In Infodesk’s latest Regulatory Forum session, “The evolution of quality intelligence activation,” we picked up a conversation that started at the RAPS Regulatory Intelligence Conference in Baltimore in March. That discussion — summarized here — explored how quality intelligence is maturing from an inspection-readiness function into a strategic capability for enterprise regulatory risk management. This webinar went a level deeper and more practical, walking through the real, end-to-end quality intelligence workflow: detection, triage, impact assessment, and closure, and where AI genuinely fits into each stage today. The webinar had over 200 registrations of quality and regulatory intelligence professionals from life sciences organizations.  

Featuring: 

  • Salahi Gorus, Commercial Director, Infodesk (host) 
  • Barbara Bovy, Head Quality Intelligence & QMS, UCB 
  • Lo Ann Thomas, Senior Director Global Regulatory Intelligence, AstraZeneca 

Both panelists have deep, hands-on experience running quality and regulatory intelligence functions at global pharmaceutical organizations, and the conversation moved quickly past theory into the operational realities: how updates get detected, who owns triage, how AI is actually being used today, and where the “build vs. buy” debate lands in 2026. 

The discussion focused on the main workflow which is common to the panelists involved.  Here are the key takeaways. 

 

  1. There’s a common regulatory ecosystem workflow

 

Although different teams manage the end-to-end regulatory and quality intelligence workflow there is a typical workflow that we have derived through our experience working with a multitude of life sciences customers. The webinar focused on each aspect from detection of the regulatory intelligence or the regulatory update itself, from triage to closure of an impact assessment. 

Fig 1: Quality Regulatory Intelligence Workflow - From detection of a Regulatory Update through triage, impact assessment, SOP and CAPA
Fig 1: Quality Regulatory Intelligence Workflow – From detection of a Regulatory Update through triage, impact assessment, SOP and CAPA

  1. Detection is still a largely manual, human-driven process

Both organizations rely on structured but manual surveillance for the major health authorities, supplemented by international market teams tracking their own local regulators. 

“We do have a central group that I actually sit in. There are individuals responsible for looking at what we call the major markets… they do the manual surveillance, right? Going out to these health authority websites, looking for guidances that potentially have impact to our business.” — Lo Ann Thomas, AstraZeneca 

UCB follows a similar model but organizes by GxP area, with dedicated owners for regulatory intelligence and a separate, more limited scope for inspection intelligence, largely centered on the FDA given its relative transparency around 483s and enforcement data. 

“The flow is quite similar between Reg Intel and Inspection Intelligence… we really want to mimic what is relevant to the operations.” — Barbara Bovy, UCB 

 

  1. Spreadsheets and email are still common — and both panelists are actively moving away from them

Excel (Spreadsheet) and SharePoint trackers and copy-paste-into-email workflows remain widespread across the industry, but both speakers were candid about the risk this creates, especially around continuity when an individual leaves or goes on leave. 

“What we discovered very early on with the Excel sheets that we were using is that we are not able to maintain the oversight that we needed, just because the volume of regulation is really increasing every year… as soon as possible, if it’s possible for any company, I would move away from the Excel sheet and the copy-pasting in the emails.” — Barbara Bovy, UCB 

AstraZeneca described a similar evolution away from disparate, homegrown tracking tools built by individual teams. 

“These little sort of homegrown groups… you don’t even have transparency across the organization, what’s going on. So we decided several years ago we needed to bring this all together.” — Lo Ann Thomas, AstraZeneca 

 

  1. Maintaining an accurate subject matter expert (SME) list is harder than it sounds

Routing an update to the right SME depends on having an up-to-date map of who owns what — and both panelists said this is a constant maintenance burden as people change roles or leave the organization. 

“It’s very hard to maintain that list, I need to say, because it is a large organization. People come and go, they don’t tell you they’ve left or they’ve changed roles, and then you’ve got to find someone to replace them.” — Lo Ann Thomas, AstraZeneca 

UCB maintains SME lists per topic across the organization, with the strongest coverage in GMP, and sees AI’s future role primarily as automating the routing logic once metadata is captured. 

“Where I would see that AI could help in the future is really in automating the routine based on certain metadata… if a certain topic is detected, then we could immediately route it to the SME who is assigned that topic.” — Barbara Bovy, UCB 

 

  1. AI’s current value is in summarization and metadata — not judgment

Both organizations are using or exploring AI to accelerate the front end of triage — quickly surfacing what a regulatory update is about and which function it likely affects — but neither is letting it make the call. 

“AI is there helpful pulling summaries together, right? Someone still really needs to read that guidance document… I would not expect an SME to just read an AI summary and go off and say this is solid and this change needs to be made.” — Lo Ann Thomas, AstraZeneca 

UCB is already using AI-generated summaries operationally to speed up triage, but keeps a human decision point firmly in place before anything moves downstream. 

“It’s a judgment call by a human, but the AI would propose you some metadata based on the different topics identified.” — Barbara Bovy, UCB 

Bovy also noted why the risk of an early-stage AI error feels manageable: any mistake in an initial AI summary gets caught later when the SME reviews the source document directly, so the cost of an AI misstep is time, not compliance exposure. 

 

  1. UCB is piloting a shift in accountability — from the Quality team chasing SMEs, to functions owning the signal

Historically, Quality teams have driven the process of chasing SMEs for input. UCB is testing a model that flips this: assigning ownership of a regulatory signal directly to the affected business function, with quality shifting into a coordination and governance role. 

“We are piloting is that we are assigning directly the function as the lead for the signal… quality is just there, coordinating the governance and the structure… but the functions, the business is really the one who is leading the assessment themselves.” — Barbara Bovy, UCB 

The rationale: when three people are all nominally assigned to review something, everyone assumes someone else will pick it up. Assigning accountability to a function, with one coordinator per function, closes that gap. 

