What GAIP Actually Is (and Isn’t)

The Good AI Practice framework emerged from a $12M ARPA-H award to Black Mesa in early 2026 under the DeepMesa track of the CATALYST program (Complex Data Analytics for Trial Advancement, Yielding Safety and Therapeutics).1 The stated goal is a framework and set of technical methods that let regulated organizations use AI in a way that upholds data integrity under 21 CFR expectations, modeled explicitly after Good Laboratory Practice and Good Manufacturing Practice.2

That framing matters, because it tells you what GAIP is trying to be and what it is not. GAIP is a quality system for AI, not a technology, not a platform, and not a certification. It is meant to sit alongside GLP, GCP, and GMP as a companion practice that governs how AI-derived data and AI-produced work get admitted into decisions that regulators later review.

The distinction to hold in your head as you prepare to implement it: GAIP does not replace GAMP 5, ISPE’s July 2025 AI Guide, or EU GMP Annex 22.3 It complements them. GAMP tells you how to validate the system. ISPE’s AI Guide tells you how to think about the AI lifecycle. Annex 22 tells you what is off-limits in critical GMP applications. GAIP is the operating quality practice that ties those together into how your organization actually behaves on any given Tuesday morning when a scientist wants to use a model.

What sets GAIP apart from most of the AI governance material circulating in the industry is that it is deliberately practitioner-scoped. The FDA/EMA principles are directional. The ISPE AI Guide is comprehensive, and at 290 pages that is both a strength and a burden. GAMP 5 Second Edition covers AI but embeds it inside a broader validation framework. Annex 22 is still in draft. What has been missing, until GAIP, is a compact quality practice that a QA director in a mid-cap organization can hand to a team on a Monday and expect them to be running by the end of the quarter. That is the gap Black Mesa’s ARPA-H work is filling, and it is the gap most mid-cap operators are quietly desperate to close.

There is also a second, subtler reason GAIP is landing at the right moment. Every mid-cap pharma organization we speak to is already running AI. In some cases it is sanctioned pilots. In most cases it is a mix of sanctioned pilots, unsanctioned experiments in the notebooks of individual scientists, and vendor tools that arrived through procurement without a quality review. The organizations that assume they are still in a pre-adoption phase are mistaken. They are already in adoption. What they are missing is the framework that would let them see and control what they are already doing. GAIP is designed to close exactly that gap.

The frame that works with senior leaders: GAIP is to AI what GLP was to preclinical toxicology in the late 1970s. Not a new science. A quality wrapper around a practice that had outgrown its informal controls and was starting to produce regulatory findings.

The Eight-Domain GAIP Structure

The public GAIP materials organize the framework into eight practice domains. The exact wording will continue to evolve through the ARPA-H project period, but the domain structure has stabilized enough that mid-cap organizations can safely design against it now. Below is the working structure we use when scoping GAIP implementations.

DOMAIN 1

Purpose and Context of Use

Every AI use case is anchored to a defined question of interest and a documented context of use, mirroring the FDA’s 2025 credibility-assessment approach. If you cannot state the COU in one paragraph, the model is not ready for a regulated decision.

DOMAIN 2

Data Provenance and Integrity

ALCOA+ applied to training, tuning, and evaluation data. Sources, transformations, versions, and consent status are traceable. Applies whether the data is internal experiments, third-party datasets, or public corpora.

DOMAIN 3

Model Development and Documentation

Design history for the model itself. Architecture choices, hyperparameters, feature engineering, and known limitations are captured with the same rigor a validated system would receive under GAMP 5.

DOMAIN 4

Verification and Credibility Assessment

Evidence that the model performs credibly for its context of use, at a level of rigor commensurate with the risk. Test sets, holdouts, and performance thresholds are pre-declared, not chosen after results are in.

DOMAIN 5

Deployment and Change Control

Formal release, versioning, and change-control gates. Includes deliberate handling of dynamic behavior: retraining, fine-tuning, prompt updates, and vendor model changes are treated as controlled changes, not silent updates.

