Why Most AI Governance Frameworks Are the Wrong Fit for Pharma


Most pharmaceutical organizations now have some form of AI governance. On paper, that sounds reassuring. In practice, it often means a policy document, a review committee, a list of approved tools, and a set of principles about transparency, accountability, and responsible use.

That is a start. It is not enough.

The hard truth is that much of what currently passes for AI governance in pharma was not designed for the regulatory environment pharma actually operates in. It was adapted from generic enterprise models built for broad applicability across industries. Those models help organizations think about AI in general terms. They do not, by themselves, create a governance structure that can stand up to the realities of pharmaceutical regulation, regulated data, GxP expectations, inspection readiness, or the growing complexity of overlapping AI-related obligations.

That gap is becoming harder to ignore.

If a regulator asked for evidence of your AI governance program tomorrow, what could you produce immediately? Not a vision statement. Not a slide deck. Not a committee charter. Actual evidence: a complete inventory of AI systems in use, risk classifications aligned with applicable regulations, validation documentation, change control records, monitoring logs, oversight decisions, audit trails, and a defensible explanation of why each system is governed as it is.

In many organizations, the answer is still incomplete. There may be fragments of governance in place, but not a connected architecture. There may be oversight at the tool level, but not at the level of behaviour, use case, or regulatory impact. There may be risk language, but not risk classification that maps to pharmaceutical regulatory categories. There may be intent, but not evidence.

That is the core issue. Pharma does not need a more eloquent AI policy. It needs a governance architecture built for how AI is actually used in a highly regulated industry.

This is not a semantic distinction. It is an operational one. And increasingly, it is a strategic one as well.

The Problem: Governance Looks Complete, but Is Structurally Misaligned

The pattern is understandable. In many pharmaceutical companies, AI entered through data science teams, innovation programs, business functions, and vendor relationships – not through regulatory strategy. Governance followed the same path. It arrived late, was framed as a general risk-management issue, and was often built using generic enterprise AI frameworks.

Those frameworks are not wrong. Accountability, transparency, oversight, explainability, and bias management all matter. But they are too general for the realities of pharmaceutical regulation.

Pharma does not operate in a generic compliance environment. AI may affect regulatory submissions, pharmacovigilance, clinical evidence generation, medical information, promotional review, manufacturing, or quality operations. Each of those areas carries different regulatory consequences. A governance model designed for broad enterprise use will often miss those distinctions.

I had a brilliant conversation with Nuno Valério, the Head of Innovation and Organizational Effectiveness at Merck Group, and one thing he said was the perfect test for pharma AI governance that I cannot stop thinking about.

He described the moment an auditor walks in.

They don’t ask “Show me your AI policy.”

They ask:
“How was this specific AI-assisted decision made on this specific batch, on March 14th at 7:55 PM? Walk me through it. Can you reconstruct the data lineage? Can you show the model version that was running? Can you produce the validation evidence? Can you demonstrate the human decision trail that wraps all of it up?”

That is the real audit.

And most organisations are nowhere near ready for it, and it takes time, and that time is ticking!

Nuno framed it beautifully: the policies, the committees, the risk frameworks, the model registers – these are the visible 20%. Important? Absolutely. But not what an auditor will come for. The other 80% lives in the operational layer. The traceability. The logs. The version control. The documented human oversight baked into actual workflows.

The result is a common but dangerous illusion: governance that looks mature from the outside but is the wrong shape for the environment it must satisfy.

Why Is the Issue Now Urgent

 

The reason this matters so urgently right now is that the regulatory landscape for pharmaceutical AI has changed more in the last eighteen months than in the previous five years combined. What was once a landscape of advisory guidance and emerging principles has become a landscape of mandatory obligation with defined timelines and significant penalties.

The EU AI Act is the most visible element of this shift. High-risk AI obligations under Annex III apply from December 2, 2027, and the Digital Omnibus agreement of May 2026 adjusted timelines without changing the substantive obligations. Annex I obligations for AI embedded in regulated products, including medical devices, apply from August 2028. Non-compliance penalties reach up to €35 million or 7% of global annual turnover.

