info@trustbridge-compliance.com
Home / Thinking / Foresight
Pharma technology foresight · July 2026 · Sachin Bhandari

ELSA is coming. Is industry ready?

Part 3 of 3: how to prepare. The six moves a CIO and a CQO make together over the next two quarters to be ready for an AI-accelerated FDA.

Readiness is buildable, and most of it is the data coherence and decision traceability you already owed. Two quarters of unglamorous work, done together by IT and quality, close most of the gap.

Part 1 named the asymmetry: the FDA automated faster than the industry it regulates. Part 2 showed where that lands, on your submissions, your inspections, your validation backlog, and the vendor AI you answer for. Part 3 is the plan, and the reassuring part is that it fits inside two quarters.

I will be plain about the good news first, because it is the point of the whole series. Almost none of this asks you to buy a new platform or write a new policy stack. The work that makes you ready for an AI-speed regulator is the same integration, reconciliation, and decision-traceability you have been putting off anyway. An AI-accelerated FDA just moved the deadline forward and made the gap cheap to find. The firms that feel calm about Elsa are the ones whose records already reconcile.

One honest note on timing. As of early July 2026 the picture is the one Part 2 described: Elsa 4.0 and the HALO platform live since May, the AI-informed one-day inspection pilot running through the end of the agency's fiscal year, and EU GMP Annex 22 still a draft, with its final text expected later in 2026. No new rule has landed since. So this is a plan built entirely on what is already operating.

The frame: two quarters, two owners, one backlog

This work sits on the seam between IT and quality, so it belongs to both leaders at once. Every move below has a named owner and a named partner, because the exposure lives exactly on that seam: the CIO owns the systems, the CQO owns the records those systems write. When the seam is loose, the vendor AI writing your deviations, the submission that does not square with the last one, and the periodic review nobody finished all fall straight through it.

Split the work into two 90-day quarters. The first quarter is about finding and stabilising: know what you have, make it reconcile, and record the decisions behind it. The second is about hardening and proving: govern the models, fix the supplier gap, clear the backlog, and rehearse the inspection you can now expect.

Today Quarter 1 Find and stabilise Register · reconcile · decision record Quarter 2 Harden and prove Models · suppliers · backlog · dry run Ready
Figure 1. Two 90-day quarters. The first quarter earns the second: you cannot harden and prove what you have not yet found and made reconcile.

Quarter 1: find and stabilise

Move 1. Build the AI register, yours and your vendors'. You cannot govern a list you have never written down. Start with a single inventory of every AI touchpoint that reaches a GxP record: the models you built, and the ones that arrived quietly inside tools you already licensed. The summariser added to the eQMS, the document system that now drafts deviations, the analytics vendor scoring your complaints. For each one, capture what it does, what GxP record it touches, whether it is static or learning, and who signs for its output. This is the foundation of the AI Governance Stack, and in my experience it is the single most revealing week of the whole plan, because most teams find AI in their record trail that no one formally owns. The CIO leads it because IT holds the system map. The CQO co-signs because quality owns the records those systems write.

Move 2. Run the reconciliation pass the agency now runs. HALO cross-references your filing against every prior submission, inspection, and adverse-event record the FDA holds. The one internal exercise that matters most is to run the same check on yourself before the regulator does. Does this submission's numbers square with the last one you filed? Does your registered scope match how the site actually operates? The agency has said plainly that its risk targeting looks for exactly this, the discrepancies between registered and actual operations, so the cheapest thing you can do is close those gaps while they are still yours to close. This one belongs to both of you, because the contradictions live half in the data IT manages and half in the records quality controls.

Move 3. Build the decision-integrity record for every AI-touched output. Data integrity asked whether the number was real. Decision integrity asks whether the judgment behind it can be reconstructed. For each AI output that becomes a GxP record, you want a record that answers four questions without anyone in the room having to improvise: what was the model asked, what did it answer, who checked that answer, and where did a human sign for the call. This is also where you apply the Annex 22 line while it is still a draft worth heeding: static, deterministic models can sit in critical processes, while learning and generative models belong in non-critical use with documented human oversight. So the register from Move 1 splits in two here, the static models you can lock and the learning ones you must watch. The CQO leads this, because it is a quality record at heart, and it is the exact record that held up when I took AI applications in live GxP through health-authority inspection with zero compliance observations. The inspector pressed on the record around the model, never the model itself.