DOMAIN 6

Human Oversight and Decision Records

Documented human-in-the-loop protocols, override logs, disagreement rationale, and periodic sampling of AI-produced work by qualified reviewers. This is where regulators are focusing hardest in 2026.

DOMAIN 7

Ongoing Monitoring and Drift Management

Live monitoring of input distributions and output performance, with pre-defined thresholds and response playbooks. Aligned with GAMP 5 2nd Edition Appendix D11 guidance on dynamic systems.

DOMAIN 8

Governance, Roles, and Training

Named accountable roles, standing AI governance body, competency requirements, and periodic requalification of the people making AI-related decisions. This is the domain that determines whether the other seven actually happen.

Each domain generates a small set of controls, and each control needs an owner, a procedure, and evidence. The practical work of GAIP implementation is standing those up in a way that fits the existing quality management system rather than parallel to it.

A useful mental model is that the eight domains form two clusters. Domains 1 through 4 are the pre-use domains, covering everything that has to be true before an AI system is admitted into a regulated workflow. Domains 5 through 8 are the in-use domains, covering everything that has to remain true while the system is in operation. Most mid-cap implementations under-invest in the second cluster. It is tempting to build a strong intake process and then assume the system will take care of itself once it is in production. That is precisely where regulators are focused, and precisely where drift, silent vendor updates, and shifting user behavior create risk. Budget accordingly.

The other structural point worth internalizing: no domain is optional. A mid-cap organization can and should apply proportionality within each domain, so that a low-risk internal-productivity use case receives lighter treatment than a high-risk regulatory application. But you cannot skip Domain 7 (monitoring) for low-risk cases just because the tier is low. Every registered use case needs at least a minimal monitoring signal, if only because that is how you catch a use case whose risk tier changed while no one was looking.

Mapping GAIP to Existing SDLC and CSV

The fastest way to lose the room in a mid-cap organization is to propose GAIP as a new, standalone quality system. Nobody wants a fourth PDF library and a fifth training curriculum. The move is to map the eight domains against the frameworks Quality and IT already run, then extend rather than duplicate.

For most mid-cap pharma organizations, the anchoring frameworks are GAMP 5 Second Edition, an internal SDLC standard for custom development, and a CSV master plan tied to 21 CFR Part 11 and EU GMP Annex 11.4 GAIP maps cleanly against all three.

GAIP DomainPrimary Existing AnchorWhat Extends
Purpose and Context of UseURS / intended use statementAdd COU narrative, question of interest, risk tier
Data Provenance and IntegrityALCOA+ data governanceExtend to training and evaluation datasets
Model Development and DocumentationSDLC design historyAdd model cards, architecture rationale, limitations register
Verification and Credibility AssessmentCSV IQ/OQ/PQLayer in performance thresholds, holdouts, fairness/robustness tests
Deployment and Change ControlChange management SOPRecognize model retraining and vendor updates as changes
Human Oversight and Decision RecordsReview and approval proceduresFormalize override logs, disagreement rationale, sampling plans
Ongoing Monitoring and Drift ManagementPeriodic review under GAMP 5 2E App D11Add drift thresholds and response playbooks
Governance, Roles, and TrainingQMS and training curriculaAdd AI-specific competencies and standing governance body

Sakara Digital perspective: The organizations that adopt GAIP well are the ones that decide, up front, to treat it as an extension of the existing QMS rather than a parallel program. The organizations that struggle are the ones that let it sit in a Center of Excellence detached from Quality. Ownership should live with the QA function from day one, with technical support from data science and IT.

The Objections You Will Hear, and How to Answer Them

In every implementation, the same objections arrive in roughly the same order. They surface from Quality first, Legal second, IT third, Regulatory Affairs fourth, and R&D last. The pattern is almost universal. Below are the ten we hear most often, with the shape of a defensible answer for each.

