Most pharma AI initiatives do not fail because the technology does not work. They fail because no one can clearly answer a much more basic question: Who owns it? The proof of concept runs. The use case is compelling. The model performs as expected. And then progress slows to a crawl. QA waits for a validation strategy. IT waits for stable requirements. The business waits for someone to make a decision. By the time ownership is clarified, momentum is gone and the organization quietly returns to familiar, manual ways of working.
This happens far too often, and under the new regulatory framework, the consequences will become harder to ignore. EU GMP Annex 22 makes one thing very clear: AI governance in pharma is inherently cross-functional. It cannot sit with a single department, be handed off to a vendor, or be treated as a compliance exercise completed at the end of a project.
In regulated environments, AI requires business, QA, and IT to work together from the earliest discussions about intended use all the way through to decommissioning. That represents a significant organizational shift, and many leadership teams still underestimate its impact.
What Annex 22 says about accountability
Annex 22 is unusually explicit about accountability. Responsibility for intended use sits with the process Subject Matter Expert: the person who understands the business process the AI supports. That individual defines the intended use, expected accuracy, and acceptance criteria. It is not a responsibility that can be transferred to QA or outsourced to a vendor.
The regulation is equally clear that accountability always remains with the regulated organization. A cloud-based deployment does not change that. Neither does a vendor-built model or an AI capability embedded in third-party software. Companies must still be able to explain, document, and defend the system using their own evidence and governance processes.
Across Annex 22, four principles appear consistently:
- Qualified people with named, documented responsibilities
- A white‑box understanding of the model’s behavior, not just its outputs
- Risk management proportionate to actual GxP risk, aligned with ICH Q9
- Accountability that stays with the regulated organization, not with suppliers
None of these can be achieved by a single function operating alone.
Why single-function ownership fails
Many organizations still try to assign AI ownership to one department. In practice, that creates blind spots.
When QA owns AI in isolation, governance often becomes documentation-heavy while losing touch with technical reality. QA can define compliance expectations, but usually lacks the depth to assess model architecture, data pipelines, or integration risks with ERP, MES, or LIMS platforms. The outcome is a well-documented solution that may never have been designed correctly in the first place.
When IT owns AI alone, validation is frequently treated as a final project milestone instead of an ongoing lifecycle responsibility. The system works technically, but validation only begins afterward. In GMP environments, retrospective validation is not acceptable. Without business and QA involvement from the start, intended use remains vague, acceptance criteria are weak, and auditability suffers.
When the business drives AI initiatives without QA and IT, implementation moves quickly but controls remain thin. Change management feels like bureaucracy, audit trail requirements are overlooked, and monitoring becomes inconsistent. When issues eventually arise, the organization struggles to reconstruct what happened and why.
Each function brings a critical perspective. Remove one, and governance gaps appear. In regulated environments, those are exactly the gaps inspectors focus on.
What the triad looks like in practice
A cross-functional model is not a steering committee that reviews updates once a month. It is business, QA, and IT working together from day one.
Business defines the process and expected outcomes. What decision is the AI supporting? What level of performance is acceptable? Which decisions must remain under human judgment?
QA defines the compliance framework. Which steps are GxP-critical? Where are human review gates required? What needs to be captured in the audit trail? What does validation mean for this use case?
IT designs the architecture that keeps the system controllable and defensible. Which steps must remain deterministic? Where can AI safely assist? How are logging, monitoring, access control, and failure handling managed?
The overlap between these functions matters as much as the handoffs. Intended use cannot be finalized without business and QA aligned. Validation scope cannot be defined without QA and IT working together. Architecture decisions fail when IT lacks a deep understanding of the process itself.
The hybrid competence gap
This model also exposes a challenge many organizations are only beginning to recognize: the shortage of people who can work across disciplines. Pharma companies need QA professionals who understand AI validation requirements, IT architects who can speak fluently about GxP risk, and business leaders who understand why human oversight cannot simply be removed for efficiency. These profiles are still rare.
Without hybrid competence, teams often talk past one another. Each function produces documentation that satisfies its own requirements, but the pieces never connect into a coherent governance model. Closing that gap takes time. It requires cross-functional training, rotational experience, and deliberate collaboration between regulatory, technical, and business teams. There is no shortcut around it.
Five questions for your leadership team
Before selecting technology or vendors, leadership teams should be able to answer five core questions:
- Who owns the intended use definition?
This is a named individual, not a project team. That person is accountable if an inspector asks why the AI was deployed for this specific purpose.
- Who is accountable for the validation lifecycle?
A named person within your organization, someone who will own validation maintenance, performance monitoring, change control, and eventual decommissioning. This cannot sit with your vendor.
- Where are the human decision gates?
For every GxP-critical workflow, there must be a documented point where a qualified person reviews, decides, and signs off. Who is that person, what exactly are they approving, and what rationale are they required to document?
- How will changes to the AI system be controlled?
Model updates, configuration changes, data source changes, all of it needs to go through change control and trigger a revalidation assessment. Is that process designed and operational?
- What is your retirement plan?
Validation is a lifecycle commitment. What happens when the model is no longer fit for purpose? What's the decommissioning process? How is the transition managed? These questions need answers before go-live.
One more thing: stay technology-agnostic
One of the most important lessons from Annex 22 and from practice is this: the process and the intended use come first. The model or the vendor comes second. AI is the enabler, not the foundation. Organizations that lock themselves prematurely into a single vendor or model architecture risk building governance structures that depend on that vendor’s roadmap rather than regulatory expectations. Technology will evolve. Governance must be able to evolve with it.
The GxP AI Readiness Checklist was built around exactly the kind of cross‑functional questions the triad must answer together. It covers governance, validation, human‑in‑the‑loop controls, auditability, data quality, cybersecurity, and lifecycle management across 50 structured questions.