ELSA is coming. Is industry ready?
Part 2 of 3: what it hits. The impact of an AI-speed FDA on submissions, inspections, your validation backlog, and the vendor AI you are accountable for, written for the CIO and the CQO together.
Part 1 traced the asymmetry: the FDA automated faster than the industry it regulates. Part 2 is about where that lands.
An agency that reads at machine speed does not only review faster. It reviews differently, and the difference reaches into your submission queue, your inspection odds, the validation backlog you already carry, and the contracts you signed with vendors whose AI you have never seen. None of this waits on new regulation. It is operating now, and it touches the CIO and the CQO at the same time.
The submission queue moves first
Elsa 4.0 and the HALO data platform landed together in May 2026. The agency has completed its first AI-assisted scientific review pilot, and the work it describes is the work that used to take days now taking minutes. HALO consolidated more than 40 application and submission data sources into one platform, so a reviewer queries across them without re-uploading anything. The clearest hard proof so far sits in tobacco: premarket tobacco application review times have dropped sharply, and the agency now splits a single submission so approved products clear immediately instead of waiting for the slowest item in the batch.
Faster approvals help you, and often they genuinely do. The catch is that a faster reviewer also cross-references faster. Your filing now arrives in a system that already holds your prior submissions, your inspection history, and your adverse-event record, and it can compare all of them in an afternoon. A claim in this submission that does not square with a number in your last one used to be buried by review time. That cover is gone.
One honest caveat on the numbers. The published, concrete reductions are clearest for tobacco applications. For drug and biologic review the agency describes tasks moving from days to minutes rather than a fixed end-to-end percentage, so treat the drug-review speed-up as a direction of travel rather than a settled figure. The direction is not in doubt.
Inspections stopped sampling
The deeper change is not speed, it is scope. A human inspector sampled, because no team could read everything. An AI that reads entire repositories takes the sample away. Compliance commentary now says it plainly: expect inspections to assess full data populations, not the records you chose to present. By late April 2026 the agency had run more than 45 AI-informed one-day assessments, most closing No Action Indicated, some extending beyond a day when investigators found significant observations. The pilot runs across human and animal foods, biologics, medical products, and clinical research, through the end of fiscal year 2026.
The inspection you prepared for was, in practice, a sampling exercise. You readied the records most likely to be pulled. Full-population review reads the rest: the deviation you closed quietly, the audit trail you assumed no one would open, the CAPA that drifted past its due date. The one-day visit is the visible edge of this. The invisible part is the targeting that decided you would get one at all, and that decision was made by a model reading patterns across your whole data trail.
From data integrity to decision integrity
Part 1 named the principle. Here is where it bites. Data integrity asked whether the number was real. Decision integrity asks whether the judgment behind it can be reconstructed. When the regulator's model and your own both shape GxP records, every output carries the same three questions: what was the model asked, what did it answer, and who checked that answer before it became a record an inspector can pull.
In my own work I have taken AI applications in live GxP through health-authority inspection with zero compliance observations. The part that held up under questioning was never the model itself. It was the record around the model: who decided what, on what basis, and where a human signed for the call. That record is what decision integrity protects, and it is what an AI-speed inspection now has the time to examine.
| What the record must answer | Data integrity asked | Decision integrity now asks |
|---|---|---|
| The number | Is it accurate, attributable, contemporaneous? | Was the judgment behind it sound and reconstructable? |
| The model | Not in scope | What was it asked, and what did it answer? |
| The human | Who recorded the value? | Who checked the AI output, and where did they sign? |
| The inspection | Reads a sample of your records | Reads the full population, at machine speed |
The validation backlog you already carry
The asymmetry has a mirror inside your own walls. The agency finished consolidating more than 40 data sources into a single platform. Most of the companies it inspects deferred that same integration for a decade. The validation backlog is the bill for that deferral: legacy systems running on qualifications that predate the way anyone actually uses them, periodic reviews overdue, CSV paperwork that documents a behaviour the team stopped following years ago.
I have run paperless validation across more than 40 sites, taken roughly 6 million paper records a year out of the process, and pulled validation cycle time down by up to 45%. The platform was rarely the hard part. The hard part was facing the backlog honestly enough to decide what still deserved validating and what had quietly become theatre. An AI-speed regulator widens the distance between what you validated on paper and what your systems do in practice. That backlog used to be a slow liability. At the agency's new reading speed it is a fast one.
Your vendors' AI is now your data trail
Look at the AI you did not build. The eQMS that added a summariser, the document system that now drafts deviations, the analytics vendor scoring your complaints. Their AI outputs become your GxP records, and your accountability in front of an inspector. The FDA governs its own third-party AI engagements with contractual safeguards on data use, security, and confidentiality. The same discipline now runs downward to you: do your vendor contracts say what the model was trained on, how it is monitored for drift, and who is liable when it is wrong?
Many supplier agreements were signed before the supplier had an AI feature at all. That gap is the new supplier-oversight problem, and it sits squarely between the CIO who owns the vendor relationship and the CQO who owns the records the vendor's model now writes.
What an AI-accelerated FDA exposes
The regulator's own model can still get things wrong, and the consolidation cuts both ways. On a unified platform, an error in retrieval or synthesis no longer stays inside one query; it can carry across the review pipeline. So the speed exposes a company in two directions at once: your own contradictions become cheap to find, and a model's mistake can land on your calendar as easily as your own can.
What gets exposed, underneath all of it, is contradiction. Anything that does not reconcile across your systems, your submissions, and your audit trails was protected for years by how long a human needed to find it. That protection has ended. The work to remove the contradictions is the same integration and decision-traceability you have been deferring, which is the quiet good news in all of this.
The submission queue
HALO cross-references your filing against every prior submission, inspection, and adverse-event record the agency holds, in an afternoon rather than a quarter.
The inspection shortlist
Full-population risk scoring, not a human's limited sample, decides which sites get the one-day visit and reads the records you did not prepare.
Your vendors' AI
Third-party models in your GxP stack write records you answer for. Contracts written before the AI feature existed are the new oversight gap.
Five questions to sit with before Part 3
- If an inspection now reads your full data population instead of a sample, which records were you quietly counting on no one opening?
- Your validation backlog was a slow liability. At the regulator's new reading speed, how much of it could surface in a single afternoon?
- A vendor's AI drafted a deviation that became a GxP record. If an inspector asks how that output was checked, can anyone in the room answer?
- Faster approvals help you and faster cross-referencing helps them. Does every claim in your next submission reconcile with the last one you filed?
- When the regulator's model and yours disagree about your own data, whose version is on the record, and who can reconstruct the judgment behind it?
Where this leaves us
Part 2 is the impact: submissions read in context, inspections that no longer sample, a validation backlog that turned from slow to fast, and vendor AI you are accountable for but did not build. Part 3 is the preparation plan, the moves a CIO and a CQO can make together over the next two quarters to close the gap.
The honest reading of June 2026 is that none of this needs a new rule to reach you. It is already running. Readiness is buildable, and most of the work is the data coherence and decision-traceability you have been putting off anyway. The firms that started early are not calmer because they are braver. They are calmer because their records already reconcile.
Sachin Bhandari advises pharma, biotech, medical device and CDMO organisations on AI in GxP, the CSV to CSA evolution and digital validation at enterprise scale. He is a draft reviewer for EU GMP Annex 22 (AI) and sits on the Global GAMP Steering Committee. If Elsa is live for your programme, start with AI in GxP governance and the frameworks.
Find what an AI-speed regulator would find first.
A focused 30 minutes on your own data trail and validation backlog, no obligation. Bring your hardest question.
Request a conversation