Reflections | KENX AI in GxP 2026 | San Diego, CA
By Dori Gonzalez-Acevedo, Founder & CEO, ProcellaRX
I have been using the artichoke as a teaching model for years. Cross-section an artichoke and what you see is a layered architecture, each layer dependent on the one beneath it, all of them protecting a heart that only becomes accessible once the outer layers are properly developed. You cannot reach the heart by yanking at the outermost leaf. You have to build your way in.
The industry's relationship with AI looks exactly like someone trying to eat an artichoke from the outside in.
I walked into KENX AI in GxP West as the moderator of the morning's industry panel. I walked out with confirmation of what I already suspected: the conversations are sharp, the talent is real, and the industry keeps reaching for the outer leaf — the tool, the platform, the use case — without asking whether the heart is ready to support it.
Let me be more specific.
The room held 127 practitioners, executives, and vendors from GSK, BMS, Gilead, Moderna, AstraZeneca, Thermo Fisher, Abbott, and more. The conversations were sharp. The energy was real. And the same thesis kept surfacing from every corner — in every session, in every hallway — phrased differently each time but pointing at the same truth:
The outer leaf of the artichoke is visible, accessible, and easy to grab. AI tools, platforms, use cases, they are everywhere! What is harder to build, and what nobody is selling you, is the heart: the governance design, the process maturity, the curated data foundation and most importantly the quality decisions from leadership that makes any of those tools defensible once a regulator asks you to explain how they work.
Colby Ford from Tuple said it from the data infrastructure side: asking an AI agent to "please don't share PII" in a prompt instruction is not governance. That's asking it nicely. Real governance is enforced by policy, by evaluators, by controls that explicitly block behavior, not by courtesy.
Our own, Staci Spencer, VP of Quality at ProcellaRX, said it from the quality maturity side: if your process maturity is sitting between Level 1 and Level 2, your AI maturity will never reach Level 4 or 5. There is a dependency. The ceiling on your AI ambition is set by the floor of your process discipline. You cannot automate what you haven't standardized.
The companies getting this wrong are the ones that haven't answered the most fundamental question on the table. Are you in the business of developing therapies — or are you in the business of the data that makes those therapies possible? Because the answer determines everything about how you govern AI.
I moderated the first mornings panel: Harness the Momentum: Advancing AI Across the GxP Ecosystem with Tim Roy Kirkelie (GenariAI), Ankita Mishra (Evinova/AstraZeneca), Bhaskar Arya (BMS), and Mike Salem (Gilead).
About forty minutes in, Tim used the word "trust." I stopped him.
"Everyone has to define what they mean by trust."
Tim's answer came from years of auditing, and from co-founding GenariAI with the experience of watching ML tools outlive their original context. Trust is trust and verify: you take people at their word, you take vendors at their word, but you go in and prove it. The harder question for AI, Tim noted, is what you do when the system has become someone's "baby" embedded in the organization for years, no one willing to replace it, governance built around protecting the tool rather than interrogating it. That institutional attachment is where trust stops being rigorous and starts being comfortable. Ankita's was accountability-driven: trust is knowing your responsibility to your customer and reflecting that in your product. Bhaskar's was the most technically precise: trust in an AI model is not the same as trust in a validated deterministic system. With a traditional system, you expect the same output from the same input every time. With a probabilistic model, you define acceptance thresholds, and you justify why the model's decisions fall within them consistently. Human-in-the-loop is a mechanism, not a definition of trust. Mike split the question entirely: there is trust in your people, and there is trust in your model, and those require completely different validation approaches.
Four panelists. Four definitions. All of them correct for their context. All of them different.
That is the problem.
We have built a regulatory ecosystem on shared language that isn't actually shared. "Trust," "validation," "risk-based", these words mean different things to a quality director at a cell therapy company than they mean to a data scientist who came from defense and has been building ML systems for fifteen years. When we layer AI on top of that semantic gap, it becomes a governance gap. And governance gaps become 483s.
My challenge to every organization in that room and every organization reading this: define what trust means before you buy another tool.
There has been significant industry anxiety about an FDA enforcement action that some have been circulating as an AI cautionary tale.
I want to be direct: that action had nothing to do with AI.
I was at ISPE in Copenhagen three weeks ago. FDA said it explicitly, on stage: the citation was a GMP baseline failure. AI was cited in the 483 as a footnote essentially, not as the cause. The organization did not have foundational GMPs in place at ALL. That is what the regulators found. AI was incidental.
Bhaskar Arya reinforced this from the BMS perspective: the organizations succeeding at AI adoption are the ones that included quality as a design partner from the beginning, not a gatekeeper at the end, not a reviewer after the fact. A design participant.
A Case Study in Automation Theater
I will not name the presenter or the company. But there was a session in the afternoon that illustrated, in real time, the most dangerous pattern I see in this industry right now: AI applied (in theory) to a problem that the existing validated system already solves, that they have NOT yet fixed.
The use case was AI-enabled batch record review in an MES environment.
I interrupted with a question. If your MES is correctly configured, where exactly are you inserting the AI? A properly validated, properly configured MES already enforces field-level logic. It flags out-of-range values. It controls what a user can enter. It was built and validated to do exactly this. So what is the AI doing that the system isn't already doing?
The honest answer, when we worked down to it: the objective is they want remove the human reviewer.
That is a legitimate goal. But the criteria for replacing a human reviewer is equivalency or better, and you cannot establish equivalency without a baseline. When I asked what the current human accuracy baseline was, the answer was approximate, I would be surprised if they truly calculate it, I have seen many large pharma testing center of excellence and none that I'm aware of go to this level of discretion in testing.
