A CAPA investigator opens an AI-enabled quality management system and asks for potential root causes. The system produces several plausible explanations, summarizes similar historical events, and recommends corrective actions. The investigator reviews the suggestions, selects one, and closes the record.

Months later, an auditor asks a simple question: “How did you determine this was the root cause?” The record contains the conclusion. It doesn’t contain the reasoning.

The emerging quality problem

AI is now embedded throughout commercial QMS platforms. It drafts procedures. It summarizes investigations. It identifies complaint trends. It proposes risk scores. It suggests design inputs.

Organizations are adopting these capabilities because they improve efficiency. That’s a legitimate reason. The challenge is that most quality systems were built around human-generated analysis and human-owned conclusions. The controls that govern records, approvals, and traceability were designed for a workflow where a qualified individual performed the analysis and documented the basis for their determination.

That workflow is no longer the only one operating inside most quality systems.

The gap

Traditional quality controls govern what gets documented and who approves it. They don’t establish when AI influence requires additional controls. More important, they don’t distinguish between independent human evaluation and acceptance of AI-generated output.

Those are not the same activity. A quality professional who independently analyzes complaint data and reaches a conclusion is performing a different function than one who reviews an AI-generated summary and accepts its framing. Both might produce a signed record. Only one produced the reasoning behind it.

Existing quality system controls don’t require organizations to distinguish between those situations.

Why this matters

In regulated environments, accountability doesn’t transfer to software.

When an FDA investigator reviews a CAPA, a risk assessment, a design history file, or a controlled procedure, the central question is the same regardless of what tools were used to produce the record: Who owned the decision, and what evidence supports it?

If the answer lives in an AI tool—in a session that wasn’t logged, a prompt that wasn’t preserved, or an output that was accepted without independent evaluation—the record can’t answer that question. The organization is left with a conclusion and no traceable path to the reasoning behind it.

That isn’t an AI problem. That’s a documentation and accountability problem. It’s exactly the type of finding that audit and inspection practices are already equipped to identify.

The problem isn’t AI

AI can support quality decisions. AI can accelerate analysis. AI can improve consistency across large datasets and complex investigations.

When an AI tool shapes the structure of a conclusion and that influence isn’t reflected in the quality record, the organization has created a gap between what happened and what’s documented.

The issue isn’t that AI was used. The issue is that there’s no record of how it was used, and therefore no way to demonstrate that a qualified human evaluated the output and owned the conclusion.

A practical approach

Organizations should begin by classifying AI use cases according to how much influence they have on regulated decisions.

The AI decision governance architecture (ADGA) classifies AI activity according to the degree of influence it has on regulated decisions and applies controls proportionate to that influence. Under the model, administrative uses of AI require different controls than AI outputs that influence root cause determinations, risk estimations, controlled procedures, or design decisions.

AI decision governance architecture (ADGA)

AI activities are classified into three tiers based on their relationship to regulated decision-making: efficiency, innovation, and boundary. As AI influence increases, additional controls are applied to preserve accountability, traceability, documented rationale, and inspection defensibility.

The objective isn’t to restrict AI use. It’s to ensure that documentation and accountability increase as AI influence over regulated decisions increases.

An AI tool that formats a document or generates a meeting summary creates control requirements different from one that produces root cause recommendations, assigns risk ratings, or suggests design inputs.

As AI influence increases, documentation and accountability requirements should increase proportionally.

What quality leaders should do now

The starting point is understanding where AI is already influencing quality.

Identify the AI-enabled functionality already present in the QMS, not just stand-alone tools, but also features embedded in existing platforms.

Once the inventory exists, map each use case to the activities it touches: CAPA investigations, risk management, document control, and design controls. For each one, determine whether AI outputs are being accepted into quality records without documented independent evaluation.

The foundation already exists: Under 21 CFR 820 and ISO 13485, organizations are expected to maintain documented processes, assigned responsibilities, and records sufficient to demonstrate traceability and justify quality decisions. Those expectations apply to AI-influenced decisions as directly as they apply to any other.

The real question

The question facing quality organizations is no longer whether AI belongs inside the QMS.

It’s already there.

The question is whether the organization can demonstrate who owned the reasoning behind the decisions AI helped shape. In regulated systems, conclusions are easy to document. 

Reasoning is what must be defended.