Guest Column | February 12, 2026

How To Operationalize AI-Enabled eTMF Systems Under The EU AI Act (Part 2)

By Donatella Ballerini, GCP consultant

AI, Holographic AI chip interface with European Union flag-GettyImages-2244741422

In part one of this series on AI-enabled eTMF systems, we explored how the EU AI Act reshapes the regulatory treatment of these systems. We established that the Act is not concerned with AI as a technical feature but with AI as a regulated capability — particularly when it influences how GCP compliance, oversight, and patient protection are demonstrated through the TMF.

By examining the risk-based structure of the EU AI Act and the regulatory role of the TMF as the primary evidence of trial conduct, we showed why certain AI use cases within eTMF systems — such as TMF quality risk scoring, inspection readiness assessment, and oversight prioritization — meet the criteria of high-risk AI systems, even in the absence of direct patient harm.

This second part moves from interpretation to execution. It focuses on what compliance with the EU AI Act actually requires in practice when AI is used in GCP-critical eTMF contexts. We will examine the concrete obligations imposed by the regulation, clarify the roles and responsibilities of sponsors, service providers, and technology vendors, and outline the key implementation steps needed to operationalize AI governance in a way that is both compliant and inspection-ready.

Why AI-Enabled eTMF Systems Matter Under The EU AI Act

Under the EU AI Act, this type of AI functionality would likely be considered high-risk, because it:

  • supports decisions affecting regulatory compliance
  • influences evidence related to health and safety
  • operates within a regulated healthcare and clinical research context.

The act requires:

  • documented risk management for misclassification scenarios
  • transparency about AI limitations
  • human oversight mechanisms to detect and override errors
  • continuous monitoring of AI performance.

The failure in this scenario is not just a TMF issue — it becomes an AI governance failure.

AI in eTMF does not interact with patients directly, but it governs the regulatory evidence chain through which patient safety is demonstrated, audited, and enforced. In regulated systems, control of evidence is control of compliance. AI does not need to make clinical decisions to affect patient safety.

If it shapes the evidence used to demonstrate safety oversight, it already operates in a high-impact regulatory space.

This is why AI, in this context, should not be treated as a purely administrative enhancement. It should be governed with the same seriousness as other systems that support GCP-critical processes.

Compliance Requirements Under The EU AI Act (High-Risk Systems)

So now, if you agree with me that AI eTMF systems are likely to meet high-risk classification criteria (in some use cases and context), the EU AI Act establishes a broad suite of regulatory obligations. What follows is not a checklist to be completed once but a continuous governance framework that must be embedded into an organization’s quality system and operational practices:

Risk Management System

Under the EU AI Act, organizations must establish and document a continuous life cycle-based risk management system for high-risk AI. This goes far beyond a one-time risk assessment performed during system validation.

For AI-enabled eTMF systems, this means identifying foreseeable risks such as:

  • document misclassification
  • incorrect completeness assessments
  • bias in risk scoring or prioritization
  • overreliance on AI-generated dashboards.

These risks must be assessed not only from a technical perspective but also in terms of regulatory compliance, inspection outcomes, and patient safety implications. Importantly, risk management does not end at go-live. AI behavior must be monitored over time, with defined processes to detect performance drift, emerging risks, and unintended consequences as the system is used across different studies, regions, and document types.

In practical terms, the AI risk management framework should be integrated with existing GCP risk-based oversight and quality management processes, rather than treated as a stand-alone AI initiative.

Technical Documentation And Recordkeeping

High-risk AI systems must be supported by comprehensive and structured technical documentation that enables regulators, auditors, and internal quality teams to understand how the AI system was designed, trained, validated, and deployed.

For AI in eTMF, this documentation typically includes:

  • the intended purpose and scope of each AI function
  • model architecture and versioning
  • description of training, validation, and testing data sets
  • data sources and data preparation methods
  • performance metrics and acceptance criteria
  • known limitations and residual risks.

From a regulatory perspective, this documentation plays a role similar to validation documentation for GCP-critical systems, but with additional emphasis on data provenance, algorithmic behavior, and change management. Crucially, records must be maintained over time to demonstrate traceability of changes, including model updates, retraining events, and performance recalibrations.