You cannot govern what you have not measured. You cannot claim AI improvement without knowing what you are improving from. And you cannot validate an AI system whose acceptance criteria are based on a performance floor you have never formally established.
This is automation theater: the appearance of AI-driven innovation layered on top of a system that, if properly implemented from the beginning, would have made the AI layer unnecessary.
Chris Ferrell, CTO of Valkit.ai, put the structural version of this problem precisely in his afternoon session. He drew a hard line between two architectures: AI as the system, where the model holds the business logic, decisions live in the conversation rather than a system of record, and a regulator asking you to reproduce an output has nowhere traceable to point, and system-driven AI, where structured data and workflows live independently, AI reads context and generates output, and every result traces back to a real record in the system.
The industry needs to get sharper at the foundational question: not can AI do this? but does this problem actually require AI to solve it, and if so, where does the intelligence actually live? Use case rigor is not a nice-to-have. It is the difference between defensible transformation and expensive decoration.
Compliance as Code: From Documents People Interpret to Rules Systems Execute was delivered by our own Staci Spencer, VP of Quality at ProcellaRX. I am proud of what she put in front of that room.
Compliance as Code is ProcellaRX's framework for the transition the industry knows it needs to make but hasn't yet operationalized. Staci laid out the five-stage maturity arc we use with clients:
The insight that the room needed to hear: AI maturity is ceiling-capped by process maturity. The industry has been attempting to skip rungs on the ladder, deploying autonomous systems on top of fragmented, undocumented, or inconsistent processes, and wondering why the results don't hold.
Staci also named the Gartner hype cycle honestly. Life sciences as an industry is in the trough of disillusionment. Not because AI failed to deliver. Because organizations have not done the iterative work to integrate it into actual operations. The enthusiasm was real in 2023. The friction is real in 2026. The productivity gains are coming but only for organizations willing to do the unsexy foundational work first.
Three decisions for transformation: discard the legacy and the familiar; collaborate across SMEs and tools iteratively; unify your processes, because AI needs a linear, escalating decision structure to interpret risk correctly. Otherwise you have built a beautiful pipeline that terminates in ambiguity.
That is what ProcellaRX helps organizations build through.
The best demonstration of the day's thesis did not come from a governance framework or a maturity model. It came from Mike Salem, Director of Data Science and Global Quality at Gilead AND a Mathematician, walking a room through a supply chain problem he almost failed to solve.
The problem was inventory pools and channels, understanding how product moves through a global supply network, where it can be shipped, where it is restricted, and how much shelf life remains at each node. Sounds tractable. Then the file arrived: tens of thousands of rows. A network graph that, when zoomed in, was still illegible. A tree directory structure that his supply chain colleague looked at and said, no, that is not going to work.
What got him to the answer was not a more sophisticated algorithm. It was sitting down with the business user and asking: show me what you actually want to see. Write it down. Give me an example.
That conversation between the data scientist and the person who lives inside the problem, produced a piece of code short enough to fit on a single slide that solved what months of Excel analysis could not.
Mike also introduced a concept that should be in every AI governance conversation the industry is having: context poisoning. When a retrieval system returns results based on similarity alone, it can surface technically accurate information that is wrong for the context of the question being asked. The solution is Graph RAG — grounding AI retrieval in connected, relational data rather than raw vector proximity. The graph does not just find similar documents. It traces relationships, surfaces hidden connections between quality events, and provides the explainability and traceability that a regulator, or an auditor, will eventually ask you to demonstrate.
That last word matters. Explainability. Traceability. The two properties that every speaker at this conference said AI systems need. And the only way to get there is to build the data foundation that makes them possible, not after the model is deployed, not as a documentation exercise after the fact, but by design, from the beginning.
That is what the day kept saying, in every room, from every angle.
The technology is not the problem. The foundation is.
Every conversation in San Diego pointed to the same starting question, not "what AI should we buy?" but "do we actually know where we stand?"
Most organizations don't. Not honestly. They have a sense of where the gaps are. They have a list of initiatives in flight. What they often don't have is a structured, defensible picture of their current AI governance maturity, their process readiness, and the specific gap between where they are and where they need to be before AI can deliver on its promise.
In the artichoke model, that picture is a cross-section. It shows you exactly which layers are intact, which are underdeveloped, and what it will take to reach the heart. Without it, you are pulling at leaves and calling it progress.
Chris Ferrell offered three questions every organization should be asking any AI vendor right now: Where does the intelligence live, in the model, or in your system of record? Do you own your data and control the model? Can you validate and defend this system, can outputs be traced, reproduced, and explained in an audit? These are not procurement questions. They are governance design questions. And most organizations are not asking them early enough.
That cross-section, and that conversation, is exactly what ProcellaRX's Strategic Assessments are built to provide.
We work with pharmaceutical, biotech, and medical device organizations to assess AI governance foundations, process maturity, digital validation readiness, and quality culture and we translate that into a clear, prioritized roadmap that your organization can actually execute.
If you were in San Diego and recognized your organization in any of what I described here or if you weren't in the room but you know the conversation applies I would like to have that conversation with you.
Let's schedule 30 minutes. No pitch deck. Just an honest conversation about where you are and what it would take to get where you need to be.
Connect with me on LinkedIn or reach us directly at procellarx.co.
Dori Gonzalez-Acevedo is the Founder & CEO of ProcellaRX LLC, Co-Lead of the ISPE Digital Validation Subcommittee, and co-author of the ISPE Good Practice Guide on Digital Validation. ProcellaRX is a Gold Sponsor of KENX AI in GxP 2026.