Executive Summary
“Good AI Practice” or GAIP is an informal but increasingly recognized term covering the convergence of FDA, EMA, ICH, and ISO guidance on the responsible use of AI in regulated pharma activities. While no single document yet bears the name, the practical effect is the same: pharma quality leaders need to extend their QMS to cover AI in ways that align with FDA’s Good Machine Learning Practice principles, EMA’s reflection paper, ICH discussions on AI in CMC and clinical use, and emerging ISO standards.
This article translates the regulatory direction of travel into concrete QMS additions, validation alignment, and a practical assessment of the cost of waiting. We cover what’s already clear, what’s still moving, the QMS investments that will hold up regardless of how the final regulations land, and a 90-day plan for organizations starting now.
The Emerging Good AI Practice Framework
“Good AI Practice” is a working term, not a published regulation. It captures the practical convergence of guidance from multiple regulators on what responsible AI use looks like in pharma. The phrase parallels GxP — Good Manufacturing Practice, Good Clinical Practice, Good Laboratory Practice — and reflects a growing recognition that AI deserves a similar discipline of standards.
The driving documents include FDA’s Good Machine Learning Practice principles (2021) and the more recent guiding principles for Good AI Practice in drug development, EMA’s 2024 reflection paper on the use of AI in the medicinal product lifecycle, ICH discussions on AI in CMC and clinical contexts, and ISO standards including ISO/IEC 42001 (AI management systems) and ISO/IEC 23894 (AI risk management). Together, these create a coherent direction even though no single document yet integrates them.
Pharma quality leaders who wait for a single, consolidated regulation before extending their QMS are accepting a real risk: the regulatory direction is already clear enough to act on, and inspections increasingly reflect it.
The pattern is not new. GMP, GCP, and GLP all emerged through similar convergence — multiple regulator inputs, industry practice, and standards bodies aligning over time around a coherent expectation set. Pharma quality leaders who lived through earlier convergences recognize the pattern and act on the direction of travel rather than waiting for the destination.
The FDA Perspective
FDA’s published positions on AI are pragmatic and increasingly specific. The 2021 GMLP principles, jointly issued with Health Canada and the UK MHRA, established ten core principles covering data quality, model selection, performance, lifecycle management, and human oversight. These principles were originally framed for software-as-medical-device but their applicability has expanded.
FDA’s 2024-2025 publications on AI in drug development have extended the framework to AI use in clinical trials, pharmacovigilance, manufacturing, and submissions. The agency’s stated direction includes risk-based oversight aligned with use case context, lifecycle management with provisions for model updates, transparency expectations for sponsor submissions, and human oversight commensurate with risk.
What’s specifically expected:
- Risk-based classification of AI use cases by regulatory and patient impact
- Documentation of model development, validation, and performance
- Lifecycle management with change control for material updates
- Bias and fairness assessment for use cases with patient-impact dimensions
- Human oversight commensurate with the autonomy of the AI system
- Transparency in submissions where AI is materially used
Predetermined Change Control Plans
One of FDA’s most consequential conceptual contributions is the Predetermined Change Control Plan (PCCP) for software-as-medical-device. The PCCP allows sponsors to define in advance the kinds of model changes that will occur during the lifecycle, the validation that will accompany them, and the conditions under which they trigger regulatory action. The principle has implications well beyond medical devices — pharma sponsors using AI in regulated workflows can apply analogous thinking to model lifecycle management within their QMS, even where the regulatory path is different.
The EMA Perspective
EMA’s reflection paper on AI in the medicinal product lifecycle (published in draft in 2023, finalized in 2024) is more comprehensive than FDA’s published guidance to date. It covers the full lifecycle from drug discovery through post-marketing pharmacovigilance.
The reflection paper organizes AI use cases by regulatory impact tier and articulates expectations for each. The high-impact tier — including AI in clinical decision-making and submissions evidence — receives the most stringent expectations: full validation, human oversight, transparency to regulators, and ongoing monitoring. Lower-impact tiers face proportionally lighter expectations but are not exempt from QMS coverage.
EMA has also been more explicit than FDA about expectations for model lifecycle management — specifically, that changes to AI models that materially affect output behavior trigger change-control obligations comparable to other system changes in regulated environments.
The EU AI Act overlay
EMA’s expectations sit on top of, not separate from, the broader EU AI Act regime. AI use cases in pharma may fall into the EU AI Act’s high-risk classification depending on context, with corresponding documentation, conformity assessment, and post-market monitoring obligations. Pharma quality leaders operating in Europe need to understand the interaction between EMA-specific expectations and EU AI Act obligations — they overlap but are not identical, and managing both efficiently requires deliberate framework design rather than parallel streams of work.
