Can You Trust AI in a Regulated eQMS? Separating Hype from Reality

AI trust is earned, not assumed

AI tools can support regulated eQMS activities when their intended use is clearly defined, their outputs are subject to human review, and they are validated (or otherwise assured) in accordance with applicable regulatory requirements. Trust is not inherent in the technology; it is earned through design, governance, and evidence.

What "trust" means in a regulated eQMS

In everyday language, trusting a tool means relying on it to do what you expect. In a regulated eQMS, the standard is higher and more specific. Trust must be demonstrable, documented, and auditable.

ISO 13485:2016 requires that software used in the eQMS be validated for its intended use (clause 4.1.6). Validation is not a one-time event; it is a lifecycle commitment covering initial qualification, change control, and periodic review.

FDA 21 CFR Part 11 adds a further dimension: electronic records and electronic signatures must be trustworthy, reliable, and equivalent to paper records. This demands access controls, audit trails,  time-stamped records, and controls to prevent unauthorised alteration. If an AI tool generates, modifies, or approves records in your eQMS, those records must meet Part 11 requirements by design.

Framed this way, trust in AI within a regulated eQMS rests on five pillars:

• Compliance with applicable regulations
• Fitness for intended use (the software does what you claim)
• Data integrity (records are accurate, complete, and attributable)
• Auditability (every action can be traced and explained)
• Human accountability (a qualified person reviews and approves AI-assisted outputs)

Where AI adds real value in an eQMS

Document drafting and review assistance (with human-in-the-loop)

Large language models (LLMs) can draft Standard Operating Procedures (SOPs), work instructions, or technical file sections based on controlled templates and approved reference content. The practical value is real, as drafting time can fall significantly, and consistency across documents can improve.

The control that makes this acceptable is a mandatory human review and approval step before any AI-assisted draft enters the document control workflow. In a compliant eQMS, this means the draft passes through a defined review/approval chain, with each sign-off captured in the audit trail, before the document is issued. The AI is a drafting assistant; the qualified author remains the accountable party.

For example, a quality engineer uses an AI drafting feature to generate a first-pass CAPA procedure based on the company's approved CAPA template and related regulatory requirements. The draft is reviewed and edited by the QA manager, approved via an electronic signature, and versioned in the controlled document system. The AI's involvement is transparent and traceable.

Intelligent search and retrieval across controlled documents

Finding the right version of the right document at the right moment is a persistent challenge in mature eQMS environments with thousands of controlled records. AI-powered search—particularly retrieval-augmented generation (RAG), where the model answers only from your validated document corpus—can dramatically reduce search time and retrieval errors.

Controls here include:

• Restricting the retrieval index to approved, current-version documents
• Logging every query and response
• Ensuring the system cannot surface superseded or draft documents as authoritative.

Role-based access controls must mirror those applied to the underlying document management system.

Classification and tagging to improve findability and reuse

Automatic classification of incoming complaints, NC reports, or supplier documents by product family, risk category, or regulatory clause is a low-risk, high-value AI use case. Classification suggestions (not decisions) presented to a human reviewer keep the human in the loop while reducing manual effort.

The key control is that classification remains a suggestion until confirmed by an authorised user, and the confirmation is logged with a timestamp and user identity in the audit trail. 

Audit and inspection readiness support

AI can help quality teams prepare for FDA inspections, Notified Body audits, or internal eQMS reviews by aggregating evidence, cross-referencing open CAPAs against findings, identifying gaps in training records, and generating audit-ready summaries. This is non-decision-making analytical support, feeding into a human-led preparation process.

Acceptable controls include:

• Clearly labelling AI-generated summaries as draft or "for review”
• Linking output back to source records for human verification
• Ensuring that no AI summary is submitted to a regulator without human review and sign-off

Complaints / NC / CAPA triage suggestions (risk-based, not automatic decisions)

AI can suggest risk classifications, related precedents, or likely root-cause categories for incoming complaints and NCs based on historical data in the eQMS. This accelerates triage and supports consistent risk-based prioritisation.

