Governance Overview Pillars Substrate History · Evolution Current 2026 Future 2026-2035 AI lens Flow Players & stakeholders Signals
Library/Governance · Quality · QMS · Compliance/Players · stakeholders
chapter 08 · who runs the field

Players & stakeholders: governance.

Eight regulatory triggers that demand documented governance · five player categories that run the field · ten stakeholder roles with interest and leverage. Reading the politics of a QMS correctly means knowing whose lever fires when the inspection arrives.

/ 01

The eight regulatory governance triggers.

What activates the QMS surface for inspection

Governance is not a research activity. It is a regulatory activity triggered by specific findings, certifications, and effectiveness checks. The trigger determines the scope, the timeline, and the inspection regime that will eventually look at the response.

FDA · FMD-145 classification

OAI / VAI / NAI inspection findings.

Official Action Indicated, Voluntary Action Indicated, No Action Indicated. The classification of a closed FDA inspection. OAI triggers Warning Letter / Consent Decree pathway. VAI triggers commitment letter, follow-up inspection. NAI closes the file. The classification drives sponsor risk score for next inspection cadence.

EMA · non-compliance database

EMA non-compliance reports.

EMA EU compliance database publishes GMP non-compliance reports. National competent authority issues; EMA publishes. Triggers MAH (Marketing Authorisation Holder) supplier-control re-evaluation. Visible to all EU regulators · a sponsor cannot quietly remediate.

MHRA GxP DI · 2018

MHRA GxP DI inspection.

MHRA GxP Data Integrity guideline (March 2018, refreshed pattern). A widely used DI reference for GxP inspection readiness. ALCOA+ gives a practical evidence lens. Audit-trail review SOPs and recent-period reviews remain common review surfaces. Findings flow into MHRA compliance escalation pathway.

EU AI Act · Reg 2024/1689

EU AI Act conformity assessments.

High-risk AI conformity assessment under Annex III (eff. 2 Aug 2026) and Annex I (eff. 2 Aug 2027). Notified-body issued. Non-conformity becomes a market-access blocker for the relevant AI surface. Spillover into pharma supplier-control review by FDA from 2028.

ICH Q9(R1) · Step 4 Jan 2023

ICH Q9(R1) implementation.

Quality Risk Management revision, Step 4 endorsed January 2023. Adopted by EMA, FDA, PMDA, MHRA. Risk-based decision-making, formality-of-risk-management, subjectivity in risk assessment all explicit. Inspector posture: where is your risk register, when was it last refreshed, who reviews it.

ISO/IEC 42001 · Dec 2023

ISO 42001 certification audits.

AI Management System standard. Independent certification by UKAS- / ANAB-accredited bodies. Annual surveillance + 3-yearly recertification. Becomes the AI 9001 over 2026-2030. Pharma sponsors begin demanding it of AI vendors as a procurement gate.

IRB / IEC · clinical governance

IRB / IEC findings.

Institutional Review Board / Independent Ethics Committee findings on protocol adherence, informed consent, risk-benefit re-evaluation. ICH E6(R3) Step 4 (6 January 2025) refreshed expectations. Findings become a sponsor governance trigger for protocol amendment, root-cause investigation, CAPA.

ICH Q10 · §3.2.4

CAPA effectiveness verification.

The under-cited governance trigger. Effectiveness review reveals that a closed CAPA did not prevent recurrence. Re-opens the CAPA, re-engages the regulator file, can escalate a single deviation into systemic-failure citation. Inspector posture sharpening 2024-2026.

/ 02

The five player categories.

QA / RegOps · auditors · regulators · tech · standards

The governance ecosystem has five player categories. Sponsors set the strategy and pay; auditors and notified bodies execute the verification; regulators define the surface; GxP technology vendors own the QMS operating layer; standards bodies write the rules of the road.