Before any US-headquartered organization files that away as a European matter, the position needs to be stated plainly: the EU AI Act applies to any AI system placed on the EU market or whose output is used in the EU, regardless of where the deploying organization is headquartered. Commercial operations in Basel, regulatory teams in Dublin, clinical trial sites in Germany, manufacturing in Italy, partnership relationships with European pharma – all of these bring AI systems supporting those operations into scope. US pharma with European operations is in this conversation, whether it recognises that or not.

But the EU AI Act is not the only framework in play, and this is where the governance challenge becomes genuinely complex. The FDA published draft guidance in January 2025 on the use of AI to support regulatory decision-making for drug and biological products, and that guidance is now in finalization.

The EMA adopted its reflection paper on AI in the medicinal product lifecycle in September 2024. The FDA, Health Canada, and MHRA have joint guidance on Good Machine Learning Practice for medical devices with subsequent papers on Predetermined Change Control Plans. GAMP 5 second edition includes specific Appendix D11 provisions on AI and ML systems, and the ISPE published a dedicated 290-page AI guide in July 2025. ISO/IEC 42001, NIST AI RMF, 21 CFR Part 11, ALCOA+, and ICH Q9(R1) all apply with overlapping but unmapped controls.

The critical point that most governance programmes miss is that these frameworks are not pre-aligned to each other. They use different terminology. They have different documentation requirements. They approach risk classification differently. They have different requirements for validation, change control, and audit trails. Building compliant AI governance in pharma means mapping all of them simultaneously to your organization’s actual AI footprint – not selecting the most familiar framework and hoping it covers the gaps the others address.

Five Structural Failures That Repeatedly Undermine Pharma AI Governance

When you look across pharmaceutical organizations, the same governance weaknesses appear again and again. They are rarely obvious internally because each one can look, on the surface, like responsible governance. But under scrutiny, they reveal structural gaps.

1. Governance over tools rather than use cases

As already noted, many organizations approve platforms without fully governing the use cases that sit on top of them. The result is a governance model that tracks software but not actual operational impact.

This becomes especially risky when a tool spreads across departments. One team may use it for low-risk internal productivity. Another may begin using it to support content that touches regulated activity. Without use-case-level controls, governance becomes too blunt to distinguish between them.

2. Risk classification that does not reflect pharma reality

Generic AI risk models tend to classify systems according to broad dimensions such as data sensitivity, financial exposure, reputational harm, or general human impact. Those dimensions matter, but they do not capture the full regulatory logic of pharma.

In pharmaceutical settings, risk is also shaped by function. AI used in pharmacovigilance is not the same as AI used in sales forecasting. AI used in clinical operations is not the same as AI used for internal knowledge search. AI used to support medical information or promotional content is not the same as AI used to assist with coding internal meeting summaries.

The issue is not merely whether a model is technically complex or whether it handles sensitive data. The issue is what regulated process it touches, what decisions it may influence, what records it may affect, and what obligations attach to that context.

A governance model that cannot reflect those distinctions will either under-govern high-risk uses or over-govern low-risk ones. Usually it does both at once.

3. Change control is designed for traditional software, not adaptive behaviour

Traditional change control assumes deliberate modification. A release is proposed, documented, approved, tested, and implemented. That model works reasonably well for static software applications.

AI complicates that assumption.

A model’s behaviour can shift because data inputs change, usage patterns evolve, prompt structures drift, retrieval sources expand, vendors update model versions, or downstream business processes change around the model. In some cases, no one has made a formal local system change, yet the practical behaviour of the system has altered in ways that matter.

This means change control for AI cannot rely only on discrete release events. It also needs monitoring mechanisms capable of detecting behavioural drift, changes in performance, emerging failure modes, and mismatches between approved and actual use.

Without that capability, organizations are left with a dangerous blind spot: systems that appear unchanged in documentation but have changed materially in operation.

4. Documentation that signals intent but cannot prove control

Many organizations have governance documents that read well. They describe policy intent, responsible use principles, review forums, and expected behaviours. They may even define roles and high-level escalation paths.

What they often do not provide is sufficient operational evidence.

Evidence in a regulated environment means documented review decisions, validation records, approved intended use statements, change logs, issue records, monitoring outputs, training completion where relevant, role accountability, and data integrity controls that show who did what, when, and why. It means an organization can do more than say, “We govern AI.” It can show how a specific system was assessed, why a specific control model was chosen, what approvals were given, how performance is reviewed, and what happens when the system behaves unexpectedly.

