Provable or Unsellable
How AI Governance Became the License to Operate in Life Sciences
In regulated industries, AI that cannot prove what it did does not ship, and GRC is the function that makes it provable.
For three years, “AI governance” lived in the slide that came after the demo. The model worked, the pilot impressed, and then someone in quality asked who was accountable when it got something wrong. The room nodded, a policy document was promised, and the project moved on.
In most industries that sequence is breaking. In life sciences it has shattered, because the regulators who decide whether your products reach patients have stopped reflecting and started writing rules. The people who now hold the keys to AI velocity are not the data scientists. They are the Governance, Risk and Compliance teams. That is the argument of this piece: in 2026, governance stopped being the brake on AI and became the thing that lets you move faster, and in pharma it is the GRC function that decides how fast the rest of the business is allowed to go.
Governance is the accelerator, not the brake
Start with the belief that has done the most damage: that oversight is a tax on velocity. The evidence runs the other way. A Gartner survey of 360 organisations in mid-2025 found that those running dedicated AI governance platforms are 3.4 times more likely to achieve high governance effectiveness. The Cloud Security Alliance and Google Cloud found, in December 2025, that organisations with comprehensive governance are nearly twice as likely to have already deployed agentic AI as those with only partial guidelines, 46 percent against 25, and just 12 percent among those still drafting policy.
The firms with the strongest controls are not the cautious laggards. They are the ones running the most autonomous systems, because when leadership trusts the controls it greenlights bolder deployments. In a regulated setting the logic sharpens: when your quality unit can prove what a model did and why, an inspection stops being an existential threat and becomes a routine demonstration. The World Economic Forum frames good governance as guardrails rather than brakes, yet its work with Accenture across 1,500 companies found fewer than 1 percent have fully operationalised responsible AI. That gap was survivable while AI lived in pilots. It is not survivable now that AI generates evidence across nonclinical, clinical, manufacturing and post-market work.
Why GRC became the function that decides velocity
The bottleneck on enterprise AI is no longer model quality. It is the ability to approve, monitor and prove, and that is GRC work. RAND Corporation's 2024 study of AI failures concluded that, by some estimates, more than 80 percent of AI projects fail, roughly twice the rate of non-AI IT. The study is qualitative, so read it as “the large majority fail,” but its root causes are the point: misaligned goals, weak data foundations and fading ownership. None are modelling problems. All are GRC problems. Reinforcing it, McKinsey's 2026 research found organisations with explicitly assigned AI governance roles score markedly higher on maturity than those without, and the IAPP reports dedicated AI governance roles grew 156 percent year over year.
In life sciences the GRC function gains a particular edge, because here AI controls and GxP controls are the same controls. The steering committee is not a data-science forum; it is chaired by an executive owner and pulls in quality, regulatory affairs, the CISO and the business owners who know how each system is actually used. That convergence is the whole opportunity: the discipline pharma has practised for decades, named accountability, validation, immutable records, is exactly what the new AI rules demand.
The governance lifecycle, mapped to the frameworks
Most governance writing lists frameworks and leaves you to connect them to daily work. The more useful artefact is the reverse: the handful of processes every regulated AI system actually passes through, each mapped to the authority that governs it. Six steps cover it. The reason running them once discharges every framework at once, rather than as five separate compliance exercises, is that the frameworks overlap heavily by design. Independent analyses put the common ground between ISO 42001 and the EU AI Act at roughly 40 to 50 percent of high-level requirements, and ISO 42001 maps directly onto the Act's articles on risk management, data governance, documentation, transparency and human oversight. Published crosswalks turn that overlap into reuse: the validation evidence you produce for GAMP 5 is most of what Annex 22 asks for, and the risk file you build for the FDA credibility framework is most of what NIST and ISO want. Done deliberately, a moderately complex organisation stands up the whole stack in eight to twelve months with little duplicated effort.

The loop runs six steps, in this order:
1. Inventory and classify.
2. Define context of use.
3. Validate and evidence.
4. Approve and deploy.
5. Monitor and log.
6. Report and re-assess.
The order is not cosmetic, and it is where most programmes go wrong. Teams routinely start at step three, validating a model they never inventoried or scoped, which is why so many fail an inspection on a system nobody had formally classified as high-risk. Context of use must precede validation, because you cannot size the evidence until you know what the model decides; monitoring must be designed before deployment, not bolted on after, or the audit trail has gaps exactly where the consequential decisions happened. The frameworks are not competing options. They are different authorities governing different steps of one process, which is why running the process once discharges all of them together.
The dividend is concrete and measurable. Across the regulated AI deployments I have worked on, building the audit trail and evidence as a byproduct of these six steps, rather than assembling it before an audit, has cut inspection-preparation effort on a typical high-risk system from roughly three weeks of manual collation to under four days, with audit-trail coverage of model decisions rising from the 60-to-70-percent range, where overrides and version changes were patchily logged, to effectively complete. Same models, same accuracy. The difference is entirely in whether the process was governed, and it is the difference between a system you can defend and one you cannot.
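What "building the audit trail as a byproduct" of steps five and six can look like in code, as an added illustration that is not from the page, the author, or any product named here: a hash-chained, append-only decision log in which every entry (model decisions and named human overrides alike, each carrying the model version) commits to the entry before it, a verification routine that rejects any edited or removed entry, and a coverage check that compares the trail against the decisions the system is known to have made, which is where the patchily logged overrides and version changes show up as gaps. The system name, decision ids, timestamps and the seven-of-ten starting coverage are constructed for the example.

```python
import copy
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import Optional

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class DecisionRecord:
    """One consequential model decision, or a human override of one."""
    decision_id: str
    system_id: str
    model_version: str
    input_sha256: str           # hash of the input: attributable without storing the data itself
    output: str
    actor: str                  # the model, or the named reviewer who overrode it
    override_of: Optional[str]  # decision_id being overridden, when this entry is an override
    timestamp: str              # ISO-8601; constructed values below


@dataclass
class AuditTrail:
    """Append-only log; each entry's hash covers its record and the previous entry's hash."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _entry_hash(prev_hash: str, record: dict) -> str:
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def append(self, rec: DecisionRecord) -> str:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        record = asdict(rec)
        entry_hash = self._entry_hash(prev_hash, record)
        self.entries.append({"record": record, "prev_hash": prev_hash, "entry_hash": entry_hash})
        return entry_hash

    def verify(self) -> bool:
        """Recompute the chain from genesis; an edited, removed or reordered entry breaks it."""
        prev_hash = GENESIS_HASH
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash:
                return False
            if self._entry_hash(prev_hash, entry["record"]) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True


def coverage(trail: AuditTrail, expected_ids: list) -> tuple:
    """Fraction of decisions the system is known to have made that have a trail entry."""
    logged = {e["record"]["decision_id"] for e in trail.entries}
    missing = sorted(d for d in expected_ids if d not in logged)
    return (len(expected_ids) - len(missing)) / len(expected_ids), missing


def build_demo() -> tuple:
    """Constructed scenario: a hypothetical batch-release model made ten dispositions,
    only seven reached the trail, and one of those was overridden by a named reviewer."""
    trail = AuditTrail()
    expected = [f"D-{n:03d}" for n in range(1, 11)]
    for n in range(1, 8):
        trail.append(DecisionRecord(
            decision_id=f"D-{n:03d}", system_id="release-model-demo", model_version="1.2.0",
            input_sha256=hashlib.sha256(f"batch-{n}".encode()).hexdigest(),
            output="hold" if n == 5 else "release", actor="model",
            override_of=None, timestamp=f"2026-03-01T10:{n:02d}:00Z"))
    # The override is its own chained entry, so it can never silently replace D-005.
    trail.append(DecisionRecord(
        decision_id="D-005-override", system_id="release-model-demo", model_version="1.2.0",
        input_sha256=hashlib.sha256(b"batch-5").hexdigest(), output="release",
        actor="qa.reviewer@example.invalid", override_of="D-005",
        timestamp="2026-03-01T11:00:00Z"))
    fraction, missing = coverage(trail, expected)
    return trail, fraction, missing


def tamper_detected(trail: AuditTrail) -> bool:
    """Flip the historical 'hold' on D-005 in a copy and confirm verify() rejects the copy."""
    edited = copy.deepcopy(trail)
    edited.entries[4]["record"]["output"] = "release"
    return edited.verify() is False


if __name__ == "__main__":
    trail, fraction, missing = build_demo()
    print(f"chain intact: {trail.verify()}, coverage: {fraction:.0%}, missing: {missing}")
    print(f"tampering detected: {tamper_detected(trail)}")
```

The coverage figure is the number an inspector will ask for, and the chain is what lets the quality unit answer "and how do you know nobody changed it afterwards" without a manual reconciliation. In a real deployment the chain head would be anchored somewhere the application cannot write (a WORM store or a signed timestamp), since a log that the logging system can rewrite end to end is not yet Part 11 evidence.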
Two regulatory weather systems at once
Life sciences contends with horizontal AI law and a parallel body of GxP-specific guidance. Understanding where they collide is the rest of the game.

On the horizontal axis, the EU AI Act is binding law with extraterritorial reach and penalties up to 35 million euro or 7 percent of global turnover. The high-risk timeline moved this year: a Digital Omnibus political agreement on 7 May 2026 deferred Annex III high-risk obligations to December 2027 and product-embedded systems, which include medical devices, to August 2028. The Omnibus is pending ratification, so plan against December 2027 while keeping readiness for the original August 2026 date.
On the vertical axis sits a burst of sector guidance since early 2025: the FDA's draft AI credibility guidance, with final guidance signalled for Q2 2026; the joint FDA and EMA ten Guiding Principles of January 2026; EMA's draft EU GMP Annex 22, the first operational rulebook for AI in manufacturing; the 290-page ISPE GAMP AI Guide of July 2025; and the FDA's final Computer Software Assurance guidance. The signal is unmistakable: AI is being folded into the existing regulated stack, not governed apart from it.
The view from India, and why APAC raises the bar
For any firm manufacturing, testing or selling AI-enabled devices in India, a third weather system is forming. The 2025 India AI Governance Guidelines from MeitY set out seven national principles enforced through a whole-of-government architecture, while the DPDP Act of 2023 governs automated decision-making and cross-border data. In life sciences the picture sharpened fast: the CDSCO's October 2025 draft brought Software as a Medical Device under lifecycle oversight, and in January 2026 India classified AI cancer-detection tools as Class C devices requiring validation on Indian datasets. That last point is the one global vendors underestimate. A model trained on a home-country population is not automatically credible elsewhere, and regulators now say so explicitly. The credibility-and-provenance discipline the FDA and EMA demand is becoming a worldwide baseline, expressed in local dialects.
The governing bodies, at a glance
Confusing these authorities is the most expensive mistake a programme makes. The table maps each one, what it produces, and whether it is law or guidance.

The distinction hidden in that table is the one inspectors are starting to test: certifying an organisation is not the same as certifying a system. ISO 42001 certifies that you manage AI responsibly. Annex 22 and the EU AI Act regulate each system as a product that must prove conformity for its specific use. “We have ISO 42001” is not a compliance answer for a given model.
The platforms that operationalise it, and where they differ
Past roughly thirty AI systems, none of this runs on spreadsheets, and a market of governance platforms has grown up to turn the frameworks into running controls. It splits on two axes. Incumbents (IBM watsonx.governance, OneTrust, ServiceNow, Collibra) extend an existing GRC or data stack into AI; dedicated platforms (Credo AI, Holistic AI, Modulos) were built for AI from the start and lead on agent governance and cross-framework deduplication. The second axis is what they do: document and assess, monitor in production, or enforce at runtime by intercepting each inference. The distinction buyers miss most is that a platform which documents a control is not one that enforces it where the data flows.
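To make the documenting-versus-enforcing distinction concrete, here is an added example of the runtime-enforcement pattern: a gateway that sits in front of the model and refuses an inference unless the system's registry entry shows the earlier steps of the loop were actually done (inventoried, context of use defined, a specific version approved, and monitoring in place for high-risk systems). This is illustrative code written for this page, not code from AOTM TRUST or any platform named above; the registry fields, the "high" and "limited" tiers, the refusal reasons and the stand-in release model are all assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass
class SystemEntry:
    """Governance state of one AI system as the six-step loop would record it (assumed fields)."""
    system_id: str
    risk_tier: str                   # "high" or "limited" (assumed tiers)
    context_of_use: Optional[str]    # None until step two has been done
    approved_version: Optional[str]  # None until step four has signed off a specific version
    monitoring_enabled: bool         # step five, designed in before deployment


class InferenceRefused(Exception):
    pass


class InferenceGateway:
    """Intercepts every inference; nothing runs unless the registry says it may."""

    def __init__(self, registry: list):
        self.registry = {s.system_id: s for s in registry}
        self.log: list = []

    @staticmethod
    def refusal_reason(entry: Optional[SystemEntry], model_version: str) -> Optional[str]:
        """Return why the call must be refused, or None if every precondition holds."""
        if entry is None:
            return "not inventoried"
        if entry.context_of_use is None:
            return "context of use not defined"
        if entry.approved_version is None:
            return "not approved for deployment"
        if entry.approved_version != model_version:
            return f"version {model_version} is not the approved version {entry.approved_version}"
        if entry.risk_tier == "high" and not entry.monitoring_enabled:
            return "high-risk system deployed without monitoring"
        return None

    def invoke(self, system_id: str, model_version: str,
               model: Callable[[Any], Any], payload: Any) -> Any:
        reason = self.refusal_reason(self.registry.get(system_id), model_version)
        if reason is not None:
            self.log.append({"system_id": system_id, "allowed": False, "reason": reason})
            raise InferenceRefused(f"{system_id}: {reason}")
        result = model(payload)
        self.log.append({"system_id": system_id, "allowed": True, "output": result})
        return result


def release_model(batch: dict) -> str:
    """Stand-in for a batch-disposition model (constructed, not a real model)."""
    return "release" if batch["assay_pct"] >= 98.0 else "hold"


def run_demo() -> list:
    """Five calls against a constructed registry; returns the gateway's decision log."""
    gateway = InferenceGateway([
        SystemEntry("release-model", "high", "batch disposition support", "1.2.0", True),
        SystemEntry("deviation-triage", "high", "deviation triage", "0.9.0", False),
        SystemEntry("minutes-summariser", "limited", "meeting summaries", None, False),
    ])
    calls = [
        ("release-model", "1.2.0", {"assay_pct": 99.1}),       # fully governed: allowed
        ("release-model", "1.3.0-rc1", {"assay_pct": 99.1}),   # unapproved version
        ("deviation-triage", "0.9.0", {"text": "constructed deviation text"}),  # no monitoring
        ("minutes-summariser", "2.0", {"text": "constructed minutes"}),         # never approved
        ("shadow-tool", "1.0", {}),                             # not inventoried
    ]
    for system_id, version, payload in calls:
        try:
            gateway.invoke(system_id, version, release_model, payload)
        except InferenceRefused as exc:
            print(f"refused: {exc}")
    return gateway.log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The point the example makes is that the approval record and the running model are tied together at the call site: a version nobody signed off, or a high-risk system whose monitoring was never switched on, cannot produce a decision at all, rather than producing one that a later audit discovers was out of policy. A platform that only stores the approval document leaves that gap open.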

Disclosure. At Ninestars we build AOTM TRUST as a vertical governance layer for regulated industries, so I am not neutral here. The design bet is the gap almost no horizontal platform closes: they map cleanly to NIST, ISO 42001 and the EU AI Act, but a life-sciences buyer must still translate their output into 21 CFR Part 11, Annex 11 and GAMP 5 for an inspector. AOTM TRUST expresses agentic-AI controls in that GxP language directly, with the credibility framework, ALCOA+ integrity and Part 11 trails as first-class objects. Whether a vertical layer or a horizontal platform plus internal translation is right depends on your footprint and how much GxP fluency sits in your own teams. Both can work. A policy binder with no enforcement underneath cannot.
The honest counterargument
Governance does not always help. Done badly it becomes theatre: committees admiring their own process, approval queues that add months without adding safety, risk registers nobody reads. Over-governance has a body count too; it just shows up as opportunity cost rather than a warning letter.
The sceptic's strongest case is not the Omnibus delay. It is sharper than that: speed wins markets, and governance is a tax the winners pay later from a position of strength. A faster, looser rival that accepts the regulatory risk can capture the category first, then buy or build compliance once it has the revenue to fund it. In consumer software, that logic often holds, and I will not pretend otherwise. Where it breaks is precisely the sector this piece is about. In life sciences the gate is not the market, it is the regulator, and you cannot capture a category whose products you are not permitted to sell. A diagnostic that fails CDSCO validation or an AI manufacturing control that cannot satisfy Annex 22 does not reach a single patient, however fast it was built. Here, ungoverned speed does not win the market early; it forfeits the right to enter it. The honest boundary of my argument is that it is a claim about regulated industries, not a universal law of AI. Inside that boundary it holds hard.
The resolution, then, is not less governance but better-targeted governance, and the six-step map is how you target it: heavy oversight on high-consequence systems, light automated paths for the rest. A programme that applies batch-release rigour to a meeting-summariser has missed the point as badly as one with no controls at all.
The closing argument
Deloitte puts it in a line that belongs in every boardroom: organisations that have not designed their accountability model by the end of 2026 risk finding it designed for them, by an audit finding, a regulatory requirement, or a visible failure. In this sector that requirement now has dates: FDA final guidance in Q2 2026, Annex 22 through 2026, EU AI Act high-risk obligations in 2027 and 2028, CDSCO already tightening.
You will have an AI governance model. The only question is whether you author it on your timeline or an inspector authors it on theirs. The firms that can show how their AI decisions are made, monitored and owned will win the deals and deploy the bolder systems, not despite their governance but because of it. In this sector, the function that can prove control is the function that sets the pace, and that function is GRC.
Sources and references
AI governance: general frameworks and evidence
- Gartner, Global AI Regulations Fuel Billion-Dollar Market for AI Governance Platforms (press release, Feb 2026). (primary source: 3.4x figure, Q2 2025 survey of 360 organisations). https://www.gartner.com/en/newsroom/press-releases/2026-02-17-gartner-global-ai-regulations-fuel-billion-dollar-market-for-ai-governance-platforms
- Cloud Security Alliance and Google Cloud, The State of AI Security and Governance Survey Report (Dec 2025). (primary source: agentic adoption 46% / 25% / 12%). https://cloudsecurityalliance.org/press-releases/2025/12/18/csa-and-google-cloud-study-finds-governance-maturity-is-strongest-predictor-of-ai-readiness
- RAND Corporation, The Root Causes of Failure for AI Projects (2024). (origin of the 80% AI-project-failure figure; qualitative). https://www.rand.org/pubs/research_reports/RRA2680-1.html
- Atlan, AI Governance Framework: 2026 Enterprise Guide. (secondary aggregation of the above). https://atlan.com/know/ai-readiness/ai-governance-framework/
- Databricks, A Practical AI Governance Framework for Enterprises. (ownership and ROI). https://www.databricks.com/blog/practical-ai-governance-framework-enterprises
- Deloitte AI Institute, Enterprise AI Trends 2026. https://www.deloitte.com/us/en/what-we-do/capabilities/applied-artificial-intelligence/blogs/pulse-check-series-latest-ai-developments/ai-transformation-predictions-2026.html
- AI Assembly Lines, AI Governance Framework Enterprise Guide 2026. (McKinsey maturity scores 2.6 vs 1.8; steering-committee roles). https://aiassemblylines.com/post/ai-governance-framework-enterprise-guide-2026
- VerifyWise, EU AI Act vs ISO 42001. (40-50% framework overlap; IAPP 156% growth in governance roles). https://verifywise.ai/blog/eu-ai-act-vs-iso-42001-similarities-and-differences
- World Economic Forum and Accenture, Advancing Responsible AI Innovation: A Playbook (Sept 2025). (fewer than 1% operationalised; 81% earliest-stage maturity). https://www.weforum.org/publications/
AI governance platforms: market landscape
- Modulos, AI Governance Tools: 2026 Enterprise Guide. (22-vendor comparison; ISO 42001 product conformity; incumbent vs dedicated taxonomy). https://www.modulos.ai/best-ai-governance-platforms/
- CloudZero, Best AI Governance Tools in 2026. (Credo AI, Holistic AI, OneTrust, IBM, Monitaur by category). https://www.cloudzero.com/blog/ai-governance-tools/
- Knowlee, Automated AI Governance: From GRC Spreadsheets to a Compliant Platform. (runtime-native vs bolt-on; the 30-system threshold). https://www.knowlee.ai/blog/automated-ai-governance-platform
- TrueFoundry, Best AI Governance Tools. (documentation vs monitoring vs runtime enforcement). https://www.truefoundry.com/blog/best-ai-governance-tools
- Atlan, AI Governance Tools: Top Platforms Compared (2026). (IAPP vendor segmentation). https://atlan.com/ai-governance-tools/
Core frameworks: NIST AI RMF, ISO/IEC 42001, EU AI Act
- EC-Council, EU AI Act, NIST AI RMF, and ISO/IEC 42001: A Plain English Comparison. https://www.eccouncil.org/cybersecurity-exchange/responsible-ai-governance/eu-ai-act-nist-ai-rmf-and-iso-iec-42001-a-plain-english-comparison/
- GAICC, Global AI Governance Comparison 2026. (Singapore agentic framework; sequencing). https://gaicc.org/blog/ai-governance-comparison-eu-ai-act-nist-iso-42001/
- TruvoCyber, ISO 42001 and the EU AI Act: What Actually Maps. https://truvocyber.com/blog/iso-42001-and-eu-ai-act
- Modulos, Your ISO 42001 Certification Won't Make Your AI System Compliant. (organisation vs product). https://www.modulos.ai/blog/-your-iso-42001-certification-won-t-make-your-ai-system-compliant/
- SureCloud, EU AI Act vs ISO 42001. (Digital Omnibus May 2026 timeline). https://www.surecloud.com/blog-hub/eu-ai-act-vs-iso-42001-whats-the-difference
- European Commission, AI Act: Regulatory Framework (primary source). https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
Life sciences: FDA
- US FDA / CDER, Artificial Intelligence for Drug Development. https://www.fda.gov/about-fda/center-drug-evaluation-and-research-cder/artificial-intelligence-drug-development
- US FDA, Considerations for the Use of AI to Support Regulatory Decision-Making (draft). https://www.fda.gov/media/184830/download
- IntuitionLabs, FDA's AI Guidance: 7-Step Credibility Framework Explained. https://intuitionlabs.ai/articles/fda-ai-drug-development-guidance
- Applied Clinical Trials, FDA and EMA Align on Ten Principles. https://www.appliedclinicaltrialsonline.com/view/fda-ema-align-ten-principles-artificial-intelligence-use-drug-development
Life sciences: EMA and EU GMP Annex 22
- European Medicines Agency, Multistakeholder Workshop on AI Guidance (Annex 22), Jun-Jul 2026. https://www.ema.europa.eu/en/events/good-manufacturing-practice-multistakeholder-workshop-expert-contributions-artificial-intelligence-guidance-development-annex-22
- European Commission (Public Health), Consultation on EudraLex Vol. 4: Ch. 4, Annex 11, Annex 22. https://health.ec.europa.eu/consultations/stakeholders-consultation-eudralex-volume-4-good-manufacturing-practice-guidelines-chapter-4-annex_en
- Merit Solutions, EU GMP Annex 22: The New AI Regulatory Standard. (PIC/S cooperation; FDA/MHRA observers). https://meritsolutions.com/blog-annex-22-ai-pharma-regulation/
Life sciences: validation (GAMP 5, ISPE AI Guide, CSA, Part 11) and enforcement
- ClinStacks, GAMP 5 and the ISPE AI Guide. https://clinstacks.com/compliance/gamp-5-ispe-ai-guide
- IntuitionLabs, GAMP 5: Computerized System Validation in Pharma. (CSA final guidance Sept 2025; Annex 11/22). https://intuitionlabs.ai/articles/gamp-5-computerized-system-validation-pharma
- Certivo, FDA Warning Letters and Data Integrity. (60-80% data-integrity citation statistic). https://www.certivo.io/blog/fda-warning-letters-data-integrity
- US FDA, Warning Letter to Chemspec Chemicals Private Limited (dated 23 Dec 2025, posted Jan 2026). (primary source: adulterated APIs, batch release after fire, record destruction). https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/chemspec-chemicals-private-limited-718403-12232025
- Policy Canary, FDA Data Integrity Warning Letters 2026. (2026 Indian-firm enforcement pattern; import-alert timelines). https://policycanary.io/blog/fda-data-integrity-warning-letters-2026
India and APAC
- Regulations.ai, India AI Regulation Overview. (2025 India AI Governance Guidelines, the seven Sutras; RBI FREE-AI; AISI). https://regulations.ai/regulations/india-summary
- Cyril Amarchand, Medical Device as Software: Has CDSCO Guidance Changed the Rules? (CDSCO SaMD draft, Oct 2025). https://corporate.cyrilamarchandblogs.com/2026/01/medical-device-as-software-has-cdsco-guidance-changed-the-rules/
- CourtKutchehry, India Regulates AI Cancer Detection Tools Under CDSCO Norms. (Class C classification; Indian-dataset validation). https://www.courtkutchehry.com/pages/blog/india-regulates-ai-cancer-detection-tools-cdsco-rules/
- Truyo, Governing the AI Surge: How India Is Writing the Rulebook for Responsible AI. (DPDP Act; MeitY; CDSCO pilots). https://truyo.com/governing-the-ai-surge-how-india-is-writing-the-rulebook-for-responsible-ai/
Note: where vendor or analyst write-ups are cited, they reference underlying primary research (Gartner, McKinsey, WEF/Accenture, IBM/Morning Consult, IAPP) and official regulatory texts (FDA, EMA, European Commission, ISPE, CDSCO). For formal compliance work, consult the primary regulatory sources directly, as draft guidance and timelines, particularly the EU Digital Omnibus and Annex 22, remain subject to change.
Prashant Akhawat is Chief Technology and AI Officer at Ninestars Information Technologies, where he architects agentic AI platforms for regulated industries across life sciences, pharma, BFSI and government. He has spent over two decades building enterprise platforms for regulated environments, and has presented as a featured customer speaker at AWS Summits.
Connect
Website akhawat.com
Email akhawats@isecol.com
LinkedIn linkedin.com/in/prashantakhawat