Asked What was the model asked? Answered What did it answer? Checked Who reviewed it? Signed Where did a human own it? The four links an inspector can now follow, at machine speed, on every AI-touched record.
Figure 2. The decision-integrity record. If any link is missing, the output is an orphan the moment an inspector reads the population it lives in.

Move 3 is where your register from Move 1 splits in two. The Annex 22 draft draws the line most people need, and it is worth heeding now while it is still a draft.

Model typeExamplesWhere it can sitOversight
Static / deterministicFixed-rule engines, locked models, validated calculatorsCritical GxP processes, once qualifiedLock it, version it, requalify on change
Learning / generativeLLM summarisers, drift-prone scorers, generative drafting toolsNon-critical use, with documented human oversightWatch for drift, keep the human sign-off

Those three moves are the priority. If your next quarter buys you nothing else, buy the register, the reconciliation pass, and the decision record, because they are the cheapest to start and they sit directly on the exposure Part 2 described. Everything in Quarter 2 gets easier once these are in place.

Quarter 2: harden and prove

Move 4. Rewrite the supplier questions. Many of your vendor agreements were signed before the vendor had an AI feature at all, and that gap is now your oversight problem. Turn it into a short, firm questionnaire and a contract addendum: what was the model trained on, how is it monitored for drift, how will you be told when it changes, who is liable when it is wrong, and can your quality team get audit access to how it works. The FDA governs its own third-party AI with contractual safeguards on data use and confidentiality, and the same discipline now runs downward to you. The CIO leads because IT owns the vendor relationship. The CQO sets the acceptance bar, because quality owns the records the vendor's model writes.

Move 5. Face the validation backlog and retire the theatre. The backlog is the bill for a decade of deferred integration, and an AI-speed regulator widens the distance between what you validated on paper and what your systems actually do. Work it with risk-based CSA rather than by re-testing everything, which is what my DRIVE approach exists for, and lean on the Enterprise Paperless Validation framework so the evidence is current and queryable rather than sitting in a binder. The honest half of this move is deciding what has quietly become theatre and stopping it, so the effort lands on the systems that genuinely carry risk. I have run this across more than 40 sites, and the platform was rarely the hard part. Facing the backlog honestly was. Both of you own this, because the backlog is half legacy systems and half legacy records.

Move 6. Run a one-day inspection on yourselves. The pilot the FDA is running, 46 AI-informed one-day assessments by late April and most of them closing with no action, is exactly the exercise to rehearse. Pick a site, take away your own ability to choose the sample, and read the full population against the clock the way the agency now can. Score it with an honest instrument rather than a hopeful one. This is what our AI in GxP Readiness Index and CSA Maturity Index are built for, and you can start with the free versions before anyone brings in help. The point is to find what the regulator's model would surface first, while it is still a finding you can fix rather than one you have to explain. Both owners in the room, because a real inspection puts them both in the room anyway.

Quarter 1Find and stabilise
1. Build the AI register
Every touchpoint that reaches a GxP record, yours and your vendors'. Static or learning, and who signs.
CIO leads · CQO co-signs
2. Run the reconciliation pass
Square this submission with the last, and registered scope with actual operations, before HALO does.
CIO + CQO
3. Build the decision-integrity record
Asked, answered, checked, signed, on every AI-touched output. Lock the static models, watch the learning ones.
CQO leads
Quarter 2Harden and prove
4. Rewrite the supplier questions
Training data, drift monitoring, change notice, liability, audit access. Questionnaire plus contract addendum.
CIO leads · CQO sets the bar
5. Face the validation backlog
Risk-based CSA through DRIVE, evidence through Enterprise Paperless Validation. Re-qualify what carries risk, retire the theatre.
CIO + CQO
6. Run a one-day inspection on yourselves
Full-population read against the clock. Score with the Readiness Index and CSA Maturity Index.
CIO + CQO