That is a fundamentally different standard from policy drafting.

The distinction can be put simply: policy explains what should happen. Evidence shows what happened. Pharma governance needs both, but evidence is what carries weight under scrutiny.

5. Governance built as a one-time design exercise

Some organizations treat AI governance as if it were a framework to be designed once and then maintained lightly. That may work for a static topic. It does not work for AI.

The regulatory environment is evolving. Vendor capabilities are changing. Business adoption is accelerating. The use cases themselves are becoming more ambitious. A governance model built eighteen months ago may already rest on assumptions that no longer hold.

This is why pharma AI governance must be treated as a living operating capability. It needs horizon scanning, periodic review, policy revision, control refinement, and a mechanism to reassess risk as both technology and regulation develop. Otherwise, governance freezes while the environment moves around it.

What a Pharma-Ready Governance Architecture Looks Like

If the current shape is wrong, what does the right shape require?

Not more complexity for its own sake. Not a larger committee. Not a thicker policy manual.

What is needed is a governance architecture with the right operating logic.

1. A complete inventory of the AI footprint

Everything starts here.

A serious governance model begins with a documented inventory of AI systems, models, tools, and use cases across the organization. That includes enterprise-approved tools, departmental pilots, embedded AI in third-party software, internally developed models, workflow automations that rely on AI, and unofficial or emergent usage where possible.

The point is not to create a static spreadsheet. The point is to build a living map of where AI exists, what it does, what data it touches, what outputs it generates, who uses it, and what regulated processes it may influence.

For many organizations, this is the first moment of real visibility. It is also where they discover how much shadow or semi-governed AI has already entered the business.

2. A pharma-specific risk classification model

Once the AI footprint is visible, each use case needs to be classified through a lens that reflects pharmaceutical reality.

That means moving beyond generic high, medium, and low labels unless those labels are backed by clear regulatory logic. A useful classification model should consider at least the following:
● Business function and workflow context
● Whether the AI touches GxP-relevant processes
● Whether it affects regulated content or records
● The degree of human review before action
● The nature of the data involved
● Whether the AI supports or influences decision-making
● The jurisdictions in scope
● Third-party dependencies and model update exposure
● Potential alignment to external risk categories, including applicable AI regulations

This is where governance becomes defensible. Instead of saying a tool is medium risk because it feels medium risk, the organization can explain exactly why a use case has a specific control profile.

3. Controls proportionate to risk

Once classification exists, controls should follow accordingly.

This sounds obvious, but it is where many governance models become inefficient or ineffective. If every AI use case is forced through the same review path, the organization creates friction without gaining meaningful control. If high-risk uses receive only lightweight review because they entered through an approved tool, the organization creates exposure without realising it.

A proportionate model distinguishes between categories of use and assigns controls accordingly. High-risk scenarios require strict governance; low-risk scenarios only need lightweight governance that is exempt from the full set of formal verification processes, and the intensity of governance rises as the risk level increases.

The principle is simple: governance should be strict where it needs to be and efficient where it can be.

4. Evidence-grade documentation

In pharma, governance that cannot be evidenced is fragile.

The required documentation will vary by use case, but a mature architecture typically includes:
● Intended use definitions
● Risk assessments and classification rationale
● Validation or fitness-for-use documentation
● Records of approval decisions
● Documentation of human oversight requirements
● Change control and monitoring records
● Issue, deviation, and incident logs where applicable
● Audit trail expectations
● Data handling and record integrity controls
● Retraining or user instruction material where relevant
● Periodic review and retirement criteria

This is not paperwork for its own sake. Documentation is the connective tissue between governance design and operational proof.

5. Operational authority and accountability

Governance cannot be purely advisory.

Someone, or some function, must have the authority to require controls, deny deployment, escalate gaps, and intervene when a use case exceeds the bounds of approved governance. Without that authority, governance becomes a discussion forum rather than a control function.