Where the Two Are Converging
Despite different formats and timing, FDA and EMA are converging on a recognizable set of expectations:
| Expectation | FDA Position | EMA Position |
|---|---|---|
| Risk-based oversight | Aligned with use case context and patient impact | Tiered by regulatory impact |
| Lifecycle management | Predetermined Change Control Plans for SaMD; broader expectations emerging | Explicit change-control obligations for model updates |
| Validation | Performance, data quality, ongoing monitoring | Full validation for high-impact use cases; proportional for lower tiers |
| Human oversight | Commensurate with autonomy | Required for high-impact use cases; maintained for medium tiers |
| Transparency | Disclosure in submissions where AI is materially used | Documentation in regulatory dossiers |
| Bias and fairness | Required for use cases with patient impact | Required for use cases affecting patient populations |
The convergence is real enough that pharma organizations operating in both jurisdictions can reasonably build a single QMS framework that satisfies both. Diverging where the agencies actually differ — and there are some differences in emphasis around generative AI and post-market surveillance — should be the exception, not the rule.
The QMS Additions That Matter Most
Pharma QMS systems were designed in an era when “computerized system validation” largely meant validating deterministic software. AI introduces dimensions the original frameworks didn’t anticipate. The QMS additions that matter most:
1. AI use case inventory and classification
A maintained inventory of all AI use cases in the organization, with each classified by risk tier. The inventory should include status, owner, validation evidence, and last review date. This is the single most foundational QMS addition; without it, no other GAIP discipline is possible. The inventory has to capture vendor-embedded AI features as well — the AI capabilities in Microsoft Copilot, Salesforce Einstein, or ServiceNow that are quietly active in your environment also belong in the inventory, even if you didn’t deploy them as standalone use cases.
2. Tiered validation framework for AI
A documented validation methodology that aligns with use case tier. Tier 1 (low-risk, productivity) gets a lighter framework; Tier 2 (decision support) gets a structured framework with performance, bias, and ongoing monitoring; Tier 3 (autonomous or GxP-impacting) gets full validation comparable to other regulated systems.
3. Model lifecycle and change control
SOPs that define how model updates, vendor-driven changes, and configuration adjustments are evaluated, approved, and documented. Material changes trigger revalidation. Minor changes are tracked but don’t require full revalidation. The decision tree for distinguishing the two needs to be explicit. Vendor-driven changes need particular attention because they happen on the vendor’s schedule, not yours, and the QMS has to accommodate that asymmetry.
4. Performance monitoring and drift detection
Ongoing measurement of model performance against defined benchmarks, with thresholds that trigger investigation or revalidation. The monitoring approach scales with tier — Tier 3 use cases get continuous monitoring with formal review; Tier 1 use cases get periodic spot checks.
5. Human oversight requirements
Clear definitions of where humans are required in the loop, what their role is, and how their oversight is evidenced. For high-tier use cases, the human oversight requirement should be designed in, not bolted on. Inspectors will increasingly ask not just whether oversight is required, but how it’s evidenced — sign-offs, audit trails, documented rationale for accepting or rejecting AI output.
6. Bias and fairness assessment
Where applicable — particularly for use cases that affect patients or patient populations — documented assessment of bias, fairness, and representativeness. Re-assessment when models change or populations shift.
7. Vendor and model provenance documentation
Documentation of model provenance, vendor relationships, training data lineage where available, and contractual provisions for change notification and validation cooperation.
8. Incident management for AI
Often overlooked: a defined incident management procedure specific to AI failures. AI incidents look different from traditional software incidents — they may involve performance drift, unexpected outputs, bias revealed in production, or vendor-side issues that affect output quality. The QMS needs an incident pathway designed for these patterns, with appropriate triage, root cause analysis, and CAPA mechanisms.
Validation Alignment Under GAIP
Validation under emerging GAIP expectations differs from traditional CSV in several specific ways:
- Statistical rigor. AI performance is measured statistically; validation evidence reflects probability distributions rather than binary pass/fail.
- Lifecycle, not point-in-time. Validation is an ongoing activity, not a single event. Performance monitoring becomes part of the validated state.
- Human factors integration. The validated state includes the human oversight workflow, not just the AI component.
- Population representativeness. Validation evidence has to address whether the model performs adequately across relevant population segments.
- Transparency expectations. Validation documentation has to be intelligible to inspectors who may not have AI specialization.
Validation strategy should be developed in close partnership between Quality, IT, the use case owner, and where applicable Regulatory. Validation strategy that’s developed in isolation by any single function tends to miss requirements from the others.
What “validated” means for a probabilistic system
A subtle but important point: traditional CSV produces a binary answer (validated or not) about a deterministic system. AI validation produces evidence about a probabilistic system whose performance can be characterized but never reduced to binary. The QMS framework has to accommodate this conceptually — what does it mean to say a Tier 3 AI system is “in a validated state”? Typically, it means the system’s performance has been characterized to a standard appropriate for the use case, monitoring is in place to detect material drift, and a defined response procedure exists if drift is detected. This is a richer concept than traditional CSV produced, and the QMS language has to evolve to capture it accurately.