 

  1. Chasing SME responses remains one of the most persistent operational headaches

Even with a clear process on paper, getting SMEs to actually complete their impact assessments in a timely way is a recurring struggle — and automated reminders aren’t necessarily the fix. 

“You can have automation built into a system to remind people, but I’ve also found that those notifications really annoy people… it’s a lot of continuously, let’s say, handheld, to handheld people.” — Lo Ann Thomas, AstraZeneca 

Thomas noted this ultimately falls back on the intelligence team’s own accountability: identifying a signal is only the first half of the job — following through until it’s actually closed is the other. 

 

  1. The “build vs. buy” debate keeps coming back to maintainability

This question — a continuation of a discussion first raised at the last RAPS Regulatory Intelligence Conference in March— resurfaced directly in this session. Both panelists agree that building a proprietary system in-house carries a real long-term risk, even if it feels attractive up front. 

“What I have seen in the past with these systems built internally is trying to maintain them, trying to find the people that first built them and how they operate… people come and go. So I think it’s very hard to internally maintain a system, especially these legacy systems when technology is changing so quickly.” — Lo Ann Thomas, AstraZeneca 

UCB has taken an even firmer position, choosing to delegate the technology layer entirely to a vendor so internal resources can stay focused on the human side of the process. 

“Honestly, I don’t believe that it is our expertise to build and customize such platforms or systems… we prefer to delegate it to a vendor, so we could be relieved of those aside activities.” — Barbara Bovy, UCB 

 

  1. Where to draw the GxP validation line is still genuinely unsettled

One of the liveliest exchanges of the session centered on whether the surveillance and tracking system itself needs to be treated as a GxP-validated system, or whether that requirement only kicks in once a change is actually implemented. 

“We don’t consider that a GXP system. It’s what is that impact… documenting any necessary change within the appropriate system. That’s where the GXP part takes place.” — Lo Ann Thomas, AstraZeneca 

Bovy agreed in principle but noted UCB is actively debating this internally, particularly as it considers connecting its intelligence platform directly to its documentation management system. 

“What will be important to prove to an inspector is that you have been compliant on the date when the regulation became effective. That’s the most important. However… where I see the need to do the validation… that’s what we are currently discussing in UCB.” — Barbara Bovy, UCB 

 

  1. “Just use free AI” isn’t a serious option for regulated organizations

Asked directly whether teams could simply substitute free, consumer AI tools for a purpose-built system, both panelists were unambiguous. 

“We don’t want to go out and train these open models with our data either, right? So it’s something that internally we need to control as a company.” — Lo Ann Thomas, AstraZeneca 

Bovy added that while leadership sees the potential for AI to reduce headcount pressure, it isn’t a substitute for the governance and human oversight the process requires. 

“AI could really help us reduce the number of FTEs that are engaged in this. I think it can facilitate, however, it will not replace the proper impact assessment… you will still need this human touch in the loop.” — Barbara Bovy, UCB 

 

  1. Team sizes vary widely, and are shifting as scope expands

AstraZeneca runs global-market surveillance (FDA, EMA, ICH, WHO, MHRA) with three people rotating responsibility, supplemented by dedicated staff in international markets. UCB is in the middle of expanding scope from GxP-only to full corporate regulatory intelligence, which is reshaping its headcount model. 

“We have 10 FTEs across the organization, but most of them are not… it would be 25 people, more or less, working part time on the Reg Intel.” — Barbara Bovy, UCB

 

  1. Poll results

Q1) How does your organization primarily track regulatory updates and the actions arising from the today?

38% – SharePoint or a shared document repository
23% – Excel spreadsheets or shared trackers
21% – A dedicated regulatory intelligence platform (like Infodesk)
17% – Email and manual copy-paste from agency sites

Q2) Where does your process slow down the most, from update to documented impact assessment?

54% – Completing the impact assessment
22% – Linking it through to SOP changes and CAPA
15% – Getting it to the right SME
6% – Detecting the update in the first place

Q3) If an inspector asked you to demonstrate traceability from a regulatory update to the resulting SOP change, how confident would you be?

54% – Somewhat, but it would take effort to pull together
21% – Not confident, the trail is fragmented
15% – Very confident, it is fully documented and linked
9% – We could not reliably show it

 

In summary: activation, not just monitoring 

Taken together, these takeaways echo the theme that ran through the RAPS panel back in March: intelligence only creates value once it travels the full distance from signal to decision to visible operational change. What this session added was the practical texture — the SME lists that are hard to keep current, the notification fatigue, the build-vs-buy calculus, and the genuinely unresolved question of where GxP validation begins. AI is already helping teams move faster at the front end of that journey, but every panelist was consistent: the human in the loop isn’t going away, and organizations that try to skip it are taking on risk they can’t fully see. 

 

How Infodesk helps 

At Infodesk, we’re human first, always. We use AI to elevate human judgment, not to replace it — because in high-pressure, inspection-ready environments, explainability matters as much as speed. 

Infodesk’s regulatory and quality intelligence activation framework is built around the same three stages this panel described in practice: 

  1. Observation — continuous, automated regulatory sensing across health authorities, guidance, enforcement, and safety sources, reducing the manual surveillance burden described above. 
  2. Interpretation — agentic AI with humans in the loop, helping teams triage and summarize updates consistently, without removing the SME’s role in reading the source document. 
  3. Activation — turning insight into a documented, auditable impact assessment through the Infodesk Regulatory Workflow Solution, which centralizes updates, routes them to the right SMEs, and tracks decisions and timelines end to end. 

If your team is wrestling with any of the challenges raised in this session — SME routing, chasing responses, or deciding how far to take AI in a validated environment — talk to us. 

Watch and listen to the webinar in your own time: Download the on-demand video