Critically, triage suggestions must be reviewed and confirmed by a competent quality professional before initiating a CAPA or escalation workflow. 

AI risks and failure modes to watch out for

None of the following should discourage you from exploring AI in your eQMS, but they are worth thinking through before deployment.

What the regulations do and don’t say

ISO 13485:2016 

ISO 13485 does not explicitly reference AI. However, clause 4.1.6 requires that:

"software used in the quality management system shall be validated prior to initial use and, as appropriate, after changes to such software."

This applies to AI-enabled eQMS tools. The standard's risk-based philosophy maps directly to the need to calibrate validation effort to the potential impact of AI failures on product quality and patient safety.

FDA 21 CFR Part 11

Part 11 requires audit trails, access controls, time-stamped records, and electronic signature controls for electronic records in regulated activities. It does not address AI specifically.

However, when AI generates or modifies records that fall within the scope of 21 CFR Part 820, Part 11 controls must be in place. The FDA confirmed in its final Computer Software Assurance (CSA) guidance (September 2025) that

"if electronic records are maintained under Part 820, Part 11 applies."

In February 2024, the FDA finalised a rule amending 21 CFR Part 820 to align more closely with ISO 13485, with an effective date of February 2026. This harmonisation reinforces the alignment between US and international QMS software requirements.

FDA Computer Software Assurance (CSA) Guidance

The FDA’s final CSA guidance (September 2025) formalises a risk-based approach to software assurance, replacing the traditional CSV paradigm of exhaustive scripted testing

For AI-enabled tools, CSA's risk-tiering approach—distinguishing "high process risk" from "not high process risk" features—provides a practical framework for calibrating validation effort. GAMP 5 Second Edition (ISPE, July 2022) aligns closely with CSA.  

EU MDR/IVDR and QMS Records

The EU Medical Device Regulation (MDR 2017/745) and In Vitro Diagnostic Regulation (IVDR 2017/746) require manufacturers to maintain a QMS, including documentation and record-keeping obligations. Where AI tools generate or manage QMS records that feed into technical documentation or post-market surveillance reports, the integrity and traceability of those records are directly relevant to compliance.

EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 with phased implementation.

The most immediately relevant obligations for eQMS deployments are:

• The AI literacy requirement (Article 4, applicable from 2 February 2025), which requires deployers to ensure that staff handling AI have adequate knowledge; and
• The deployer obligations for high-risk AI systems (Article 26), which include human oversight, use limitation to the intended purpose, and monitoring of performance.

Most internal eQMS workflow tools are unlikely to meet the high-risk thresholds, but this should be formally documented.

GDPR

If personal data is processed by an AI tool—including patient complaints, adverse event reports, or employee records—GDPR obligations apply in full. This is especially relevant when using externally hosted LLMs as processors under a Data Processing Agreement (DPA).

Validating AI-enabled eQMS tools: A practical approach

Step 1 – Define intended use and risk:

Document which AI features will be used, in which processes, and by which user roles. Apply the CSA risk framework: classify each AI feature as high or not-high process risk based on the consequence of failure.

Step 2 – Supplier assessment:

Under ISO 13485 clause 7.4, evaluate your supplier. Request validation documentation, SOC 2 Type II or ISO 27001 certifications, data processing agreements, and specifics on model versioning and change notification.

Step 3 – Risk-based validation:

Test critical-to-quality requirements with evidence proportionate to risk. For AI features, define acceptance criteria as ranges rather than exact outputs; use reference-grounded prompts; apply sampling across multiple test runs; fix model version and temperature settings during qualification.

Step 4 – Audit trail and traceability: Document the traceability matrix and link each URS requirement to the test evidence. Retain prompt logs, model version identifiers, and test outputs as validation records.

Step 5 – Change control and revalidation triggers: AI features must be subject to your formal change control procedure. Revalidation triggers should include model version updates, changes to the retrieval corpus, changes to prompt templates, and periodic reviews at a frequency commensurate with risk).  

Governance and technical controls

Data governance

Establish clear policies on which content may be processed by AI: segregate regulated records from non-regulated content; apply encryption at rest and in transit; define retention periods; ensure AI access controls mirror those of the underlying eQMS. 