The Cost of Waiting
Some pharma organizations are waiting for fully consolidated GAIP guidance before extending their QMS. This is a real strategic choice with real costs:
- Inspection exposure. Active AI use cases in production today are within scope for inspection. Inspectors are increasingly asking targeted questions about AI governance, and “we’re waiting for clearer guidance” is not an inspection-grade answer.
- Compounding remediation cost. Every additional AI use case deployed without proper QMS coverage adds to the eventual remediation burden. Organizations that delay tend to face larger, more disruptive cleanups.
- Vendor leverage erosion. Organizations that haven’t operationalized GAIP are weaker negotiators with AI vendors on validation cooperation, change notification, and contractual protections.
- Strategic mispricing. AI ROI cases that don’t reflect real GAIP-aligned costs systematically overstate returns. Decisions get made on flawed economics.
- Talent signal. The pharma quality talent market is increasingly aware of which organizations are taking AI governance seriously. Lagging organizations have a harder time recruiting.
The corrective is to start now with a measured, risk-tiered QMS extension. Tier 3 use cases are addressed first; Tier 1 and 2 follow. The work doesn’t need to be complete before it starts adding value — even a published inventory and a tier classification SOP put the organization in a materially better position than the status quo.
Getting Started: A 90-Day Plan
For organizations beginning the QMS extension now, a workable 90-day plan looks like this:
- Days 1-30: Inventory and classification. Survey the organization for active AI use cases including vendor-embedded ones. Draft a tier classification SOP. Get cross-functional buy-in on the tier definitions.
- Days 30-60: Triage and prioritization. Apply the classification to all known use cases. Identify Tier 3 use cases with material gaps in current QMS coverage. Develop a remediation roadmap with sequencing.
- Days 60-90: First Tier 3 use case under formal governance. Bring the highest-priority Tier 3 use case into the new framework. Validate the framework against this real case. Adjust based on what’s learned.
By day 90, the organization should have a published tier classification SOP, a current AI use case inventory, an executive-visible roadmap for QMS extension, and at least one use case operating under the new framework. This is not “complete” GAIP coverage — that takes 18-24 months — but it’s a credible position for inspection and a foundation for the longer journey.
The organizations that will be best positioned over the next two to three years are the ones that started this work in 2024 or earlier. The organizations that wait until consolidated regulation lands will find themselves catching up under inspection pressure, which is materially harder than building the framework on their own timeline. The direction of travel is clear; the cost of acting on it now is far lower than the cost of acting on it later.
Inspection Readiness Under GAIP
Inspection readiness is the practical test of whether a GAIP-extended QMS holds up. Inspectors at major pharma facilities are increasingly asking AI-specific questions, even when AI is not the explicit focus of the inspection. The pattern of questions is becoming recognizable enough that organizations can prepare for it deliberately rather than reactively.
The questions inspectors are most likely to ask:
- “Show me your inventory of AI use cases in this facility, including vendor-embedded AI features.”
- “How are these classified by risk, and what’s the rationale for the classifications?”
- “Walk me through validation evidence for one of your higher-tier use cases.”
- “How do you handle changes — both the ones you initiate and the ones the vendor makes?”
- “Show me performance monitoring data for an AI system in production. What thresholds trigger investigation?”
- “Where is human oversight required, and how is it evidenced?”
- “What happens when the AI gets something wrong? Show me an incident record.”
- “How are training and competency for AI-augmented work being managed?”
None of these questions are exotic. They mirror the questions inspectors have asked about validated computerized systems for years, adapted for AI specifics. Organizations whose QMS extension is real produce specific, evidence-backed answers to each. Organizations whose extension is paper-only struggle to answer with the specificity inspectors expect.
Building inspection readiness into the framework
The most efficient inspection-readiness strategy is to build the readiness into the framework itself rather than to prepare for inspections separately. Practices that consistently pay back:
- Maintain the inventory continuously. An inventory that’s current at all times is inspection-ready by definition. An inventory updated only before inspections is fragile and often inaccurate.
- Document decisions with rationale at the time they’re made. Reconstructing rationale months or years after the fact is harder, less credible, and produces inconsistent documentation.
- Run simulated walkthroughs annually. Have a senior QA practitioner walk through the framework as if they were an inspector, looking for gaps. This surfaces issues before they’re surfaced by an actual inspector.
- Treat the documentation as a working asset. If the documentation is only opened during audits, it’s stale. If it’s used in normal operations, it stays current.
- Invest in inspector-facing summaries. Create concise summary documents for each governance area that allow inspectors to orient quickly. Inspectors who orient quickly tend to ask less probing questions.
The framework that works under inspection is the framework that works in normal operations. Inspection readiness is not a parallel discipline — it’s the visible manifestation of whether the QMS extension is real. Pharma organizations that internalize this distinction tend to have the smoothest inspection experiences and the most credible regulatory posture.