Why Regulatory Authoring Is a Different Validation Problem

Traditional computerized system validation was built around determinism. The same input produces the same output. Audit trails assume a stable relationship between an action and its result, and change control assumes discrete releases with fixed behavior between them. Generative AI breaks each of those assumptions in ways that matter to the FDA, the EMA, and any quality unit accountable for the record.

The EMA’s Reflection Paper on the use of Artificial Intelligence in the medicinal product lifecycle, adopted by CHMP and CVMP in September 2024, is blunt about the risk: generative language models are prone to include plausible but erroneous output, and quality review mechanisms must be in place to ensure that all model-generated text is both factually and syntactically correct.5 A published clinical safety framework for LLM-generated medical text observed a 1.47 percent hallucination rate and a 3.45 percent omission rate across 12,999 clinician-annotated sentences, even when the model was well-tuned for the task.6 Those numbers sound small. They are catastrophic if any of them land in an efficacy summary or a Table 14.

What makes regulatory authoring genuinely difficult, from a validation perspective, is the intersection of three properties:

  • Non-determinism. A temperature setting above zero, model updates, and even minor prompt variations can shift outputs. Two runs on the same protocol can produce different narrative summaries.
  • Opacity. Foundation models cannot be inspected the way a rules-based extractor can. Explanations are approximations, not source code.
  • Shared accountability. The vendor controls the model. The pharma organization controls the prompts, the source documents, and the review workflow. Both influence output quality, and only one signs the record.7

None of these properties disqualify GenAI from GxP use. They do force the validation program to move away from a pass-or-fail acceptance test and toward a lifecycle model that treats the AI system, its prompts, and its human review layer as a single validated unit.

180 to 80 Hours to author a first-draft CSR before and after gen AI at Merck1
1.47% Hallucination rate observed in a published clinical text LLM safety framework6
20 to 30% Deloitte estimate of medical writer effort reduction from AI-driven automation8

GAMP 5 Second Edition and the Category 5 Treatment of GenAI

The ISPE published GAMP 5 Second Edition in July 2022. It modernised the guide for cloud, agile, open source, and delivered a first pass at AI/ML through Appendix D11. In July 2025 the ISPE followed with the standalone GAMP Guide: Artificial Intelligence, a 290-page framework intended to be used in parallel with GAMP 5 Second Edition specifically for AI-enabled GxP systems.23

How the category assignment works

A GenAI system used to author regulatory documents lands in Category 5, the custom or configurable software category. The foundation model is not custom code written by the pharma company. What sits on top of it — the prompt library, the retrieval-augmented generation pipeline, the document templates, the review workflow, the integration with the eTMF or the regulatory information management system — is configured for the specific intended use. That configuration is where most of the validation effort lives.10

There is a temptation, especially when the underlying model is a hosted commercial service, to assign the tool to Category 4 (configured products) on the grounds that “we are just calling an API.” That framing misreads what the AI Guide actually asks the sponsor to control. The moment the pharma company designs prompts, curates a grounding corpus, defines an output specification, and stitches the model into a document review workflow, the system is behaving as configurable custom software. The sponsor is not choosing between menu options in a packaged application; the sponsor is composing a bespoke pipeline whose behavior is inseparable from decisions the sponsor made. Category 5 is the honest classification.

What the AI Guide adds on top

The 2025 AI Guide overlays additional lifecycle activities that GAMP 5 alone does not address in depth. The guide emphasises Quality Risk Management (QRM) as the central mechanism for ensuring patient safety, product quality, and data integrity when the system is AI-enabled. It identifies AI-specific risks — data bias, algorithmic error, model drift — and outlines how to identify and mitigate them. Critically, the guide describes an iterative development lifecycle that begins at the concept phase with prototyping, moves through evaluation of performance and formal verification, and transitions into ongoing monitoring, with performance indicators evaluated against suitable data throughout the model’s life.3

SD Perspective. The temptation is to treat the GenAI writing tool as a shiny new Category 5 configured system and validate it once. That is a validation approach designed to age badly. Foundation models change. Prompt libraries evolve. Retrieval pipelines get retrained. The validation program has to be built to absorb those changes with proportionate re-verification, not to be redone from scratch every quarter.

