KG LEGAL \ INFO
BLOG

EMA and FDA set common principles for AI in medicine development – January 2026

Publication date: February 12, 2026

In recent years, the importance of artificial intelligence (AI) in drug development, evaluation, and monitoring has grown significantly. AI technologies have the potential to accelerate research, improve predictions of drug efficacy and safety, and reduce the need for animal testing. At the same time, their use presents new challenges. AI models can make errors, be susceptible to unforeseen risks, or use data in a non-transparent manner. To fully realize the benefits of AI while minimizing risks, it is essential to establish clear and common principles for the use of these technologies.

In response to these challenges, the European Medicines Agency (EMA) and the US Food and Drug Administration (FDA) have jointly developed ten principles of good practice for the use of AI in the drug lifecycle. This document is a foundational framework, not a binding legal regulation – it provides general directions and guidelines that should guide drug manufacturers, applicants, and regulators. These principles indicate how AI should be designed and used to ensure it is ethical, safe, transparent, and based on reliable data. The ten principles also identify areas where international regulators, standards-setting organizations, and other collaborating entities can work together to promote good practice in drug development. These areas of collaboration include: conducting scientific research, creating educational tools and resources for market participants, international harmonization, and developing consensus standards.

To facilitate initial analysis, these principles can be grouped into three logical pillars. Principles 1-3 address organizational foundations and people, focusing on interdisciplinary team expertise and ensuring that AI remains under human control within specific, established governance processes. Principles 4-7 address technical quality and model integrity, the “heart” of the technology. Principles 8-10 address accountability and lifecycle, defining standards for documentation, clear communication with users, and continuous monitoring of the model after its implementation. Below is a detailed summary of the 10 principles of good practice for AI in the drug lifecycle:

1. Human-Centered Design. The development and use of AI technologies in the drug development lifecycle should be consistent with ethical values and human-centered. The ethical principles cited in the EMA and FDA documents do not constitute a standalone normative framework; rather, they were drawn from earlier standards for the protection of fundamental rights and bioethics and then incorporated into the “Trustworthy AI” framework developed by the High-Level Expert Group on AI (HLEG). The Assessment List for Trustworthy AI defines seven fundamental requirements for trustworthy AI, which provide a practical tool for implementing ethical values in AI systems. These principles assume that an AI system should support human decisions, enable human intervention, and not make decisions autonomously, which is directly related to the premise of “human-centeredness.” Another requirement is the AI’s technical resilience to errors, failures, and attacks, ensuring the system’s security and predictability. From an ethical perspective, it is also crucial that all collected and processed data comply with applicable law, and that the system’s decision-making processes remain fully verifiable. AI implementation should consider the potential risks associated with its use and provide mechanisms for oversight, verification, and preventive measures to minimize undesirable consequences. The document also emphasizes that AI systems must not contribute to exacerbating existing prejudices or discrimination, but should instead promote equality, justice, and the well-being of people and the environment. A final important principle is accountability – individuals and organizations that design, implement, and use AI systems are responsible for their performance and consequences.

The AI Act (Regulation (EU) 2024/1689 of the European Parliament and of the Council) contains many similar terms, such as “human-centric” and “trustworthy AI”, although the act itself does not provide a formal definition. This term appears repeatedly in the preamble and in Article 1, allowing for interpretation of its meaning in regulatory and practical contexts. The AI Act establishes a legally binding framework for AI systems in the EU, including prohibitions on certain practices, transparency obligations, and risk management requirements for high-risk systems. Therefore, conceptual overlap can be observed between the HLEG/EMA/FDA guidelines and the AI Act, although they serve different functions – the guidelines provide ethical and design direction, while the AI Act defines legal obligations.