QA & RegOps · sponsor-side functions
In-house QA (Quality Assurance) and RegOps (Regulatory Operations) functions. Quality Director, Compliance Officer, RegOps Lead, Validation Lead, Document-Control Manager, CAPA owner. Drive QMS strategy, write SOPs, run internal audits, host external inspections. Career path increasingly cross-trained across pharma, devices, AI under QMSR + EU AI Act.
Third-party auditors & notified bodies
BSI · TUV SUD · TUV Rheinland · DEKRA · DNV · SGS · Intertek · NSF. ISO 9001, ISO 13485, ISO/IEC 27001, ISO/IEC 42001, EU MDR / IVDR conformity assessment. Annual surveillance + 3-yearly recertification cadence. UKAS / ANAB / IAF accredited. Notified-body capacity for EU AI Act high-risk conformity should be monitored as the conformity-assessment ecosystem matures.
Regulators
FDA (CDER, CDRH, CBER, OGD, ORA, OAI/VAI/NAI classification, FDA Form 482 / 483 / Warning Letter / Consent Decree pathway) · EMA + national authorities (BfArM, AIFA, ANSM, MEB, AEMPS, HPRA) · MHRA (UK) · PMDA (Japan) · ANVISA (Brazil, RDC 658/2022) · NMPA (China) · CDSCO (India) · WHO PQT. AI-specific functions: FDA CDRH Digital Health Center of Excellence, EMA AI Working Group, MHRA AI Airlock.
GxP technology vendors
Veeva Vault QMS (formerly leading) · MasterControl · Sparta TrackWise Digital · ETQ Reliance · Dot Compliance · ComplianceQuest. Document control, deviation, CAPA, audit-management, training, supplier-quality. 21 CFR Part 11 compliance core capability. ISO 42001 certification programme spreading across vendor base 2025-2027. Validation eDoc systems also: ValGenesis · Kneat.
Standards bodies
ICH (International Council for Harmonisation · Q-series quality, E-series clinical, M-series multidisciplinary) · ISO (9001 quality, 13485 medical device, 14971 risk, 27001 infosec, 42001 AI, 23894 AI risk) · ASTM (E2500 specification & verification, E2898 risk-based qualification, F2503 implants) · USP (US Pharmacopeia · general chapters <1058> equipment qualification, <1224> transfer of analytical procedures) · NIST (AI Risk Management Framework, post-2023 generative AI profile).
/ 03

The ten stakeholder roles · interest & leverage.

Who decides · who pays · who is liable

Each stakeholder has a distinct interest and a distinct lever. Reading the politics of a QMS programme correctly means knowing whose lever fires when the inspection arrives, when the 483 lands, when the EU AI Act conformity assessment fails.

Sponsor QA director
InterestQMS effectiveness · inspection-readiness · CAPA closure rate
LeverageSOP authority · budget allocation across QMS modules · gatekeeper for batch release / submission sign-off
Sponsor compliance officer
Interestregulatory horizon scanning · gap analysis against new texts · non-compliance-cost avoidance
Leverageescalation to executive committee · CAPA scope expansion authority · supplier de-listing
Regulator inspector
Interestdata integrity · CAPA effectiveness · supplier-control rigour · risk-based thinking evidence
LeverageFDA Form 483 issuance · classification (OAI/VAI/NAI) · Warning Letter recommendation · inspection-cadence escalation
Notified-body / third-party auditor
Interestconformity-assessment integrity · surveillance-audit completeness · certification-body accreditation defence
Leveragecertificate suspension / withdrawal · significant nonconformity issuance · market-access blocking under EU MDR / IVDR / AI Act
IT · validation lead
Interestsystem-validation status · 21 CFR Part 11 audit-trail integrity · data-integrity tooling
LeverageCSV / CSA gating of system go-live · access-control approval · PCCP approval for AI / ML model updates
Sponsor executive committee
Interestregulatory liability cap · reputational risk · market-access protection · share-price exposure to Warning Letter
Leverageresource allocation · QMS function structure · consent-decree negotiation · M&A diligence on QMS
CRO / contract operations
InterestSOP standardisation across sponsors · inspection-readiness as a service · multi-sponsor audit-trail integrity
Leveragecapacity allocation · sponsor de-prioritisation · data-integrity escalation back to sponsor QA
GxP technology vendor
InterestQMS vendor consolidation · ISO 42001 certification · PCCP-ready model-update lifecycle support
Leveragerelease-cadence control · integration-roadmap influence · pricing power on QMS modules
Standards body delegate
Interestharmonisation across regions · relevance retention · stakeholder consultation legitimacy
Leverageguideline drafting authority · consultation-period agenda · ICH / ISO publication pathway
Patient · end user
Interestmedicinal-product safety · data-integrity in post-market surveillance · AI-decision transparency
Leverageindirect · via patient-advocacy organisations, ethics committees, EU AI Act fundamental-rights impact assessment, patient-reported outcomes feeding pharmacovigilance
/ 04

How the politics actually plays out.