Defining Intended Use and Sizing the Risk

Every downstream decision in the validation program flows from a precise statement of intended use. Vague intended use produces bloated validation packages and, worse, gaps that show up in an inspection.

Write the intended use like a regulator will read it

A well-scoped intended use statement for a GenAI regulatory authoring system answers four questions concretely:

  • What document types will the system draft? (Protocol synopses, full protocols, Investigator Brochures, CSR sections 9 through 16, CTD Module 2.5 summaries, response-to-question drafts.)
  • What source documents ground the drafts? (SAP, protocol, TFL package, historical CSRs in the therapy area, previous regulatory correspondence.)
  • What is the human review model? (Draft-then-review with sentence-level attestation, section-level attestation, full rewrite permitted, and so on.)
  • What decisions does the output support? (Internal draft only, external submission, regulatory correspondence, labeling.)

Intended use is also where legacy validation habits do the most damage. Teams accustomed to configured off-the-shelf products tend to write intended use in generic terms — “the system will assist medical writers in drafting clinical documents” — and rely on downstream URS and FRS documents to carry the specificity. That approach falls apart for GenAI because the specificity is what controls the model’s behavior, not just what documents it. If the intended use does not name the document classes, the source documents, and the human review model, then the risk assessment cannot be sharp, the test corpus cannot be representative, and the audit trail cannot capture what future reviewers need.

Size the risk before choosing the controls

The FDA’s January 2025 draft guidance on AI to support regulatory decision-making introduces a seven-step, risk-based credibility assessment framework. Steps 1 and 2 define the AI model’s role and scope. Step 3 assesses model risk based on the influence the AI has on the decision and the consequence of an error. Steps 4 through 6 produce and execute a credibility assessment plan. Step 7 evaluates adequacy for the specific context of use.4 Applied to a document authoring system, the framework forces a pharma organization to be explicit that a first-draft CSR narrative reviewed by two experienced writers is a low-influence, medium-consequence use, and to demonstrate that the plan is proportionate.

MODEL INFLUENCE

How much of the final output is authored by AI?

A system that produces a 90 percent complete draft that a writer edits is different from a system that suggests three-word completions. Higher influence increases the burden of demonstration.

DECISION CONSEQUENCE

What happens if the output is wrong?

Internal-only working documents carry less risk than text destined for the eCTD. Consequence drives the depth of test coverage and the seniority of the reviewer.

SOURCE FIDELITY

Is the AI grounded in specific source documents?

Retrieval-augmented generation grounded in the SAP and protocol is materially less risky than freeform generation. Validation should verify the grounding actually holds.

CHANGE FREQUENCY

How often does the underlying model update?

A hosted foundation model that updates monthly requires different change control than a fine-tuned model held at a fixed version. Frequency drives the monitoring cadence.

Prompt Library Governance as a Configuration Artifact

Prompts are configuration. That is the single most important framing shift for a quality unit stepping into GenAI validation. A prompt library is not a document repository or a marketing asset. It is a set of configuration parameters that materially controls system behavior, and it needs to be governed with the same rigor as any other configuration.

What a governed prompt library looks like

A defensible prompt library has, at minimum, the following properties:

  • Version control. Every prompt has a unique identifier, a version number, an owner, an effective date, and a superseded date. Changes flow through a change record.
  • Purpose statement. Each prompt has a short, plain-English description of what it does, which document type it applies to, and which model it is validated against.
  • Test evidence. Each prompt is linked to the test set that qualified it and the current pass rate against that test set.
  • Access control. Not every user can edit every prompt. Authoring prompts for a CSR are gated to trained regulatory writing users; safety-narrative prompts to safety writers.
  • Audit trail. Prompt edits are recorded with actor, timestamp, before-and-after content, and rationale.

