//AI SECURITY & GOVERNANCE

Navigate the AI Governance Landscape in Healthcare and Life Sciences

EU AI Act. FDA AI/ML SaMD. EU MDR. MHRA. The regulatory requirements for AI in healthcare are complex, overlapping, and moving fast. Periculo provides specialist AI security and governance consulting to help medtech companies, pharma organisations, and health systems deploy AI responsibly — and pass the scrutiny that comes with it.

The AI Regulatory Landscape in Healthcare

Three converging regulatory frameworks are reshaping AI deployment across healthcare and life sciences. Understanding how they interact is critical for any organisation developing or deploying AI in clinical environments.

EU AI Act — August 2027 Deadline

High-risk AI systems used in clinical decision-making must achieve full EU AI Act compliance by August 2027. When combined with EU MDR obligations for AI-enabled medical devices, this creates a dual compliance challenge that requires coordinated technical documentation and conformity assessment. MDCG 2025-6 clarifies the interplay but satisfying EU MDR does not equal EU AI Act compliance.

FDA AI/ML SaMD — Total Product Lifecycle

The FDA's framework for AI and ML-based Software as a Medical Device establishes cybersecurity and governance requirements throughout the full product lifecycle. Premarket submissions require a cybersecurity management plan, threat model, and security architecture documentation. Post-market requirements include ongoing surveillance and change management for adaptive AI systems.

MHRA & NHS — UK Market Requirements

The MHRA is developing a dedicated AI as a Medical Device framework for the UK market. NHS procurement requirements now explicitly gate on AI governance documentation — 'governed AI' is increasingly a deciding factor in NHS supplier selection. Digital health companies selling into UK health systems need governance frameworks that satisfy both MHRA and NHS procurement expectations.

GxP & ICH — Pharma AI Governance

Pharmaceutical organisations deploying AI in drug discovery, clinical trials, and pharmacovigilance must satisfy GxP validation requirements, ICH E6(R3) obligations, and the EU AI Act's high-risk classification for clinical trial AI. These frameworks were not designed for adaptive AI systems and require specialist interpretation to implement proportionately.

EU AI ACT & EU MDR

FDA AI/ML SAMD

PHARMA & LIFE SCIENCES

HEALTH SYSTEMS

AI SECURITY TESTING

EU AI Act + EU MDR Compliance

We support medtech companies through gap assessment against both EU MDR and EU AI Act simultaneously, technical file documentation, conformity assessment preparation, and notified body engagement. We map the MDCG 2025-6 interplay specifically to your device and AI system.

MDR compliance does not equal EU AI Act compliance. The evidence requirements are different and must be addressed in parallel — starting now if you have a 2027 deadline in scope.

We produce the AI-specific technical documentation required under Annex IV of the EU AI Act and map it against your existing MDR technical file to identify gaps.

FDA Cybersecurity for AI/ML-Based SaMD

We support manufacturers preparing 510(k), De Novo, and PMA submissions with AI-specific cybersecurity documentation: cybersecurity management plan, threat model, SBOM, and security architecture documentation aligned to FDA's 2025 final guidance.

For adaptive AI/ML systems, we design change management and post-market monitoring programmes that satisfy FDA's Total Product Lifecycle approach — addressing the unique challenge of AI systems that update after deployment.

We provide cybersecurity documentation that FDA reviewers expect, reducing premarket submission cycles and post-market deficiency letters.

AI Governance for Pharma and Life Sciences

We build AI governance frameworks for pharma organisations that align to existing quality management systems — covering AI inventory, risk classification, validation documentation for GxP environments, and audit trail requirements.

We interpret ICH E6(R3) and EU AI Act requirements for clinical trial AI specifically — helping organisations understand what compliance looks like for AI tools used in patient selection, trial management, and pharmacovigilance.

Our frameworks are proportionate to risk and designed to integrate with existing QMS processes rather than requiring re-architecture.

Enterprise AI Governance for Health Systems

We provide enterprise AI assurance programmes for health systems deploying AI at scale — giving boards, commissioners, and risk committees the independent assurance they require. Continuous oversight, regular framework reviews, and incident response readiness.

We conduct independent AI security due diligence for health systems procuring AI from third-party vendors — assessing security posture, regulatory readiness, and governance maturity before contracts are signed.

Our assurance documentation is designed to satisfy NHS England AI Framework requirements, CQC inspection expectations, and the evidence demands of NHS commissioners.

AI Security Assessment & CREST Penetration Testing

We provide CREST-accredited AI security assessments covering threat vectors that standard penetration testing misses: prompt injection, adversarial inputs, model supply chain attacks, and AI agent attack surfaces in clinical environments.

Our assessments produce cybersecurity documentation in the format required for FDA premarket submissions, MHRA technical files, and notified body review under EU MDR — not just a penetration test report.

For AI agents operating in clinical or operational environments, we assess audit trail completeness, access controls, human oversight implementation, and kill switch design.

Frequently Asked Questions

What is the EU AI Act deadline for AI medical devices?

High-risk AI systems already on the market must achieve full EU AI Act compliance by August 2, 2027. New high-risk AI systems must comply from August 2026. Conformity assessment under both EU MDR and EU AI Act can take 18-24 months — organisations that have not started are already behind schedule.

Does EU MDR compliance cover EU AI Act requirements?

What FDA documentation is required for AI/ML-based SaMD?

How does the EU AI Act classify pharma AI systems?

What makes AI security different from standard cybersecurity?

How does Periculo differ from a generalist cybersecurity firm?