2. Risk-Based Approach. The development and use of AI technologies follows a risk-based approach, with proportionate validation, risk mitigation, and oversight based on context of use and model-specific risk. To begin with the first premise, the “risk-based approach”: this model is known from the AI Act. It identifies four risk levels for AI systems: unacceptable risk, high risk, transparency risk, minimal risk, or no risk. Article 5 of the AI Act introduces a catalog of prohibited practices, including AI systems whose use is deemed unacceptable due to a threat to fundamental rights. In the context of the use of AI in drug research, prohibitions relating to the protection of individual autonomy and vulnerability should be specifically mentioned, particularly the prohibition on the use of manipulative systems and systems exploiting the specific vulnerabilities of clinical trial participants. Moving on to the high-risk category, AI systems used in the development of medicinal products are generally not classified as high-risk systems under Annex III of the AI Act, but may be deemed so under Article 6(1) if they constitute a “safety-related component” of a sectorally regulated product and are subject to mandatory conformity assessment before marketing or use. The term “safety-related component” refers to a component whose failure or malfunction could pose a threat to the health, safety, or security of individuals, or property. Systems explicitly listed in Annex III are also considered high-risk AI systems, including remote biometric identification systems, crime risk assessment systems, and systems that make decisions that significantly impact an individual’s legal status. The legislator has provided for the possibility of exempting certain systems from this category if they do not pose a significant risk to health, safety, or fundamental rights and do not significantly influence the outcome of the decision-making process.
This exemption requires a documented self-assessment by the provider and is subject to review by the competent national authorities. For limited-risk AI systems, the legislator primarily provides for transparency obligations aimed at preventing users from being misled. This includes, among other things, the obligation to disclose that the system is based on AI and to indicate its limitations. The category of minimal-risk systems includes all other AI systems that do not fall into any of the above-mentioned groups. For these systems, the AI Act does not impose specific regulatory requirements, leaving providers free to design and implement them.

The reference to “proportionate validation” should be understood as a consequence of the AI Act’s adoption of a risk-based approach. This means that the scope, intensity, and formalization of validation processes for AI systems should be tailored to the level of risk the system poses to health, safety, or fundamental rights. In other words, the scope of validation, oversight, and requirements for an AI system depend on both the level of risk posed by the model and the context of its use. The greater the potential risk, the more stringent the requirements.

3. Compliance with standards. AI technologies must comply with applicable legal, regulatory, technical, and ethical standards, including the principles of good practice in pharmacy and data protection. Legally, this includes, among others, Regulation (EU) 2024/1689 of the European Parliament and of the Council on Artificial Intelligence (AI Act), which establishes obligations for AI system operators, prohibitions on certain practices, and requirements for high-risk systems, as well as the personal data protection provisions of the GDPR, anti-discrimination directives, and national regulations on clinical trials and the marketing of medicinal products. Regulatory and good practice standards include Good Manufacturing Practice (GMP), Good Clinical Practice (GCP), ICH guidelines, and the use of regulatory sandboxes, which enable testing of new technologies in a controlled environment while maintaining the safety of patients and researchers. Technically and ethically, the aforementioned HLEG/ALTAI guidelines for trustworthy AI must be taken into account. Additionally, compliance with ISO standards for information security and validation of medical algorithms ensures the technical consistency and reliability of AI systems in the pharmaceutical context.

4. Clear context of use. Every AI system must have clearly defined objectives and a precisely defined scope of application, as reflected in the ISO/IEC 42001 standard. This standard requires organizations to document the context in which the system is used, specify the decision-making processes it supports, and identify the risks arising from its specific nature. This requirement is inextricably linked to the qualification of the risk level under the AI Act. According to Article 6 of this regulation, a precise definition of the system’s functions and its potential impact on health and property is necessary to determine whether AI constitutes a “safety-related element of a product”. High-risk systems must have a transparently defined purpose, which is a sine qua non for conducting a reliable compliance assessment and implementing adequate oversight.

5. Multidisciplinary expertise. Establishing the operational framework for the system requires multidisciplinary expertise, which should be integrated into the project throughout the technology lifecycle. This principle reflects the complexity of contemporary solutions, particularly general-purpose AI (GPAI) models. It is worth noting that their characteristics in the pharmaceutical regulatory guidelines explicitly refer to the legal definition contained in Article 3(63) of the AI Act, which describes models characterized by large scale, the ability to learn from diverse data, and competence in performing a wide range of tasks. According to the EMA/FDA, collaboration between specialists in AI technology, biology, pharmacy, law, and ethics is not merely a formality but a necessary condition for ensuring model reliability. A multidisciplinary approach guarantees higher quality input data, correct interpretation of results in the specific clinical context, and full consideration of the regulatory environment. This concept aligns with the AI Act’s classification of “high-impact” models, where systems with a significant potential to generate systemic risks are subject to special scrutiny. In pharmaceutical practice, the involvement of experts from various fields allows us to create a model that not only complies with the law, but above all works effectively and safely in real medical applications.