A common failure mode. Teams stand up an internal wiki page called “prompt library” that anyone can edit. Six months in, no one can tell which version of the “narrative summariser” prompt is in production, and the QA lead cannot show an inspector a controlled document. Treat the prompt library like SOPs. If it can be changed by anyone, it cannot be relied on by regulators.

Prompt qualification testing

Every prompt destined for a validated workflow should be qualified against a curated test set before it enters production. That test set includes representative source documents, expected output characteristics, known adversarial inputs, and known edge cases (missing data, contradictory data, out-of-scope requests). The qualification report becomes part of the prompt’s audit record.

Qualification is not a single event. Prompts drift into and out of appropriateness as underlying models change, as the retrieval corpus grows, and as the organisation’s own conventions evolve. A pragmatic cadence is: full qualification on initial release, targeted regression testing after any material model or retrieval change, and periodic recertification (annual is a reasonable default) even when nothing has visibly changed. The recertification cycle catches slow drift that the change-triggered tests miss.

Retrieval quality is part of prompt quality

Most defensible GenAI writing implementations depend on retrieval-augmented generation: the prompt draws in specific passages from the SAP, the protocol, prior CSRs, or the TFL package before the model composes an answer. The quality of the retrieval step is often what determines the quality of the output, and it should be tested and monitored separately from the model itself. Metrics worth tracking include retrieval hit rate against known-good source passages, grounding failure rate (the model asserts a claim not present in the retrieved passages), and passage relevance scores. If retrieval quality degrades, every downstream prompt degrades with it — and the quality unit needs to see that signal early.

A Hallucination Testing Methodology That Holds Up

Hallucination is not a bug to be squashed. It is a statistical property of the model, and the validation task is to bound it, measure it, and detect it in production. A published clinical safety framework distinguishes between two categories that both matter for regulatory documents: hallucination (a claim in the output not supported by the source) and omission (a material claim in the source not carried through to the output).6 Both need test coverage.

Build a graded test corpus

A defensible hallucination test methodology begins with a curated test corpus. For a CSR authoring system that corpus should contain:

  • Golden set: real historical CSRs where the source documents (protocol, SAP, TFLs) and the human-authored output are known and quality-assured. This is the primary benchmark.
  • Adversarial set: inputs designed to trigger known failure modes (ambiguous efficacy data, negative studies, safety signals, missing tables).
  • Boundary set: inputs that sit at the edge of intended use (unusual therapy areas, non-standard endpoints).
  • Regression set: a fixed subset held constant across releases so trends over time can be tracked.

Score with a taxonomy, not a thumbs-up

A binary “acceptable” score hides the information the quality unit needs to make decisions. A workable taxonomy separates errors into categories with different downstream consequences: factual hallucination, omission of material content, misattribution to a source, statistical misinterpretation, tone or style deviation, and formatting error. Each category gets a target rate, a threshold, and a documented review action.

1

Generate outputs on the fixed test corpus

Run the prompt library and the current model version against the golden, adversarial, boundary, and regression sets. Record raw outputs, timestamps, and model version metadata.

2

Annotate at sentence level

Trained clinical or regulatory writers annotate each sentence against the taxonomy. Naive claim-checking dramatically overestimates hallucination rates in narrative text; inference-aware evaluation grounded in clinical judgment aligns better with expert review.6

3

Compute rates and confidence intervals

Report hallucination rate, omission rate, and error rate by taxonomy category with confidence intervals. Compare against pre-defined acceptance thresholds. Fail-open is not appropriate for CTD-bound content.

4

Root-cause investigate outliers

Every threshold breach gets a documented investigation: was it a prompt defect, a source data gap, a retrieval failure, a model regression? The finding drives a change record.

5

Publish the qualification report

The report includes the test corpus manifest, the taxonomy, sentence-level results, aggregated rates, root-cause findings, and the residual-risk statement. It is signed by the process owner and the quality unit.

