RCI · Triage process

Regulatory & Compliance Intelligence: Triage logic for AI use cases

Short version: RCI structures the preliminary assessment of AI use cases in pharma and MedTech. Its core is risk-based triage that combines structured use case data, semantic text analysis, regulatory retrieval and continuous monitoring. The solution does not provide autonomous approval; it provides a traceable, auditable decision basis for Compliance, Legal, Privacy, Medical Affairs and QA.[1-6]

1. Use Case Intake

Collection of purpose, target group, data categories, countries, vendor, output type, channel and possible intended medical purpose.[1-5]

Purpose · Data · Context

2. Preprocessing

De-identification, coding of structured features, semantic preparation of the description and checks for missing mandatory information.[2,6,12]

De-ID · Semantics · Completeness

3. Risk Classification

A rule- and model-supported preliminary assessment of structured and semantic features classifies the use case as low, medium or high risk and names the affected regulatory domains. The output follows EU AI Act risk categories and relevant sectoral requirements; XAI and rationale elements support review traceability.[1,3-6,9]

Rules · Model · XAI

4. Regulatory Retrieval

RAG can retrieve relevant standards, guidance and internal policies and prepare a source-bound rationale with proposed controls; the expert assessment remains part of the review.[7,8]

RAG · Sources · Controls

5. Expert Review & Memo

Compliance, Legal, Privacy, Medical Affairs and, where relevant, QA review the draft memo, risk class, sources and need for escalation. Monitoring can include sources such as EUR-Lex, the European Commission, EMA and BfArM. Relevant changes trigger review, re-validation and updates to triage rules; retraining is indicated only when there is validated need.[1,3,5,11,12,14]

Expert Review · Sources · Monitoring

LOW RISK

Standardized governance

  • Internal tools with no direct patient or HCP impact
  • Standard controls, documentation and monitoring
  • Release possible via defined compliance role

MEDIUM RISK

In-depth examination

  • HCP communications, CRM, marketing or personal data
  • Reviewed by Legal, Privacy and Medical Affairs
  • Conditions, adjustments or escalation possible

HIGH RISK

Escalation & formal control

  • Patient-related use, clinical decision support or medical purpose
  • Expanded requirements for risk, data, transparency and human oversight
  • No release without a qualified human decision

Closed-Loop Governance

RCI is designed as a continuously updateable governance system: classification, regulatory references, expert overrides, monitoring signals and performance metrics feed into rule maintenance, model calibration, re-validation and, where required, retraining.[1,6,11,12]

Audit Trail

  • Input data, data version and model version
  • Uncertainty, rationale elements and risk class
  • Regulatory sources and RAG hits
  • Change signals, re-validation and final decision

Risks & Mitigation

  • Underclassification: HIGH-class recall as primary metric, escalation thresholds[1,3,5,6]
  • Bias: distribution audits, fairness checks, subgroup analysis[6,9,10]
  • Automation bias: DRAFT marking, uncertainty display, review and override documentation[11,12]
  • Regulatory drift: source monitoring and re-validation triggers[1,12]
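
A sketch of how the tier criteria, the escalation thresholds against underclassification and the audit-trail fields can fit together. This is an added example, not RCI's own code. The flag names, the mandatory-field list, the 0.8 confidence threshold and the "take the stricter of rules and model" combination are assumptions made for illustration.

```python
import hashlib
import json

TIERS = ["LOW", "MEDIUM", "HIGH"]
# Hypothetical intake flags that mirror the page's tier criteria.
HIGH_FLAGS = {"patient_related", "clinical_decision_support", "medical_purpose"}
MEDIUM_FLAGS = {"hcp_communication", "crm", "marketing", "personal_data"}
REQUIRED = ("purpose", "flags", "countries", "vendor")  # assumed mandatory fields


def rule_tier(flags):
    """Deterministic tier from structured intake flags."""
    if flags & HIGH_FLAGS:
        return "HIGH"
    return "MEDIUM" if flags & MEDIUM_FLAGS else "LOW"


def triage(case, model_tier, confidence, versions, min_confidence=0.8):
    """Return a DRAFT audit record; the final decision stays with the reviewer."""
    missing = [k for k in REQUIRED if k not in case]
    by_rules = rule_tier(set(case.get("flags", [])))
    # Never let the model pull a case below what the rules say.
    tier = max(by_rules, model_tier, key=TIERS.index)
    rationale = [f"rules={by_rules}", f"model={model_tier}@{confidence:.2f}"]
    # Escalation threshold: low confidence or incomplete intake moves one tier up.
    if tier != "HIGH" and (missing or confidence < min_confidence):
        tier = TIERS[TIERS.index(tier) + 1]
        rationale.append("escalated: low confidence or missing mandatory fields")
    canonical = json.dumps(case, sort_keys=True).encode()
    return {
        "status": "DRAFT",
        "risk_class": tier,
        "rationale": rationale,
        "uncertainty": round(1 - confidence, 3),
        "missing_fields": missing,
        "input_sha256": hashlib.sha256(canonical).hexdigest(),
        "data_version": versions["data"],
        "model_version": versions["model"],
        "qualified_human_decision_required": tier == "HIGH",
    }


if __name__ == "__main__":
    # Constructed sample intake, not real data.
    case = {"purpose": "campaign copy drafting", "flags": ["marketing"],
            "countries": ["DE"], "vendor": "ExampleVendor"}
    versions = {"data": "d-001", "model": "m-001"}
    print(json.dumps(triage(case, "MEDIUM", 0.55, versions), indent=2))
```

The record carries the input hash and both version identifiers so a reviewer can tie a later override or re-validation back to exactly what was assessed.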

Performance & Validation

  • HIGH-class recall, precision, Macro-F1 and misclassification analysis
  • Calibration metrics where probabilistic scores are used
  • Citation accuracy and hallucination rate for RAG outputs[7,8]
  • Hold-out test, cross-validation and external expert assessment[12,13]

Responsibilities

  • Provider/manufacturer: design, validation, technical documentation, monitoring
  • Deployer/operator: appropriate use, human oversight, organizational controls
  • Expert: professional responsibility for the signed decision
  • Principle: responsibilities depend on role, control, use context and applicable legal framework.[1,3,14]

Core of the triage logic: The more an AI use case touches clinical decisions, patient safety, personal data or regulatory-protected communication spaces, the higher the requirements for evidence, validation, documentation, monitoring and human control.[1-6,11,12]

Validation Strategy

Multi-level: internal technical validation, clinical-regulatory expert assessment, subgroup and robustness analysis, continuous monitoring after deployment.[1,6,9,12,13]

Expected Outcomes

The intended outcomes are faster compliance triage, more consistent risk assessment, better traceability, earlier escalation of critical use cases and the development of a longitudinal compliance dataset. Actual benefit must be measured in piloting and operation.

Management Implication

RCI can reduce manual pre-audit effort and support scalable AI governance. Its strategic value lies in standardization, auditability and regulatory responsiveness.

Sources & Basis:
  1. European Parliament, Council of the European Union. Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence. Official Journal of the European Union. 2024 Jul 12;L2024/1689.
  2. European Parliament, Council of the European Union. Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing of personal data and on the free movement of such data. Official Journal of the European Union. 2016 May 4;L119:1-88.
  3. Aboy M, Minssen T, Vayena E. Navigating the EU AI Act: implications for regulated digital medical products. NPJ Digit Med. 2024;7:237. doi:10.1038/s41746-024-01232-3.
  4. Gilbert S. The EU passes the AI Act and its implications for digital medicine are unclear. NPJ Digit Med. 2024;7:135. doi:10.1038/s41746-024-01116-6.
  5. Niazi SK. Regulatory perspectives for AI/ML implementation in pharmaceutical GMP environments. Pharmaceuticals. 2025;18:901. doi:10.3390/ph18060901.
  6. Lekadir K, Quaglio G, Tselioudis Garmendia A, Gallin C. Artificial intelligence in healthcare: applications, risks, and ethical and societal impacts. Brussels: European Parliamentary Research Service; 2022. Available from: https://www.europarl.europa.eu/thinktank/en/document/EPRS_STU(2022)729512.
  7. Yang R, et al. Retrieval-augmented generation for generative artificial intelligence in health care. NPJ Health Syst. 2025;2:2. doi:10.1038/s44401-024-00004-1.
  8. Nishisako S, Higashi T, Wakao F. Reducing hallucinations and trade-offs in responses in generative AI chatbots for cancer information: development and evaluation study. JMIR Cancer. 2025;11:e70176. doi:10.2196/70176.
  9. Yang Y, Lin M, Zhao H, Peng Y, Huang F, Lu Z. A survey of recent methods for addressing AI fairness and bias in biomedicine. J Biomed Inform. 2024;154:104646. doi:10.1016/j.jbi.2024.104646.
  10. Obermeyer Z, Powers B, Vogeli C, Mullainathan S. Dissecting racial bias in an algorithm used to manage the health of populations. Science. 2019;366(6464):447-453. doi:10.1126/science.aax2342.
  11. Olawade DB, et al. Human in the loop artificial intelligence in healthcare: applications, outcomes, and implementation challenges. Int J Med Inform. 2026;213:106362. doi:10.1016/j.ijmedinf.2026.106362.
  12. Palama V, Kadiri C, Babarinde AO, Nwanze J, Adekoya AF, Ejuone OG. Auditing and monitoring artificial intelligence systems in healthcare: a multilayer framework for bias detection, explainability, and regulatory compliance. Cureus. 2026;18(3):e104547. doi:10.7759/cureus.104547.
  13. Collins GS, Reitsma JB, Altman DG, Moons KGM. Transparent Reporting of a multivariable prediction model for Individual Prognosis Or Diagnosis (TRIPOD): the TRIPOD statement. Ann Intern Med. 2015;162:55-63.
  14. Chau MT, Spuur KM, White S, et al. Malpractice in the machine age: legal and ethical responses to machine learning in medical imaging. Radiography. 2026;32:103339. doi:10.1016/j.radi.2026.103339.

Disclaimer

This material was prepared with the greatest care. It does not replace legal, medical or professional advice. No warranty for completeness or timeliness.

AI-assisted creation

Parts of this document were created with the support of generative AI and editorially reviewed. This content is not a substitute for legal, medical or professional advice. (EU AI Act Art. 50)