1. Quality: “GAIP isn’t a regulation. Why are we volunteering for extra requirements?”

The answer is not “because it’s the right thing to do.” That reads as naive. The answer is that Annex 22 is in draft, the FDA credibility framework is guidance, and the FDA/EMA Joint Principles are non-binding5, and yet inspectors are already asking pointed questions about AI use in the sites they walk into. GAIP is the operating framework that lets you answer those questions with evidence rather than improvisation. Choosing not to implement it does not remove the obligation to demonstrate control. It just means you will demonstrate control worse.

2. Quality: “This doubles our CAPA and deviation workload.”

Only if you treat every AI event as a formal deviation. The better structure, which we have seen work at three mid-cap implementations, is a tiered event register with three levels: monitoring signals that do not escalate, quality events that trigger review but not CAPA, and formal deviations that follow standard CAPA. Fewer than fifteen percent of AI events in a well-run program actually rise to CAPA. The rest are absorbed by the AI governance body’s standing review. Load is manageable if you tier correctly.

3. Legal: “The IP and confidentiality risks from foundation models are unquantified.”

They are quantifiable, and the January 2026 FDA/EMA Joint Principles explicitly assume that companies will address them.6 The mitigation is a three-part structure. First, an approved-tool list that specifies which foundation models, hosted where, under what data-processing terms, are permitted for what classes of information. Second, contractual protections in the vendor agreements, including no-training clauses on customer inputs and audit rights. Third, technical controls: data classification tags, DLP, and prompt-monitoring where warranted. Legal’s role is not to block AI. Legal’s role is to make sure those three layers are in place before the tool goes on the approved list.

4. Legal: “If a model produces a wrong result, who is liable?”

The person who approved the AI-derived decision. That is not a change from how liability already works for any decision-support tool in a regulated environment. The AI does not carry a license; the reviewer does. What GAIP adds is the decision record that shows the reviewer engaged with the output rather than rubber-stamping it. Ironically, GAIP reduces liability exposure by producing the artifacts that would otherwise be missing in litigation. This point moves Legal from opposition to advocacy faster than any other framing.

5. IT: “We cannot validate a system that changes itself.”

You do not have to. GAMP 5 Second Edition Appendix D11 already addresses dynamic systems and points to a lifecycle approach rather than a single-point validation.7 The ISPE AI Guide, published July 2025, extends that approach with practical patterns for prototype, iterative development, formal verification, deployment, and ongoing monitoring across the AI lifecycle.8 Static models get treated like traditional Category 4 or 5 software. Dynamic models get an additional monitoring and change-control envelope, with clear rules about when retraining triggers requalification. Neither pattern requires you to invent new science. Both are documented.

6. IT: “Our identity, access, and audit-trail architecture is not ready for LLM traffic.”

Usually correct, and it is the single most under-scoped item in mid-cap AI programs. The right response is not to slow down GAIP. The right response is to bring identity, access, DLP, and audit-trail coverage into the Domain 5 (deployment) and Domain 8 (governance) scope from day one, with a named IT owner. If you launch GAIP without those, you are building a governance layer on top of infrastructure that cannot prove what it says it is proving.

7. Regulatory Affairs: “None of this appears in the current dossier requirements.”

It appears everywhere in the current dossier requirements, just implicitly. Any AI-derived data used to support a regulatory decision has to satisfy the same source-data quality expectations as any other data. The January 2025 FDA draft guidance on AI in drug and biological product development makes this explicit through the risk-based credibility assessment framework, and the seven-step approach it describes is the working expectation for AI evidence in submissions.9 GAIP produces exactly the artifacts that framework calls for. Regulatory Affairs should be the loudest internal advocate for GAIP once they see the mapping.

8. Regulatory Affairs: “We do not want to be the first inspection case study.”

You will not be. FDA has issued more than 160 data-integrity warning letters between 2017 and 2022 under GMP and 21 CFR Part 11 expectations, and the pattern of enforcement suggests the case studies will come from organizations that used AI without documented controls, not from organizations that adopted a structured framework and can show it.10 Being early on GAIP is the safer position, not the riskier one.