What “acceptable” actually means. There is no regulatory or industry consensus threshold for an acceptable hallucination rate in regulatory writing. That is a decision each organization has to make, tied to the intended use, the depth of human review, and the risk tolerance of the affected document class. What is not acceptable is having no measured rate at all.

Human Oversight, Review Design, and Sign-Off

Human oversight is the single most important compensating control for a GenAI authoring system, and it is the control regulators will probe hardest. The EMA reflection paper explicitly requires quality review mechanisms to ensure model-generated text is factually and syntactically correct. Independent guidance on human-in-the-loop AI validation emphasises that oversight has to be genuine — the reviewer needs the training, the time, and the access to source materials required to actually catch an error.57

Design the review, do not assume it

Human-in-the-loop is a design pattern, not a policy statement. The validation team should specify:

  • Reviewer qualifications. Who is qualified to review AI-generated regulatory content, and how is that qualification documented and refreshed?
  • Review depth. Sentence-level attestation is different from section-level attestation is different from document-level sign-off. The design has to match the intended use and the risk tier.
  • Source access. The reviewer needs one-click access to the specific source passage the AI drew from. If the tool does not surface that link, review is theatre.
  • Time allocated. A CSR narrative reviewed in 15 minutes is not really reviewed. Time expectations should be measured and defended.
  • Override capture. Every reviewer edit is logged, with rationale, so the organisation learns where the model consistently fails.

Automation bias is a real quality risk

The published human-in-the-loop literature is consistent: reviewers who see a plausible AI-generated draft accept more of it than they should. The mitigations are structural, not motivational. Force the reviewer to open the source before signing off. Randomise a small percentage of drafts as intentional negatives to keep review muscle sharp. Report reviewer edit rates as a leading indicator of quality slippage.

A quiet but important design decision is what the reviewer sees first. If the tool presents a polished, well-formatted draft with confident citations, the reviewer’s cognitive bias tilts toward acceptance. If the tool presents the same draft alongside the source passages and any flagged low-confidence sentences, the reviewer’s attention is directed to where errors are most likely. The user interface is not incidental to compliance; it materially shapes the quality of oversight the organisation actually gets.

Second-line review is not optional for high-consequence documents

For documents destined for the eCTD or for direct regulatory correspondence, a single reviewer signing off on an AI-generated draft is a thin control. A defensible design pattern layers a second reviewer, often from a different function (regulatory affairs, medical affairs, biostatistics, safety), whose remit is to check specific risk categories rather than repeat the first-pass review. The intended-use risk assessment should specify which document classes require a second-line review and what that reviewer is specifically accountable for confirming.

What good review design looks like. A leading medical writing platform’s AI Tasks pane logs user feedback and edit rationale at the sentence level, creating a traceable audit trail that supports both immediate quality review and downstream model improvement. That structure — traceable, sentence-level, rationale-bearing — is the design pattern the validation program should require, whether the tool is bought or built.11

Change Control for Underlying Models and Ongoing Monitoring

The single hardest problem in validating a GenAI system is change control for a foundation model that a vendor updates on a schedule the pharma company does not control. Traditional change control assumes discrete releases with defined behavior. Foundation models are updated silently, sometimes with performance improvements, occasionally with regressions on specific tasks. The validation program has to be built to accommodate that reality.

Learn from the PCCP model

The FDA’s 2024 final guidance on Predetermined Change Control Plans for AI-enabled device software provides the most mature regulatory model for planned, bounded change. A PCCP describes the modifications the sponsor plans to make, the protocol for implementing and controlling them, and the impact assessment for those changes. The 2024 final guidance adds recommendations for describing how real-world performance monitoring will be provided to users, at what frequency changes to safety and effectiveness will be monitored, and a roll-back plan to return to a previous version if performance degrades.12

A PCCP applies formally to medical devices, not to a GenAI writing tool used internally. But the underlying pattern — define the changes you expect, define the tests you will run when they happen, define the roll-back plan — is directly transferrable to a pharma company’s internal change control for a GenAI authoring system.