Prompt and context management

Maintain a library of approved prompt templates reviewed by subject matter experts. Validate the behaviour of approved prompts as part of the qualification. Restrict user ability to modify prompts in ways that could alter the scope or risk profile of AI outputs.

Auditability

Every AI-assisted action within the eQMS should generate an auditable record: the prompt or  template reference, the model version, output, reviewer identity, review decision, and timestamp. This record should be immutable and linked to the relevant eQMS record. Where electronic signatures are required, they must meet Part 11 controls. 

Monitoring

Establish periodic performance checks to detect model drift. Define a threshold for triggering formal investigation and, where necessary, revalidation. Integrate AI performance monitoring into your existing corrective action process.

Separating hype from reality

What you can do safely with AI and an eQMS today:

• Use AI-assisted document drafting with mandatory human review and electronic approval in a Part 11-aligned eQMS.
• Deploy intelligent search within your validated document corpus using RAG, with full query and response logging.
• Use AI classification suggestions for incoming complaints and NCs, with quality professionals confirming before record updates.
• Apply AI-generated audit-readiness summaries as inputs to human-led inspection preparation, clearly labelled as drafts.

What to approach with caution:

• Allowing AI to approve, close, or sign off on any regulated record without a qualified human review step.
• Processing patient-identifiable complaint data through external LLM APIs without a DPIA, DPA, and appropriate transfer safeguards.
• Deploying AI features that have not been subjected to supplier assessment and risk-based validation, even if marketed as "compliance-ready."
• Relying on AI to determine regulatory reportability of adverse events; this requires a qualified regulatory professional.

How Cognidox can help 

AI can add genuine value to regulated quality management, but realising that value safely requires the right eQMS foundation, a sound governance framework, and practical guidance from people who understand both the technology and the regulations.

The governance principles outlined above—document control, version management, audit trails, role-based access, electronic approval workflows—are not new requirements created by AI. They are the foundations of a well-run eQMS. AI simply raises the stakes on getting them right.

Cognidox’s eQMS platform is built around these foundations. Role-based access controls, immutable audit trails, and Part 11-aligned electronic approval workflows provide the infrastructure that enables AI-assisted document drafting, intelligent search, and classification to be deployed safely in a regulated environment.

Whether you are evaluating or building a governance framework for an existing AI pilot, the Cognidox team can help you navigate the practical, compliant path forward. Contact us to discuss your specific use cases.

FAQs

1. Do I need to validate an external AI tool used within my eQMS?

Yes, if the tool is used as part of your production or quality system processes, validation is required under ISO 13485 clause 4.1.6 and 21 CFR 820.70(i). The FDA’s final CSA guidance supports a risk-based approach, calibrating validation depth to the risk of the AI feature failing to perform its intended use.

2. Is AI-generated content Part 11 compliant?

AI-generated content can be Part 11 compliant, but compliance is determined by the controls applied—not by the content's origin. If AI-generated text forms part of an electronic record that is subsequently reviewed, approved, and signed off via Part 11-compliant, the record can meet Part 11 requirements.

3. Can AI approve documents or make quality decisions?

No. AI tools should not be configured to approve documents, close CAPAs, determine regulatory reportability, or make any quality decision requiring the judgment of a competent, accountable person. Human review and electronic sign-off must remain in the workflow.

4.  How do auditors view AI use in QMS today?

Regulators have not issued AI-specific QMS guidance as of April 2026, but auditors are increasingly asking questions about AI governance. The expectation mirrors existing principles: intended use must be defined, the tool must be validated, outputs must be traceable, and a qualified human must be accountable. A documented AI governance framework puts organisations in a strong position.

5. Does the EU AI Act apply to internal QMS tools?

It may. The AI literacy obligation (Article 4) has applied since 2 February 2025 to all organisations deploying AI professionally in the EU—including internal QMS use. Whether a specific AI-enabled eQMS feature qualifies as  "high-risk " under Annex III  requires a case-by-case assessment and should be formally documented.