultation; validation lead sign-off; security architecture review Semi-annual review; ad-hoc on any category score change of two or more points
Tier 3 — Moderate Business function head with delegation from AI Governance Committee, plus IT and Quality functional reviewers Standard validation, privacy, and security reviews per SOP Annual review; ad-hoc on any material change to context of use
Tier 4 — Low Model owner self-attestation, countersigned by direct manager Standard IT intake review only Annual refresh; on-change trigger

Two design principles are worth calling out. First, approval authority at Tier 1 must include roles with independent standing, meaning people who can say no without career risk. If the same executive owns both the delivery and the approval, the approval is not real. Second, the escalation matrix should include a route for whistleblowing or bypass concerns. Someone lower in the organization must be able to escalate a concern about a Tier 3 or Tier 4 model that they believe is misclassified, without going through the model owner. A quiet channel to the head of quality or the chief compliance officer works well in most organizations.

Common Mistakes and How to Avoid Them

Mistake 1: Treating All AI Models With Equal Risk

This is the mistake this article is really about. It shows up in two shapes. The first is over-controlling low-risk models: requiring the same validation package for a marketing copy generator as for a signal detection model, then quietly ignoring the process because it is impossibly expensive to apply at scale. The second is under-controlling high-risk models: waving them through because the organization has decided AI is a strategic priority and slowing down is politically difficult. Both are eventual audit findings. The proportionate framework in this article exists to make the difference between the two visible and defensible.

Mistake 2: Confusing the Model Registry With the Risk Register

A model registry is a catalog of models, their versions, their owners, and their technical characteristics. A risk register is a catalog of risks, their scores, their controls, and their governance decisions. They intersect (every model in production should appear in both), but they are different artifacts with different audiences. The registry answers “what do we have running.” The risk register answers “what could go wrong and what are we doing about it.” Merge them at your peril; you will end up with a document that satisfies neither engineering nor governance.

Mistake 3: Static Assessments

Industry guidance now treats AI validation as a lifecycle activity, not a one-time event15. Yet many organizations still run the risk assessment once, at launch, and never touch it again. The world moves. Foundation model versions change. Upstream data sources drift. The regulatory landscape evolves; a model that was Tier 3 in early 2026 may be Tier 2 after the EU AI Act’s high-risk provisions come into full force in August. The review cadence is not optional. If the cadence cannot be met with available governance capacity, that is a signal to either invest in capacity or narrow the AI portfolio, not to skip the reviews.

Mistake 4: Making the Assessment Too Long

The best AI risk assessment in the world is worthless if model owners avoid completing it. We have seen 40-page assessment templates that require six weeks to complete. Predictably, they are only filled out for the two or three models a year that leadership specifically pushes. Everything else runs unassessed. A short, high-signal assessment (the checklist in this article fits on two pages) gets completed. A long, comprehensive one becomes a bottleneck people route around.

Mistake 5: Confusing Validation With Governance

Validation asks whether the model works as intended. Governance asks whether the organization should be using this model at all, and how it will be overseen if the answer is yes. Both are necessary. Neither substitutes for the other. A model can be technically validated and still be governed poorly (no clear owner, no monitoring, no escalation path). A model can be governed well and still fail validation (poor training data, unrealistic performance claims). Keep the two conversations distinct, and make sure both happen for every Tier 1 and Tier 2 model.

Mistake 6: Underestimating Third-Party and Foundation Model Risk

A material share of the AI running in pharma today is not built in-house. It is consumed via APIs from foundation model providers, embedded in SaaS applications, or delivered by specialized vendors. Yet risk assessments frequently treat these as if the risk stopped at the boundary of the enterprise firewall. It does not. When the foundation model behind your regulatory-document drafting tool is updated, the outputs your teams get change. When your vendor’s terms of service change to permit use of your prompts for model training, your data governance posture changes. When a critical AI-powered pharmacovigilance vendor experiences an outage during a signal review deadline, your operational continuity is affected regardless of who owns the model. The risk assessment needs to explicitly address third-party dependencies: which vendor, which model version, which contractual protections, which exit strategy if things go wrong. If this is not visible in the risk register, it is not being managed.

A Worked Example: Two Models, Two Very Different Tiers

Frameworks come alive when applied to concrete cases. Consider two AI models a mid-sized biopharma might deploy in the same quarter.

Model A is a generative AI assistant that helps commercial teams draft first-pass talking points for advisory board meetings. It reads publicly available scientific literature and internal, non-patient-level meeting summaries. Human reviewers always edit the output before use. It scores 1 on patient safety (no clinical decision path), 2 on regulatory exposure (commercial use only, no promotional claims generated), 2 on financial materiality (small productivity gain, no revenue exposure), 2 on data privacy (no personal data), 3 on security (external foundation model, sensitive commercial context), 2 on operational continuity (revert to manual drafting), and 3 on model drift (foundation model versioning). Average score: 2.1. Tier 4. The assessment takes a model owner about 45 minutes to complete, is self-attested, refreshed annually, and satisfies the governance requirement without slowing anything down.

Model B is a machine learning model that supports pharmacovigilance signal triage by scoring incoming case reports for probability of being a validated safety signal. It runs against real patient-level adverse event data. Safety scientists review every high-scored case, but the model’s ranking affects which cases get attention first. It scores 4 on patient safety (indirect impact via triage prioritization, human review present), 5 on regulatory exposure (GVP-regulated, direct submission relevance), 4 on financial materiality (missed signal exposure is material), 5 on data privacy (patient health data at scale), 3 on security (internal system, sensitive data), 4 on operational continuity (backlog builds rapidly if unavailable), and 4 on model drift (real-world drug and disease patterns shift). Any score of 5 sets it to Tier 1. Full validation, quarterly executive AI Governance Board review, independent annual audit, documented human oversight design, KRIs for triage accuracy and drift, external regulatory affairs review. Very different treatment, driven by the same framework.

The value of the framework is not that it produced these specific tier assignments. It is that two different assessors, working independently, would produce essentially the same tier for each model, and that the decision-makers at each level know in advance what they are being asked to sign off on. That is what a proportionate risk framework buys you: consistency, defensibility, and speed at the low end paired with genuine scrutiny at the high end.

The Sakara Digital Perspective

The pattern we see in organizations that get this right is boring: they pick a short, defensible framework, they socialize it across quality, IT, privacy, security, and the business, and they then apply it consistently for two years. The unglamorous consistency is what produces credible evidence for regulators and useful decision-making for leaders. Frameworks that get redesigned every six months never accumulate the track record that makes them worth anything. If you take one thing from this article, take that: pick a version of this framework you can live with, and start living with it now.

Conclusion

The AI models running in pharma today are not going to be governed by a heroic case-by-case act of judgement. They are going to be governed by a small number of standardized artifacts (a scored risk assessment, a risk register entry, an escalation record) applied consistently across a portfolio that will only grow. The seven categories, the 1-5 rubrics, the four-tier structure, and the escalation matrix in this article are a starting point, not the last word. Adapt them to your organization’s risk appetite, regulatory footprint, and existing governance vocabulary. The specific choices matter less than the fact of having a defensible, repeatable, proportionate framework you actually use.

Sakara Digital works with pharma and biotech organizations building this kind of proportionate, defensible AI risk assessment structure from the ground up, or shoring up assessments that have grown ad hoc. If you are exploring how to integrate AI risk assessment with your existing ERM and quality risk management programs and want an independent perspective on where to start, we are happy to have that conversation.