In strong models, accountability is clear at several levels:
● Business ownership of the use case
● Technical ownership of the system
● Quality or compliance involvement where required
● Governance oversight authority
● Escalation routes for unresolved risk decisions

This is especially important in cross-functional AI deployments, where responsibility can otherwise fragment across digital, IT, legal, procurement, data, compliance, and business teams.

6. Monitoring for actual behaviour, not just approved design

Approval at launch is not enough. AI governance must also ask what happens after deployment.

Are outputs still being reviewed as expected? Is the tool being used outside its approved context? Has performance shifted? Are hallucinations, omissions, bias issues, or workflow workarounds appearing? Has a vendor updated the underlying model? Has the volume or importance of use increased to a level that changes the risk profile?

Monitoring closes the loop between design and reality. Without it, governance remains theoretical.

7. A mechanism for regulatory interpretation

Pharma organizations do not just need controls. They need the capability to interpret evolving obligations and translate them into internal practice.

That means someone has to track regulatory developments, assess which ones matter to the organization’s actual AI footprint, and convert them into changes in classification, documentation, oversight, or operating processes. This function can sit internally, externally, or in a hybrid model, but it has to exist.

Else, the organization is always reacting late.

What Leadership Teams Should Ask Now

For senior leaders, the most useful question is not, “Do we have an AI policy?” It is, “Can we defend our governance architecture under scrutiny?”

A practical leadership review might ask:

1. Do we know where AI is being used across the enterprise?
2. Can we distinguish low-risk productivity use from higher-risk regulated use?
3. Are we governing use cases, or just approving tools?
4. Can we show evidence of classification, oversight, and control?
5. Do we have AI-specific change monitoring, not just software release management?
6. Who has the authority to either halt or escalate the deployment of work related to relevant issues?
7. How to Update Governance Systems as Regulations Evolve?

If leadership cannot answer these questions clearly, the issue is not a lack of intent. It is a structural gap in governance.

Governance as Competitive Advantage

The case for building this architecture is not only a compliance case, though the compliance case alone is compelling given the penalty exposure and the timelines involved. It is also a competitive case.

The organizations that build robust, pharma-specific AI governance in the next twenty-four months are building something that competitors will find genuinely difficult to replicate quickly. Governance capability is not something that can be acquired off the shelf at the point of regulatory pressure. It requires accumulated organizational practice – the documentation standards, the institutional knowledge, the oversight processes, the regulatory relationships – that take time to build and embed.

More immediately, a clear and operational governance architecture removes one of the most significant brakes on AI adoption within pharmaceutical organizations right now. Governance uncertainty – not knowing what’s approved, what oversight is required, what needs to be documented, what the risk is if something goes wrong – slows AI deployment at the functional level regardless of how much strategic commitment exists at the top. A governance framework that gives teams a clear operational picture of what is permitted, what is required, and how to move forward removes that uncertainty and accelerates deployment rather than impeding it.

Conclusion

The pharmaceutical organizations that will lead in AI over the next decade are not simply those that build the most capable AI. They are those that build the most trustworthy AI – systems that regulators, payers, HCPs, and patients can rely on, deployed within governance structures that demonstrate that trustworthiness through operational evidence rather than simply asserting it in a policy document.

Governance is not the overhead of an AI programme. It is the foundation that makes AI deployable at scale, with confidence, in a regulated industry. And in an environment where the regulatory window is now measured in months, the time to build that foundation is now.

 

Found this article interesting?

If an inspector asked you tomorrow to reconstruct one AI-assisted decision — the data lineage, the model version, the validation evidence, the human sign-off — could you?

If the honest answer is “not yet,” that gap won’t close on its own, and December 2027 won’t move again. The Eularis AI Governance Readiness Assessment is a two-week, senior-level engagement that maps your actual AI footprint against your actual regulatory obligations – EU AI Act, FDA, EMA, GAMP 5 and the full overlapping stack – and tells you precisely what needs to be built, in what order. It’s the first step in a defined program that takes you from assessment to a fully operational, board-defensible governance architecture – delivered by a team with 23 years of pharma AI experience and no vendor to sell you.

Book your Readiness Assessment at eularis.com/ai-governance-in-biopharma — before the window is measured in weeks, not months.

For more information, contact Dr Andree Bates abates@eularis.com.

Contact Us

Write you name and email and enquiry and we will get right back to you as soon as we can.