The change events you must be ready for

Change Event Trigger Required Verification
Foundation model version update Vendor release note or API version change Regression run against fixed test set, threshold comparison to prior baseline, quality unit sign-off before release to production
Prompt library edit Change request from process owner Prompt qualification against relevant test set, peer review, controlled release
Retrieval index refresh New source documents ingested or reindexed Retrieval quality tests, sample document draft review, index version log entry
Fine-tuning cycle Scheduled retraining or dataset addition Full qualification test corpus rerun, drift analysis, formal release under change control
New document type onboarding Business need to draft an additional document class New intended use assessment, new test corpus, incremental validation package

Ongoing performance monitoring

Validation does not end at release. The AI Guide is explicit that ongoing monitoring is a lifecycle activity, not a one-time check. Manufacturers of AI-enabled devices are expected to continuously monitor real-world performance by collecting usage data, watching for drift in key performance indicators, and reporting trends.12 The same principle applies to an internal GenAI authoring tool, even though it is not a regulated device. The organisation is still relying on the output to feed regulated processes, and that reliance has to be earned every quarter, not just at go-live.

A GenAI writing tool should be monitored on at least the following:

  • Reviewer edit rate by document class and by prompt.
  • Sentence-level rejection rate and rationale category.
  • Time-to-first-draft and reviewer time-to-sign-off (both leading and lagging indicators).
  • Retrieval hit rate and grounding failure rate.
  • Periodic regression run against the fixed test corpus (at minimum quarterly, and after every underlying model change).

Mapping GenAI Authoring to 21 CFR Part 11

21 CFR Part 11 remains the anchor regulation for electronic records and electronic signatures, and it applies wherever a GenAI system creates, modifies, maintains, archives, retrieves, or transmits an electronic record required by a predicate rule. The threshold question is unchanged. The application is not.13

What Part 11 requires and where GenAI has to earn it

Part 11 Control How GenAI Authoring Has to Meet It
Validation of systems to ensure accuracy, reliability, consistent intended performance GAMP 5 Second Edition Category 5 validation package plus the AI Guide’s lifecycle overlays: intended use, risk assessment, qualification, monitoring
Ability to generate accurate and complete copies of records Draft artifacts, reviewer edits, and final signed record must be reconstructible, including prompt version, model version, and source citations
Audit trails independent of the operator Prompt used, model version, retrieval sources, timestamps, and reviewer actions all captured immutably. Non-determinism means the audit trail must record enough context to explain why the record looks the way it does13
Operational and authority checks Only qualified users can invoke prompts against specific document classes. Only qualified reviewers can sign off. Role-based access enforced at the tool and prompt level
Electronic signatures with authentication The reviewer who signs off is the accountable party. The AI does not sign. Signatures capture the specific record version and the underlying prompt-plus-model-plus-source configuration
Training of personnel Users of the GenAI tool and reviewers of its output must be trained not just on the tool but on its failure modes and the reviewer’s specific accountability

The audit trail problem is the one to solve first

The most common Part 11 gap in GenAI implementations is the audit trail. A traditional audit trail records that a user changed field X from value A to value B at time T. A GenAI audit trail has to record which prompt, which model version, which retrieved passages, which reviewer edits, and which rationale. If a regulator asks in three years why a specific paragraph in a CSR reads the way it reads, the audit trail has to reconstruct the answer without depending on a foundation model that may no longer exist.

Practically, that means the record has to capture immutable snapshots of the inputs that produced each drafted passage: the retrieved source passages, the prompt version, the model identifier, and any relevant configuration parameters (temperature, seed, safety settings). It also means retention policies have to be designed with the understanding that foundation models are ephemeral. A model version referenced in an audit trail may be deprecated by the vendor within twelve to twenty-four months, so the audit trail must record enough context about behavior at the time of use that a future reviewer can understand the record even when the exact model can no longer be re-invoked.