9. R&D: “This is going to slow every experiment down.”

It slows the ones that matter and speeds the ones that do not. For low-risk applications, GAIP prescribes a lightweight review path that adds hours, not weeks. For high-risk applications, where an AI output could influence a submission or a critical process parameter, it adds the review cycle you would want in place regardless. The scientists we have worked with resist GAIP for about ten weeks and then start requesting it, because it is the thing that lets them defend AI-derived findings to their own leadership.

10. R&D: “Our best people will leave if we treat AI like a validated system.”

They will leave if you treat every experimental notebook prompt like a validated system. They will not leave if the framework distinguishes between an exploratory AI use, which sits under a lightweight sandbox policy, and a regulated AI use, which follows the full lifecycle. Domain 1 (purpose and context of use) is the domain that keeps this distinction alive. The failure mode is when Quality applies GAIP flat across everything. Do not do that.

One additional pattern is worth flagging because it shows up in almost every implementation: an eleventh objection, unspoken, from the executive layer. It usually sounds like “this feels like a compliance program, and we need it to feel like a strategic capability.” The response is that GAIP does both, but only if the leadership team narrates it that way. A framework that only ever gets discussed in Quality Council meetings will land as a compliance burden. A framework that shows up in board updates alongside pipeline milestones, that is referenced in earnings prep when analysts ask about AI, and that appears in the annual report’s risk and opportunity sections, will land as a strategic asset. The framework is the same. The framing determines how the organization experiences it.

The objection you should worry about most: the one that never gets voiced. When a function goes quiet on GAIP, they are either not engaged or actively planning to route around it. Silence from Legal, Regulatory Affairs, or R&D at the design stage means the objection will surface at the wrong time. Draw them out during scoping, on the record.

Resourcing the Program at Mid-Cap Scale

A common early mistake is to size a GAIP program against a large-pharma model and conclude it is unaffordable. A mid-cap organization with revenue between $500M and $5B and roughly 30 to 80 AI use cases in the first eighteen months does not need a large-pharma structure. What it needs is a small standing team, clear ownership across existing functions, and a governance body that meets often enough to move at the pace of the use cases.

Below is the shape of a workable mid-cap resourcing model in the first year, based on the implementations we have supported.

2.5 Full-time equivalents dedicated to GAIP program office in year one
~$800K Total year-one program cost range, inclusive of tooling and outside advisory
30-80 AI use cases a mid-cap organization typically registers in the first 18 months

Program office (2.5 FTE)

A named GAIP program lead sitting inside QA, a technical lead sitting in the AI/data team who owns the Domain 2 through 5 practices, and a half-time regulatory affairs partner. This is not a Center of Excellence, and it is not the whole team. It is the standing kernel.

Governance body (part-time)

A standing AI governance council chaired by the QA program lead, with named representatives from Legal, IT, Regulatory Affairs, Clinical, Manufacturing (if relevant), and R&D. Meets every two weeks in the first year, monthly once mature. Handles use-case admission, tier assignment, risk register review, and periodic recall of prior decisions. This body is where most of the actual GAIP work happens.

Distributed accountability (embedded)

Each business function that uses AI names a GAIP liaison, usually a senior scientist or operations lead who already has QMS familiarity. They handle intake, provide first-pass documentation support, and escalate to the governance body. The right liaisons are people who were already the informal quality voice in their function.

External support (bounded)

An outside advisor who has run this before, engaged for scoping, framework mapping, first three tier decisions, and quarterly reviews. This role is deliberately time-boxed. Its purpose is to accelerate the first six months and then step back. Programs that keep external support permanently are usually a signal that internal ownership never fully landed.

Tooling (right-sized)

Mid-cap organizations consistently over-invest in tooling in the first year. The instinct is to purchase an AI governance platform, an evaluation tool, and a monitoring stack all at once. The better sequence is to run the first three pilots using the tools you already have: your existing document management system for records, your existing ticketing system for the governance body’s decisions, and a lightweight spreadsheet for the AI register. When those workflows start to feel painful because the volume has genuinely grown, that is the signal to introduce purpose-built tooling. Selecting tools before you understand the shape of your own workflow guarantees you will buy the wrong thing.