Six recurring scenarios

The interests and levers above are abstract until they collide in a real scenario. Six patterns recur across 2020-2026 sponsor experience.

Scenario 01

483 lands · QA vs exec.

QA wants comprehensive CAPA, multi-month timeline, root-cause depth. Executive wants narrow remediation, fast close-out, share-price defence. The 15-business-day response window forces alignment within days. Leverage shifts to QA when classification drifts toward OAI.

Scenario 02

Notified-body finding on AI vendor.

Vendor's ISO 42001 surveillance audit raises a significant nonconformity. Sponsor QA may need to decide: replace the vendor (high cost), accept the risk (audit-trail-able), or negotiate a CAPA into the vendor's roadmap (slow). Compliance officer's lever: supplier-control SOP escalation to executive risk committee.

Scenario 03

CAPA effectiveness fails.

30-day effectiveness review shows recurrence. CAPA owner wants to re-open quietly. QA director under inspector spotlight wants to escalate. Inspector lever: cite the failed effectiveness review as separate 483, escalating systemic-failure pattern.

Scenario 04

Vendor release contains AI change.

GxP vendor pushes a release with embedded AI-feature update. The validation lead may not have a pre-agreed change pathway for the release. QA may need to decide whether to roll back (operational disruption) or accept (validation gap citation risk). The standing fix: contractual pre-notification under supplier-control SOP.

Scenario 05

EU AI Act conformity blocks launch.

Notified body identifies non-conformity in conformity-assessment file pre-launch. Marketing wants to go ahead with mitigations; compliance officer cites EU AI Act Art 16 obligations. Leverage with compliance because non-conformity is statutory, not negotiable.

Scenario 06

Post-market signal · pharmacovigilance + AI.

Pharmacovigilance signal from real-world data possibly attributable to an AI-driven decision-support component. Pharmacovigilance physician, AI vendor, sponsor QA, regulator EMA AI Working Group all engage simultaneously. The most multi-stakeholder governance scenario in the 2026 landscape. Leverage diffuse; speed of response is the differentiator.

/ S

Source register.

official anchors · interpretation separated
FDA / QMSR

QMSR final rule.

Federal Register final rule amending the Quality System Regulation; effective date and FDA-specific overlays should be read from the rule text.
eCFR

21 CFR Part 820.

Current legal text for FDA device quality-system requirements; use this as the live clause anchor for QMSR references.
ICH

Q9(R1) quality risk management.

Step 4 guideline for quality-risk-management concepts, subjectivity, formality, and knowledge management.
ICH

Q10 pharmaceutical quality system.

Pharmaceutical quality-system reference for management responsibility, lifecycle quality, CAPA, and continual improvement.
ICH

Q12 lifecycle management.

Step 4 guideline for established conditions, post-approval change management, and product lifecycle management.
eCFR

21 CFR Part 11.

Electronic records and electronic signatures rule; use with predicate-rule context and FDA scope guidance.
FDA

Data integrity Q&A.

FDA questions-and-answers guidance on data integrity and CGMP; useful for ALCOA+ and audit-trail interpretation.
European Commission

EudraLex Volume 4.

Official EU GMP page for Annex 11 and related GMP annexes; AI-specific GMP claims should be checked here before publication.
EUR-Lex

EU AI Act.

Regulation (EU) 2024/1689 official text; used for AI Act timing, high-risk system references, and governance boundaries.
ISO

ISO/IEC 42001.

AI management-system standard landing page. Full standard text is paid; public iFeed content should not quote unavailable clauses.
FDA

Computer Software Assurance.

FDA guidance PDF for production and quality-system software; useful for CSA and CSV evidence-readiness discussion.
ISPE

GAMP 5, second edition.

Industry guidance landing page. Treat as implementation guidance, not a regulation; full guide access is controlled by ISPE.