Signature semantics need explicit thought

Part 11 electronic signatures carry legal weight. The reviewer who signs a GenAI-drafted record is attesting that they have reviewed it and that it accurately reflects the source. The organisation should be explicit in its SOPs about what the signature means when the underlying draft was AI-generated: the reviewer is not endorsing the AI, they are endorsing the specific text as fit for the specific use. That distinction matters when a downstream question arises, and it should be spelled out in the training and in the signature manifestation itself.

Validation Deliverables Checklist

The following deliverables constitute a defensible validation package for a GenAI regulatory authoring system. The list is not exhaustive, but a quality unit that can produce every item below to an inspector is in a strong position.

Planning and definition

  • Validation plan — scope, roles, risk approach, deliverables, acceptance criteria.
  • Intended use statement — document classes, source documents, human review model, decisions supported.
  • Risk assessment — model influence, decision consequence, failure modes, mitigating controls, residual risk.
  • Credibility assessment plan — aligned to the FDA seven-step framework for the specific context of use.4
  • Regulatory landscape mapping — traceability to GAMP 5 Second Edition, the ISPE AI Guide, EMA reflection paper, FDA draft guidance, and 21 CFR Part 11.

Design and configuration

  • System architecture description — model, retrieval pipeline, prompt library, review workflow, integrations, data flow.
  • Prompt library register — every prompt with owner, purpose, version, effective date, test coverage.
  • Data curation and grounding specification — which source documents ground which outputs and how quality is maintained.
  • Access control matrix — who can invoke which prompts, who can edit prompts, who can approve output.

Qualification and testing

  • Test corpus manifest — golden, adversarial, boundary, and regression sets, with provenance.
  • Hallucination taxonomy and scoring rubric — categories, thresholds, escalation actions.
  • Prompt qualification reports — one per production prompt.
  • End-to-end qualification report — model plus prompt library plus retrieval plus review workflow, aggregated results, residual risk statement, sign-off.
  • User acceptance evidence — writers and reviewers exercising the system on representative work with documented outcomes.

Operational controls

  • Standard operating procedure for authoring — user instructions, expected review behaviour, escalation.
  • Reviewer qualification and training record — role-specific training, competency assessment, refresher cycle.
  • Change control procedure for AI systems — foundation model updates, prompt edits, retrieval index refresh, fine-tuning, new document types.
  • Audit trail design specification — what is captured, retention, extraction, tamper evidence.
  • Ongoing monitoring plan — metrics, thresholds, review cadence, reporting to quality management review.

Governance and evidence

  • Roles and responsibilities matrix — process owner, system owner, quality unit, IT, vendor.
  • Vendor assessment — model provenance, training data disclosure, security posture, change notification commitments.
  • Periodic review schedule — validated state re-verification cadence, tied to change frequency.
  • Deviation, CAPA, and incident procedure — how model or prompt failures are documented, investigated, and closed.
  • Retirement plan — what happens when the underlying model is deprecated or the tool is decommissioned.

Conclusion

GenAI for regulatory document authoring is neither an emerging technology waiting to be tested, nor a solved problem. It is a validated system waiting to be built the right way. The regulatory frameworks now exist — GAMP 5 Second Edition, the ISPE AI Guide, the FDA and EMA guidances, and the joint FDA-EMA principles — and they converge on a recognisable pattern: define the intended use, size the risk, govern the configuration (including prompts), test the failure modes empirically, design human oversight that actually works, and manage change proportionately across the lifecycle. Organisations that treat their GenAI writing programme as a real Category 5 system with an AI overlay will move faster and defend more easily than those that treat it as an unregulated productivity tool.

The organisations that get this right will not be the ones with the most sophisticated models. They will be the ones with the clearest intended use statements, the best-governed prompt libraries, the most disciplined test corpora, and the most honest human oversight design. Every one of those is a quality and process problem, not a technology problem. The technology is available. The discipline is the differentiator.

Sakara Digital works with pharma and biotech organisations building GxP-compliant AI capability, including validation strategy for GenAI systems used in regulatory writing, clinical operations, and quality. If you are standing up a GenAI authoring programme and want an independent perspective on how to structure the validation package so it holds up under inspection, we are happy to have that conversation.