Total year-one program cost, inclusive of the FTEs, external advisory, and modest tooling investment, typically lands between $600K and $900K for a mid-cap organization. That figure is what CFO conversations should anchor on, and it is a fraction of the exposure created by any single warning letter, delayed submission, or contested claim in a labeling or promotional review.

Common Early Implementation Mistakes

Across the mid-cap GAIP implementations we have seen or supported, the same avoidable mistakes cost the most time. They are worth flagging directly.

1

Starting with the framework, not the use cases

Teams that spend the first three months writing SOPs before touching a single real AI system produce documents that no one uses. The right sequence is: pick three use cases across a range of risk tiers, work them end to end, and let the SOPs emerge from what actually worked. Framework-first almost always fails.

2

Flattening risk tiers

Applying the same rigor to a scientist summarizing a paper as to a model influencing a submission destroys credibility. Domain 1 exists to separate these. The first tier decision you make sets the tone for every subsequent one.

3

Ignoring vendor and platform choices

Foundation-model and platform selection decisions made outside GAIP produce landed AI systems the framework cannot govern. Procurement and vendor management need a GAIP-aware intake path from month one.

4

No sunset criteria

Programs that never retire AI systems accumulate a validated-in-name-only surface area that is unsupportable at year three. Every registered AI use case needs a documented retirement trigger from day one.

5

Treating shadow AI as a compliance failure instead of a design signal

The FDA/EMA Joint Principles specifically flag shadow AI use as a leadership issue, not a user problem.11 If your scientists are using ChatGPT outside sanctioned channels, that is a signal that your sanctioned path is too slow. Fix the path. Do not punish the users.

A 90-Day Pilot Plan

The most durable GAIP implementations we have seen start with a bounded 90-day pilot that produces three things at the end: a workable framework mapped to the existing QMS, three use cases running end to end at different risk tiers, and a governance body that has actually met and made decisions. The plan below is what that looks like in practice for a mid-cap organization.

1

Days 1-14: Scope and inventory

Stand up the interim governance body with named leads from QA, IT, Legal, Regulatory Affairs, and R&D. Run a rapid inventory of current AI use, including shadow use surfaced through amnesty. Map the eight GAIP domains against the existing QMS, SDLC, and CSV frameworks. Draft the tier definitions.

2

Days 15-30: Select and admit three pilot use cases

Pick three use cases that span the risk tiers. Typical mid-cap picks: an internal-productivity LLM (low tier), a preclinical predictive model or literature-review assistant (medium tier), and a regulatory-writing or QC-adjacent use case (high tier). Run each through the governance body’s admission process. Document the COU for each.

3

Days 31-60: Build the controls that actually work

For each pilot use case, produce the minimum viable artifacts across Domains 2 through 7. Data provenance record. Model or system documentation. Verification evidence at a rigor matching the tier. Deployment and change-control approach. Human oversight protocol. Monitoring plan. Where existing SOPs work, extend them. Where they don’t, write minimum-viable procedures.

4

Days 61-80: Operate the framework in the open

Run the governance body on its intended cadence. Bring at least two additional real use cases through admission. Handle a simulated deviation or drift event end to end. Invite internal audit to observe. This is where the framework earns credibility.

5

Days 81-90: Codify and scale

Convert the working artifacts into permanent SOPs. Publish the tier definitions and admission process. Set the year-one target for use-case registration. Announce the standing governance body. Confirm named accountable roles across Domain 8. Brief the board or executive committee on the framework and its regulatory alignment.

What good looks like at day 90: The organization can produce, on demand, a list of every registered AI use case, its tier, its named owner, its most recent monitoring signal, and its last governance-body decision. That single artifact is the single strongest inspection-readiness signal a mid-cap organization can generate in the current environment.