Transparency And Explainability

Transparency is a cornerstone of the EU AI Act, particularly for high-risk systems. Organizations must ensure that AI outputs are understandable by trained professionals, even if the underlying models are complex.

In the context of eTMF, this means that users should be able to:

  • understand why a document was classified in a certain way
  • know what criteria contribute to completeness or risk scores
  • recognize the confidence level or limitations of AI outputs.

This does not require exposing source code to end users, but it does require clear explanations, user guidance, and contextual information that prevent blind trust in AI-generated results. From a GCP perspective, transparency is essential to avoid automation bias — where users assume AI outputs are correct simply because they are automated.

Human Oversight

High-risk AI systems must always operate under meaningful human oversight. The EU AI Act is explicit: AI must support human decision-making, not replace it.

For AI-enabled eTMF systems, human oversight means:

  • clearly defined points where human review is mandatory
  • the ability for users to override AI decisions
  • escalation pathways when AI outputs raise concerns or appear inconsistent.

Oversight mechanisms must be designed intentionally, not informally assumed. Organizations must define who is responsible for reviewing AI outputs, when intervention is required, and how decisions are documented. This aligns closely with inspection expectations around sponsor oversight and accountability.

Data Governance

AI systems are only as reliable as the data they are trained and operated on. The EU AI Act, therefore, places strong emphasis on data governance, particularly for high-risk systems.

In the eTMF context, this includes ensuring that:

  • training data sets reflect the diversity of real-world TMF documents
  • regional, language, and format variations are adequately represented
  • data is accurate, complete, and free from systematic bias.

Ongoing governance is essential, as TMF content evolves over time with new trial designs, decentralized models, and regulatory expectations. Poor data governance can lead to biased AI behavior, reduced accuracy, and, ultimately, loss of regulatory confidence in AI-supported processes.

Robustness, Accuracy, And Cybersecurity

The EU AI Act requires organizations to demonstrate that high-risk AI systems are robust, accurate, and secure throughout their life cycle.

For AI in eTMF, this means showing that:

  • AI models perform consistently across studies, countries, and document types
  • accuracy remains within defined thresholds over time
  • systems are protected against manipulation, data poisoning, or unauthorized access.

Cybersecurity is particularly critical given the sensitive nature of clinical trial documentation. AI components must be integrated into the organization’s broader information security and data protection frameworks, ensuring alignment with GDPR and other applicable regulations.

Conformity Assessment

Finally, high-risk AI systems are subject to conformity assessment requirements before being placed on the EU market or put into service.

For vendors, this often involves:

  • demonstrating compliance with EU AI Act requirements
  • preparing evidence for internal or third-party assessments
  • in some cases, engaging notified bodies for independent review.

For sponsors and CROs, conformity assessment translates into due diligence and oversight responsibilities — ensuring that AI-enabled eTMF systems they procure or deploy meet regulatory expectations and are supported by adequate documentation and assurances.

The EU AI Act formalizes what regulators have implicitly expected for years: AI used in regulated clinical processes must be governed with the same rigor as the processes themselves. While the governance logic of the EU AI Act aligns with existing GxP and validation frameworks, it introduces novel regulatory objects:

  • Algorithmic decision logic as a regulated artifact
  • Training data as regulated infrastructure
  • Model drift as a compliance risk
  • Explainability as a regulatory requirement
  • AI autonomy as a governance dimension

Traditional validation frameworks were designed for deterministic systems. AI systems introduce probabilistic behavior, adaptive learning, and nonlinear outputs, which require new governance controls beyond classical CSV models.

Who The EU AI Act Applies To In The eTMF Ecosystem

Another critical aspect of the EU AI Act is that it applies to multiple actors across the eTMF value chain, not just software vendors.

Depending on their role, organizations may be classified as:

  • AI providers (e.g., vendors developing AI-enabled eTMF functionality)
  • AI deployers/users (e.g., sponsors or CROs using AI within their eTMF processes)
  • importers or distributors of AI systems.