The plan at a glance

#MoveQuarterWhat it producesOwner
1Build the AI registerQ1 · FindOne inventory of every AI touchpoint that reaches a GxP recordCIO leads, CQO co-signs
2Run the reconciliation passQ1 · FindSubmissions and registered scope squared against your own recordsCIO + CQO
3Build the decision-integrity recordQ1 · FindAsked, answered, checked, signed on every AI-touched outputCQO leads
4Rewrite the supplier questionsQ2 · ProveA drift-and-liability questionnaire plus a contract addendumCIO leads, CQO sets the bar
5Face the validation backlogQ2 · ProveRisk-based CSA evidence that is current and queryable, theatre retiredCIO + CQO
6Run a one-day inspection on yourselvesQ2 · ProveAn honest score of where you really stand before the agency arrivesCIO + CQO
2
Quarters of focused work close most of the readiness gap
46
AI-informed one-day assessments by late April 2026, most closing no action
40+
Data sources HALO already consolidated into one queryable platform
Late 26
Annex 22 (AI) final text expected, phased enforcement to follow
The plan is the coherence work you already owed, done in the order that removes your exposure fastest.

What the plan buys you

Run these six moves and the payoff runs well past compliance. The register gives you an AI inventory you can actually govern. The reconciliation pass turns your own contradictions into fixes instead of findings. The decision record makes every AI output defensible in front of a board and an inspector alike. The supplier work closes the gap you did not create but still answer for. The backlog stops being a slow liability, and the self-inspection tells you where you really stand rather than where you hope you do. Each one makes the CIO and the CQO look good to the people they answer to, which is the quiet test of whether a compliance move was worth making.

None of it is glamorous. Registers, reconciliations, and decision logs never are. That is precisely why they were deferred, and precisely why an AI-speed regulator now rewards the firms that stopped deferring them.

Do first 01

The register

One inventory of every AI touchpoint that reaches a GxP record. You cannot govern what you have not listed, and most teams find models no one owns.

Do first 02

The reconciliation pass

Square your submissions and your registered scope against your own records before HALO does it for you. The cheapest afternoon you will spend all year.

Do first 03

The decision record

Asked, answered, checked, signed, on every AI-touched output. This is the record that holds up when the inspection finally reaches the layer above the raw data.

The five questions to answer together by the end of two quarters

  1. Can you produce, in one afternoon, a complete list of every AI touchpoint in your GxP record trail, including the ones that arrived inside a vendor's product?
  2. If the agency cross-references your next submission against your last one, does every claim reconcile, and does your registered scope match how the site actually runs?
  3. For any AI output that became a GxP record, can someone in the room show what the model was asked, what it answered, who checked it, and where a human signed?
  4. Do your vendor contracts now say what the model was trained on, how drift is monitored, and who is liable when it is wrong?
  5. When did you last read your own full data population the way an AI-targeted inspection would, and what did it find that you would rather fix than explain?

Where the series lands

Three parts, one through-line. The regulator automated faster than the regulated. That speed reaches your submissions, your inspections, your backlog, and the vendor AI you did not build. And readiness is buildable, in two quarters of coherence work that IT and quality do together rather than in sequence.

Start now for a simple reason. The work is owed either way, and doing it early turns a fast liability back into a slow one you control. Sampling was the regulator's oldest constraint, and quietly it was your protection too. With it gone, the distance between the records you polish and the records you keep becomes the inspection. Two quarters of honest work is what closes that distance, and the firms that feel ready are simply the ones who started.

If Elsa is already shaping how your programme gets reviewed or inspected, the most useful next step is a focused conversation about your own data trail and validation backlog, with your hardest question on the table. That is where I would begin, and it is where I am glad to help.

Sachin Bhandari advises pharma, biotech, medical device and CDMO organisations on AI in GxP, the CSV to CSA evolution, and digital validation at enterprise scale. He contributed to the industry review of the EU GMP Annex 22 (AI) draft and sits on the Global GAMP Steering Committee. This is Part 3, the finale, of a 3-part executive brief on FDA Elsa.

Find what an AI-speed regulator would find first.

A focused 30 minutes on your own data trail and validation backlog, no obligation. Bring your hardest question.

Request a conversation

← Read Part 1  ·  Read Part 2  ·  The book: Validating AI in GxP

})();