The Jan 2026 FDA/EMA Joint Principles Alignment

The January 14, 2026 FDA/EMA joint publication of ten guiding principles for good AI practice in drug development was the most consequential regulatory event for pharma AI in years, not because it introduced new rules but because it aligned the two authorities that matter most.12 The principles are non-binding, high-level, and human-centric. They cover the full lifecycle from research to post-market safety and are the framing regulators will use.

The story to tell your board is that GAIP is not a competing framework. It is the operating quality practice that produces the evidence the FDA/EMA principles assume you have. The principles ask for a human-centric, risk-based approach. GAIP’s Domain 1 (purpose and context) and Domain 6 (human oversight) deliver it. The principles emphasize data quality and traceability. GAIP’s Domain 2 (data provenance) is designed around that expectation. The principles call for lifecycle governance. GAIP’s Domain 5 (deployment and change control) and Domain 7 (ongoing monitoring) provide it. The principles expect transparency about model limitations. GAIP’s Domain 3 (model documentation) covers it.

For an inspector or an auditor arriving in 2027 or 2028, the question will not be “did you adopt GAIP?” The question will be “how do you satisfy the FDA/EMA principles?” GAIP is a defensible answer to that question. Improvisation is not.

A second alignment story is worth telling: the story of how GAIP sits inside the broader regulatory stack. In the United States, the FDA’s January 2025 draft guidance on AI in drug and biological product development introduces a seven-step credibility assessment framework organized around the context of use. GAIP’s Domain 1 and Domain 4 are the operational instantiation of that framework, and an organization that has implemented GAIP well can produce the credibility-assessment artifacts the FDA expects almost as a byproduct of its normal workflow. In the European Union, Annex 22 (still in draft as of mid-2026) will set specific expectations for AI in GMP-regulated environments, with particular focus on dynamic and probabilistic models in critical applications. GAIP’s Domain 5 and Domain 7 give an organization the change-control and monitoring architecture Annex 22 will require. The EU AI Act, with its risk-tier classification and heavy documentation requirements for high-risk systems, maps against GAIP’s Domain 1 (tiering) and Domain 3 (documentation). ICH is expected to weigh in during 2027 and 2028, and any ICH guideline that lands will almost certainly ratify the same operating patterns GAIP prescribes.

The practical implication for a mid-cap operator is that GAIP is not a bet on one regulator’s approach. It is a bet on the shared operational logic that all of the major AI guidance documents already converge on: purpose, provenance, documentation, credibility, controlled deployment, human oversight, monitoring, and governance. Any framework that gets those eight things right will satisfy the substantive expectations of every AI guidance document currently in circulation. GAIP just packages them into a form a mid-cap can operate.

How to frame it in the board deck: The FDA/EMA principles define what regulators expect. GAIP is how we deliver it. Annex 22 (draft) tells us what is off-limits in critical GMP applications. ISPE’s AI Guide gives us the technical patterns. GAMP 5 2E gives us the validation approach. GAIP is the operating quality practice that ties all four together into how this company actually behaves.

Conclusion

Every mid-cap pharma organization is going to adopt something like GAIP over the next twenty-four months, whether it calls it GAIP or something else. The regulatory landscape has moved far enough that the choice is no longer between structured AI governance and unstructured AI governance. It is between structured AI governance you designed on your own terms, or structured AI governance imposed by an inspection finding, a warning letter, or a lost submission cycle. The organizations that move first will not just be safer. They will be faster, because the framework, once in place, is what lets scientists and operations leaders defend AI-derived work to their own internal reviewers.

Sakara Digital works with pharma and biotech organizations building this kind of AI quality practice, including mid-cap operators who need a framework that respects their scale rather than mimicking large-pharma structure. If you are exploring GAIP adoption, mapping the eight domains against your existing QMS and SDLC, or running the internal socialization needed to bring Quality, Legal, IT, Regulatory Affairs, and R&D onto the same page, we are happy to have that conversation.