AI Has Arrived In Biotech CMC Amid Patchwork Governance

A conversation between Kelsey Hoontis, regulatory affairs and CMC strategy leader, and Life Science Connect's Jon O'Connell

Artificial intelligence is moving into regulatory affairs and CMC faster than many biotech companies can govern it. Across the industry, teams are already using AI to support drafting, summarization, knowledge retrieval, and early response development.

In many cases, those uses are emerging inside regulated workflows before organizations have fully defined how outputs should be governed. That disconnect is becoming especially visible in small and midsize biotech, where lean teams are under pressure to accelerate development timelines while building quality systems in parallel.

Kelsey Hoontis, a regulatory affairs and CMC strategy consultant, will describe a path for biotech companies to catch up at the inaugural 2026 ISPE AI in Life Sciences Summit – Powered by GAMP. Ahead of her talk, she offered us a preview.

From your vantage point as a consultant, where do we stand on meaningful AI diffusion in regulatory CMC? Are companies still struggling to roll out tools at an operational level?

Hoontis: Meaningful AI adoption in regulatory affairs and CMC is absolutely happening, but governance maturity still lags operational use in many organizations. Most companies are no longer questioning whether AI has value. The challenge now is implementing it responsibly inside regulated workflows.

What I see most often is fragmented adoption. Teams may already be using AI informally for authoring support, data summarization, health authority response drafting, or knowledge retrieval without centralized oversight or defined governance expectations.

Large pharmaceutical companies are generally further along in establishing approved-use frameworks and governance models. Smaller and midsize organizations are often still in pilot phases. The pressure to accelerate timelines, especially in biologics and advanced modalities, is driving adoption faster than many organizations can operationalize controls around traceability, review, and accountability.

What are the hallmarks of fragmented AI adoption? What risks does it create that we might not immediately see?

Hoontis: Fragmented AI adoption usually appears when multiple teams use different AI tools with inconsistent controls and no centralized governance ownership. One group may use AI for SOP drafting while another uses it for analytical summaries or health authority responses, but there is no shared framework defining acceptable use, review expectations, or traceability.

One of the biggest hidden risks is inconsistency. AI-generated content can sound technically credible while introducing subtle inaccuracies, unsupported conclusions, or variability across submission documents. Those issues are not always immediately visible during routine review.

Another concern is vendor opacity. Many platforms are embedding AI capabilities into systems organizations already use operationally. Companies may not fully understand how outputs are generated, managed, or updated over time, which creates challenges around reconstructability and inspection readiness.

What do organizations most commonly get wrong when they try to build their own AI governance models?

Hoontis: One of the most common mistakes is treating AI governance as either purely an IT initiative or purely a compliance exercise. Effective governance needs to be operational and cross-functional because AI affects scientific workflows, submission quality, validation, and life cycle management simultaneously.

Another issue is overengineering governance before organizations understand where AI is already being used. A more practical approach is starting with visibility and risk classification. Companies first need to inventory use cases and identify where AI outputs may influence regulated content or operational decisions.

Organizations also tend to apply the same governance expectations across every use case. That usually does not work. AI-assisted meeting summaries do not carry the same risk as AI-assisted Module 3 authoring or analytical interpretation. Governance should scale proportionally to regulatory and scientific impact.

Does the industry's well-established data integrity infrastructure help organizations as they bring AI into regulatory workflows, or does AI introduce new data integrity risks that the existing ALCOA+ framework wasn't designed to address?

Hoontis: The industry’s existing data integrity infrastructure provides a strong foundation for AI governance. Principles like ALCOA+ remain highly relevant because organizations still need data to be attributable, traceable, accurate, and reviewable regardless of whether AI is involved.

However, AI introduces additional complexity that traditional data integrity models were not specifically designed to address. One major challenge is probabilistic output generation. Traditional systems generally produce consistent outputs from the same inputs, while generative AI models may produce variable outputs depending on prompts, model updates, or context.

That creates new concerns around reproducibility, version control, and traceability. AI-generated content can also sound scientifically credible while containing subtle inaccuracies. Existing ALCOA+ principles still apply, but organizations may need additional controls around human review, source verification, and life cycle monitoring.

Do you see any meaningful governance differences based on modality complexity or novelty?

Hoontis: Yes, modality complexity significantly affects governance expectations and regulatory risk. Mature monoclonal antibody and many small-molecule programs typically operate with more standardized manufacturing platforms, established analytical methods, larger historical data sets, and clearer regulatory precedent. That can make lower-risk AI-supported activities, such as document summarization or structured authoring support, more manageable with appropriate human oversight.

Cell and gene therapies introduce greater complexity because manufacturing processes are often closely linked to product identity, potency, and clinical performance. These programs may involve higher variability, evolving analytical strategies, and less historical precedent. From a regulatory perspective, that increases expectations for scientific justification, traceability, verification, and documented human review when AI-supported outputs influence regulated decisions or submission content.

What does inspection-ready documentation for an AI-supported authoring or data verification process actually look like? What would an FDA investigator expect to see?

Hoontis: Investigators are generally not looking for evidence that AI was never used. They are looking for evidence that the organization maintained control over the process and remained accountable for the outcome.

Inspection-ready documentation should clearly demonstrate:

• what the AI tool was used for,
• how the organization classified the risk,
• what review processes were required,
• who approved the final output, and
• how traceability was maintained.

For higher-risk workflows, especially those influencing submission content or scientific interpretation, organizations should also be able to explain how outputs were verified against source data and how human oversight was documented.

In practice, this should resemble other governed digital workflows with clear expectations around intended use, review responsibilities, life cycle oversight, and change management.

What is some practical advice for a regulatory affairs or CMC leader who is being told to integrate AI into their workflows but lacks a governance model in place? Where do you start?

Hoontis: The first step is visibility. Most organizations should begin by understanding where AI is already being used before attempting to build a fully mature governance program. In many companies, operational use has already started informally across regulatory affairs, CMC, quality, or technical operations.

Once organizations understand current use cases, they can begin classifying activities based on risk and regulatory impact. Not every workflow requires the same level of governance. AI-assisted meeting summaries carry very different risk compared to AI-assisted submission authoring or analytical interpretation.

I usually recommend starting with a small number of clearly defined lower-risk use cases where review expectations and oversight can be established practically. The strongest governance models are operational, cross-functional, and integrated into existing quality and life cycle management systems.

Selected references for further reading:

1. FDA. Considerations for the Use of Artificial Intelligence to Support Regulatory Decision-Making for Drug and Biological Products (Draft Guidance), January 2025.
2. FDA. Data Integrity and Compliance With Drug CGMP: Questions and Answers (Guidance for Industry), December 2018.
3. MHRA. GXP Data Integrity Guidance and Definitions, Revision 2, March 2018.
4. EMA. Reflection Paper on the Use of Artificial Intelligence in the Medicinal Product Lifecycle, 2024.
5. ICH Q9(R1): Quality Risk Management, International Council for Harmonisation, 2023.
6. ICH Q10: Pharmaceutical Quality System, International Council for Harmonisation, 2008.
7. ALCOA+ Principles for Data Integrity, FDA and industry-recognized industry framework.

About The Expert:

Kelsey Hoontis, M.Sc., is a regulatory affairs and CMC strategy leader with nearly 20 years of experience supporting global biotechnology and pharmaceutical programs, specializing in biologics and advanced modalities across major regulatory regions. She brings a practical perspective on how AI is being utilized within regulatory affairs and CMC, with a focus on responsible governance, ethical use, and maintaining data integrity and trust in submission-ready outputs.