Each role carries specific obligations. For example:

  • Vendors must demonstrate that their AI systems meet design, data governance, and risk management requirements.
  • Sponsors and CROs must ensure appropriate use, human oversight, and integration into their quality systems.
  • Contracts and vendor oversight models must be updated to reflect shared AI compliance responsibilities.

This has direct implications for vendor qualification, supplier audits, and quality agreements in clinical research.

Implementation Steps For Sponsors, CROs, And Vendors

Achieving compliance demands a systematic, enterprise-wide approach that aligns AI development practices with the regulatory architecture of the EU AI Act. The following steps form a practical implementation road map:

Step 1: Inventory and Risk Categorization

  • Identify all AI components in the eTMF system.
  • Classify each AI use case against the EU AI Act risk categories.

Deliverable: Risk classification register tied to use case purpose and potential impact.

Step 2: Establish an AI Risk and Governance Framework

  • Develop an AI risk management policy integrated with existing quality management systems (QMS).
  • Define roles and responsibilities for AI oversight (AI Governance Board or committee).

Deliverable: AI risk governance charter and life cycle process definition.

Step 3: Data Governance and Model Validation

  • Define data quality standards.
  • Implement data lineage and bias detection processes for training/validation data sets.

Deliverable: Data governance policy, data set validation reports, and bias mitigation records.

Step 4: Technical Documentation Preparation

  • Compile design specifications, algorithms, model versions, performance tests, and validation evidence.
  • Prepare clear documentation for regulatory inspection and conformity assessment.

Deliverable: AI technical file aligned with EU AI Act documentation requirements.

Step 5: Human Oversight Mechanisms

  • Build in human review points where AI outputs influence compliance decisions.
  • Establish oversight protocols and training for personnel interacting with AI modules.

Deliverable: Human oversight SOPs and training logs.

Step 6: Transparency and Explainability

  • Provide clear user guidance on AI functions, limitations, and interaction contexts.
  • Embed explainability documentation into user interfaces if appropriate.

Deliverable: User transparency disclosures and explainability documentation.

Step 7: Conformity Assessment and Certification

  • Engage notified bodies (when required) for conformity assessments.
  • Achieve CE marking where appropriate.

Deliverable: Conformity assessment reports and CE certificates.

Step 8: Monitoring and Continuous Improvement

  • Implement post-market monitoring processes to detect, report, and mitigate issues.
  • Periodically reassess risk categorization as the system evolves.

Deliverable: Post-market monitoring dashboard and audit trail.

Conclusion

The EU AI Act represents a transformative regulatory overlay that elevates the governance of AI systems to the same level of rigor as that historically seen in clinical, medical, and data protection regulations. For AI-enabled eTMF systems, this means proactively classifying AI components, rigorously managing risks, and embedding compliance at every stage of the AI life cycle.

Far from being a mere compliance burden, this structured approach enhances the quality, transparency, and trustworthiness of AI-driven processes in clinical research, ultimately supporting regulatory confidence and stakeholder trust in eTMF systems powered by AI.

If your organization is deploying or procuring AI for eTMF, start risk classification and documentation now — the timeline for enforcement is already in motion, and early adoption of EU AI Act compliance frameworks will be a competitive differentiator in regulated clinical operations.

About The Author:

With over 20 years of experience in the pharmaceutical industry, Donatella Ballerini is a senior clinical quality and documentation expert specializing in GCP compliance, eTMF governance, and inspection readiness. After establishing a strong foundation in rare diseases and neonatology at Chiesi Farmaceutici, she progressed to leadership roles where she spearheaded the transition from paper to electronic TMF models and headed the GCP Compliance and Clinical Trial Administration Unit. Currently, as the head of eTMF Services at Montrium and an independent GCP consultant, she leads global consultancy in process optimization and TMF risk management. Donatella contributes to the CDISC TMF Standard Model, while also lecturing at the University of Parma and authoring several industry-leading e-books. Recently, she has expanded her impact by leading AI implementation projects to ensure the ethical and compliant adoption of new technologies within clinical operations.