Most pharma AI initiatives do not fail because the technology does not work. They fail because no one can clearly answer a much more basic question: Who owns it? The proof of concept runs. The use case is compelling. The model performs as expected. And then progress slows to a crawl. QA waits for a validation strategy. IT waits for stable requirements. The business waits for someone to make a decision. By the time ownership is clarified, momentum is gone and the organization quietly returns to familiar, manual ways of working.
This happens far too often, and under the new regulatory framework, the consequences will become harder to ignore. EU GMP Annex 22 makes one thing very clear: AI governance in pharma is inherently cross-functional. It cannot sit with a single department, be handed off to a vendor, or be treated as a compliance exercise completed at the end of a project.
In regulated environments, AI requires business, QA, and IT to work together from the earliest discussions about intended use all the way through to decommissioning. That represents a significant organizational shift, and many leadership teams still underestimate its impact.
Annex 22 is unusually explicit about accountability. Responsibility for intended use sits with the process Subject Matter Expert: the person who understands the business process the AI supports. That individual defines the intended use, expected accuracy, and acceptance criteria. It is not a responsibility that can be transferred to QA or outsourced to a vendor.
The regulation is equally clear that accountability always remains with the regulated organization. A cloud-based deployment does not change that. Neither does a vendor-built model or an AI capability embedded in third-party software. Companies must still be able to explain, document, and defend the system using their own evidence and governance processes.
Across Annex 22, four principles appear consistently:
Qualified people with named, documented responsibilities
None of these can can be achieved by a single function operating alone.
Many organizations still try to assign AI ownership to one department. In practice, that creates blind spots.
When QA owns AI in isolation, governance often becomes documentation-heavy while losing touch with technical reality. QA can define compliance expectations, but usually lacks the depth to assess model architecture, data pipelines, or integration risks with ERP, MES, or LIMS platforms. The outcome is a well-documented solution that may never have been designed correctly in the first place.
When IT owns AI alone, validation is frequently treated as a final project milestone instead of an ongoing lifecycle responsibility. The system works technically, but validation only begins afterward. In GMP environments, retrospective validation is not acceptable. Without business and QA involvement from the start, intended use remains vague, acceptance criteria are weak, and auditability suffers.
When the business drives AI initiatives without QA and IT, implementation moves quickly but controls remain thin. Change management feels like bureaucracy, audit trail requirements are overlooked, and monitoring becomes inconsistent. When issues eventually arise, the organization struggles to reconstruct what happened and why.
Each function brings a critical perspective. Remove one, and governance gaps appear. In regulated environments, those are exactly the gaps inspectors focus on.
A cross-functional model is not a steering committee that reviews updates once a month. It is business, QA, and IT working together from day one.
Business defines the process and expected outcomes. What decision is the AI supporting? What level of performance is acceptable? Which decisions must remain under human judgment?
QA defines the compliance framework. Which steps are GxP-critical? Where are human review gates required? What needs to be captured in the audit trail? What does validation mean for this use case?
IT designs the architecture that keeps the system controllable and defensible. Which steps must remain deterministic? Where can AI safely assist? How are logging, monitoring, access control, and failure handling managed?
The overlap between these functions matters as much as the handoffs. Intended use cannot be finalized without business and QA aligned. Validation scope cannot be defined without QA and IT working together. Architecture decisions fail when IT lacks a deep understanding of the process itself.
This model also exposes a challenge many organizations are only beginning to recognize: the shortage of people who can work across disciplines. Pharma companies need QA professionals who understand AI validation requirements, IT architects who can speak fluently about GxP risk, and business leaders who understand why human oversight cannot simply be removed for efficiency. These profiles are still rare.
Without hybrid competence, teams often talk past one another. Each function produces documentation that satisfies its own requirements, but the pieces never connect into a coherent governance model. Closing that gap takes time. It requires cross-functional training, rotational experience, and deliberate collaboration between regulatory, technical, and business teams. There is no shortcut around it.
Before selecting technology or vendors, leadership teams should be able to answer five core questions:
One of the most important lessons from Annex 22 and from practice is this: the process and the intended use come first. The model or the vendor comes second. AI is the enabler, not the foundation. Organizations that lock themselves prematurely into a single vendor or model architecture risk building governance structures that depend on that vendor’s roadmap rather than regulatory expectations. Technology will evolve. Governance must be able to evolve with it.
The GxP AI Readiness Checklist was built around exactly the kind of cross‑functional questions the
triad must answer together. It covers governance, validation, human‑in‑the‑loop controls, auditability, data quality, cybersecurity, and lifecycle management across 50 structured questions.
Download the GxP AI Readiness Checklist