6. Data and Documentation Management. Another pillar of technology security is data management and documentation, which must be transparent and verifiable throughout the drug lifecycle. According to EMA and FDA guidelines, every stage of data processing and every analytical decision must be documented in a way that allows for full reconstruction of events. In pharmaceutical practice, this means maintaining the ALCOA++ standard, which has evolved from the original five principles to the current set of ten attributes, including completeness, consistency, and durability of the record. This documentation cannot be limited to final results; in accordance with GxP requirements, it must encompass the entire “data engineering” process, from the original source to the final input into the AI model. This is crucial in the context of regulatory audits, as an analysis of FDA activities indicates that as many as 80% of warning letters regarding data integrity issued in recent years resulted from gaps in this area. Applying the ALCOA++ standard in the age of artificial intelligence requires healthcare entities to implement advanced audit trails that record every modification. Inspectors such as the EMA and the national Chief Pharmaceutical Inspectorate (GIF) currently expect not only system logs but also proactive and systematic review of these logs to detect potential manipulation or human error. This process must also consider the protection of privacy and sensitive data, which links GxP requirements with GDPR obligations. In this context, it is particularly important that the data be “persistent” and “available.” Such supervision ensures the credibility and verifiability of data obtained using AI. 
It should be noted that the term “GxP” is an umbrella term for specific regulated sub-areas, such as: GMP = Good Manufacturing Practice; GSP = Good Record Keeping Practice; PKB = Good Distribution Practice; GEP = Good Engineering Practice; GAMP = Good Automated Manufacturing Practice.

7. Design and Development of Practice Models. The seventh principle is a technical confirmation that the AI system was not created haphazardly, but was built according to rigorous engineering standards. In pharmaceutical practice, this primarily means applying the GAMP 5 standard, which requires that each algorithm function be tested and verified before use (validation). Because AI systems have the ability to continuously learn, this principle also introduces modern oversight (MLOps), which acts as a quality monitor. This protects the model from losing its effectiveness after it leaves the laboratory and reaches hospitals. A key element of safe design is the selection of data that is “fit for purpose.” This means that the model cannot learn from random information. This information must be representative, reflecting the diversity of patients (e.g., in terms of age, gender, or ethnicity), which prevents the development of erroneous algorithmic biases. This gives the model generalizability, ensuring that it will perform safely on every new patient, not just on the narrow group of individuals on whom it was trained. Regulators (EMA/FDA) prioritize moving away from “black box” models toward explainability (Explainable AI – XAI), which finds its technical support in the ISO/IEC 23894 standard. As part of risk management, this standard requires that the system be able to present logical rationale for its decisions. This means that the algorithm must indicate which specific medical parameters prevailed in a given clinical assessment, allowing the physician to substantively verify the result. This vision is complemented by the ISO 9241 (Human-Centered Design) standard. In medical AI, HCD is not understood as interface aesthetics, but as a security architecture that counteracts the phenomenon of thoughtless submission to machine suggestions.
In accordance with the principles of this standard, such as error tolerance and controllability, the system design must minimize the effects of human error and guarantee the user the ability to override AI suggestions at any stage. The principle of self-descriptiveness, in turn, requires the system to clearly communicate its state and confidence limits, which directly addresses the technical robustness requirement stipulated in the EU AI Act. Ultimately, this ensures that the entire decision-making process of the algorithm is fully verifiable and trustworthy.

8. Risk-based performance assessment. Risk-based performance assessments evaluate the entire system, including human-AI interactions, using data and metrics appropriate to the intended context of use, supported by predictive performance validation through appropriately designed testing and evaluation methods. Although the concept of a “risk-based approach” was discussed in detail in Principle 2, in the context of classifying systems under the AI Act, under Principle 8 it has a more operational dimension. In short, we no longer ask whether a system is risky, but rather to what extent we need to test it to meet safety requirements. A key element of this principle is defining and monitoring human-AI interaction. According to Article 14 of the AI Act, high-risk systems must be designed to enable effective human oversight. In pharmaceutical practice, this means creating a mechanism for continuous learning under human oversight, where the human is not just a passive recipient of the result, but an active operator filtering the algorithm’s suggestions. This model of collaboration allows for the verification of AI decisions and effectively counteracts the phenomenon of over-trust, in which medical personnel could uncritically accept erroneous system recommendations. A reliable performance assessment also requires the implementation of failure mode analysis. Instead of focusing solely on confirming the model’s predictive effectiveness, AI implementers must deliberately identify the system’s weaknesses and moments when the algorithm may miss safety signals (e.g., rare adverse drug reactions).

Referring to Article 15 of the AI Act is crucial here, as it imposes the obligation to ensure a high level of robustness and accuracy. In practice, this means that system validation cannot be limited to simulations under ideal conditions. It must include testing how the system responds to intentionally erroneous, incomplete, or unusual medical cases. In this context, the concept of data appropriate for use takes on a new definition. Looking at the SPIFD methodologies and FDA guidelines, data “appropriateness” should be understood as a selection process based on two specific parameters: reliability and relevance. Reliability does not refer to the substantive content itself, but rather to the technical reliability of the source; the researcher must prove that the data is consistent and complete. Relevance, in turn, requires the researcher to answer the question of whether the dataset (often derived from real-world data) actually represents the target population and contains the variables necessary to answer a specific clinical question.

9. Lifecycle Management. Risk-based quality management systems are implemented throughout the AI technology lifecycle, specifically to identify, assess, and respond to emerging issues. AI technologies are subject to planned monitoring and periodic reassessment to ensure their proper functioning, for example, in the context of changes in input data. Therefore, we are not talking about a single validation, but rather continuous oversight.

10. Clear and meaningful information. Results generated by AI should be presented in a simple and understandable way, so that users and patients can truly understand their meaning, significance, and limitations. In this context, a reference to Article 13 of the AI Act, which explicitly imposes the requirement of transparency, may be helpful. The regulation requires specific parameters to be shared, while the EMA/FDA principle emphasizes language and communication. How is “clear language” understood? This is not an empty phrase, but a specific requirement based on standards such as ISO 24495-1 (Plain Language). In pharmaceutical and clinical practice, this means moving away from hermetic vocabulary toward messages accessible to the “average citizen.” Not only is style important, but also the structure of the text itself. More specifically, long, complex texts should be avoided. Instead, it is recommended to use short sentences, preferably in the active voice rather than the passive. Ultimately, clarity of communication comes down to explaining what a given result means in practice, at this moment, in the given case.

The above analysis aimed to dissect the general EMA/FDA principles and demonstrate the specific technical and legal requirements underlying each term. This is an attempt to clarify the general terminology and demonstrate that each of these 10 principles has a technical equivalent that must be met for an AI model to be considered safe and reliable in a regulated environment.

| Principle | Explanation |
| --- | --- |
| 1. Human-Centered Design | Moving from ethics to practice (Trustworthy AI); the system must support human decision-making (Human-in-the-loop) and be resilient to attacks and errors. |
| 2. Risk-based approach | Classification of the system under the AI Act; the scope of validation and oversight depends on whether the AI is a critical “safety element” of the medicinal product. |
| 3. Compliance with standards | Combining the new legal framework with classic pharmaceutical practices: GxP, ICH and ISO standards to ensure full legality and quality. |
| 4. Clear context of use | Obligation to document intended use (ISO/IEC 42001); precise definition of where the model’s competence ends and the risk of error begins. |
| 5. Multidisciplinary expertise | Collaboration between IT, medicine and law as a filter for GPAI models; guaranteeing that the technical result will be correctly interpreted clinically. |
| 6. Data and documentation management | Maintaining data integrity according to ALCOA++; full audit trail allowing for the replication of every decision and model modification. |
| 7. Design and development of practice models | Moving from black boxes to explainability (XAI); using GAMP 5 engineering and MLOps post-implementation monitoring. |
| 8. Risk-Based Performance Assessment | Testing for resistance to data errors (Art. 15 AI Act) and selecting data in terms of their reliability and relevance to the patient population. |
| 9. Lifecycle Management | Replacing one-time validation with continuous supervision; systematically detecting model quality degradation (drift) in real time. |
| 10. Clear and relevant information | Translating statistics into Plain Language (ISO 24495-1); using short active sentences to facilitate quick medical decisions. |

Full text of FDA and EMA Guidelines can be accessed here:

www.ema.europa.eu/en/documents/other/guiding-principles-good-ai-practice-drug-development_en.pdf

Sources:

European Medicines Agency & US Food and Drug Administration. (2026, January 14). Guiding principles of good AI practice in drug development (EMA/FDA joint principles). European Medicines Agency.

High-Level Expert Group on Artificial Intelligence. (2020). Assessment List for Trustworthy AI (ALTAI). European Commission.

Guidelines on prohibited artificial intelligence practices established by Regulation (EU) 2024/1689 (AI Act).

Jędrzejczyk Maria (ed.), Szoszkiewicz Lukasz (ed.), Wydra Jędrzej (ed.), AI Act, Artificial Intelligence Act. Commentary

Quanticate, The ALCOA++ Principles for Data Integrity in Clinical Trials, August 28, 2025.

Explainable AI (XAI) – the key to understanding artificial intelligence, Kasia Szczesna. 05.12.2024.

IQVIA, Blog: Understanding AI, Data and Human Interaction in Pharmaceutical Development, Mike King, Senior Director of Product & Strategy, IQVIA, 06/02/2024.

National Library of Medicine – The Structured Process to Identify Fit-For-Purpose Data: A Data Feasibility Assessment Framework.
