Skip to main content
BlogIn the News
 / 
Perspectives

You Can't Validate AI You Don't Control: Closing the Context Gap in Regulated Development

Lee Chickering
 and 
  •  
July 7, 2026

Table of Contents

The Reason AI Validation in Regulated Development Keeps Stalling

AI is moving into regulated product development fast. Quality and regulatory teams now have to prove that a tool or model they can't fully predict performs consistently enough to trust. Unfortunately,  AI doesn't guarantee consistency.

Traditional software is deterministic. Plug in the same input and get the same output, every time. Conversely, large language models are probabilistic. Even a frozen model on identical hardware can answer the same prompt differently, and the foundation model your team validated six months ago may not be the one running today.

But probabilistic output isn't the real reason AI validation stalls. Most teams are tackling the wrong problem first by writing protocols for a model that was never given enough context to be trustworthy.

Why a Risk-Based Approach is Fundamental

A risk-based approach to AI validation is not only a regulatory expectation, but a practical necessity. Not all AI output carries the same risk. An AI that drafts a first-pass requirement for human review has a fundamentally different risk profile than one that autonomously approves a release gate. Applying the same rigor to both is inefficient and misleading. It implies an equivalence that doesn't exist.

A well-structured risk-based approach requires four things:

  • Clear intended use. What is the AI feature doing, who is the intended user, and what decision does the output inform?
  • Mapped operational risk. Where in the lifecycle does the output land, and what happens if it's wrong?
  • Pre-defined quality metrics. Precision, recall, consistency, and domain accuracy, established before the study rather than after you see the results.
  • Continuous monitoring by design. AI isn't a one-time validation event. It requires ongoing metric tracking and a documented strategy for when performance degrades or the foundation model changes.

This is achievable, but it requires something most general-purpose AI tools aren't built to provide: a stable, controlled context you can evaluate, monitor, and defend. Right now, this is where most teams are falling short.

The Context Gap: Why General-Purpose AI Fails Regulated Workflows Even When the Outputs Look Legitimate

For large language models, context is everything.

The Context Gap is the structural distance between what a foundation model knows and what it needs to know in order to reason correctly about a specific project. It's why fluent, plausible AI outputs can be wrong in unobvious ways that won’t surface until an auditor pulls on a seemingly intact traceability thread.

A foundation model like Claude or ChatGPT comes loaded with knowledge from the internet, code repositories, and billions of pages of text. That base intelligence is remarkable. It can reason, synthesize, and generate at a level that seemed impossible five years ago.

What limits a foundation model is project knowledge. It cannot grasp that your risk control tied to SWR-047 was deferred in the last release, or that your team adopted a new anomaly classification policy in Q3, or if the suggested requirements for your cybersecurity module conflicts with an existing IEC 62304 traceability link in Jira. It doesn't have the context of your QMS.

When a quality engineer or systems architect asks a generic AI tool for help with a change impact analysis, the response is only as good as the context it received. If that context is a single document upload, the model is reasoning in a vacuum. The output can be well-formatted, technically fluent, and consistent with general medical device principles, and still be wrong about your system in ways that won't be initially obvious. That isn't a criticism of the models, it’s the nature of how they operate.

This becomes dangerous when teams fail to identify the gap in an AI-produced output.

The teams getting the most value from AI in regulated development give the model the context it actually needs. They connect their compliance data, requirements, risk management artifacts, and QMS, so the AI has something meaningful to reason over. Better prompts aren't enough to address this gap, but better architecture is.

Closing the Context Gap: The Architecture to Validate AI

What separates Ketryx AI from a general-purpose LLM pointed at your compliance tools isn't the foundation model. We use the same frontier models, Claude and ChatGPT, that you'd access through any commercial API.

The difference is the unified knowledge graph underneath.

When Ketryx AI reasons about change impact, it isn't retrieving isolated document snippets. It operates across a connected, visible product lifecycle: requirements in Jira, code in GitHub, test cases in TestRail, risks, risk controls, anomalies, and SBOM artifacts, all connected as a graph with understood relationships rather than sitting in separate systems. It knows where your requirements link to risk, the corresponding traces to test cases, and what was last approved for release.

That context isn't assembled on the fly from keyword retrieval. It's part of the platform's architecture. And because the architecture is the same across every project and customer interaction, it can be evaluated, benchmarked, and validated in a way ad-hoc integrations cannot.

Ketryx AI also differentiates by its coverage. One of the most common failure modes in generative AI is completeness. When you ask an AI to run a change impact analysis across 800 requirements, there's a meaningful difference between one that probably analyzed all of them and one that deterministically did. LLMs operating over long-context document dumps can and do miss items. Probabilistic reasoning over large, unstructured inputs has no coverage guarantee by design, no matter how careful the model is.

Ketryx AI uses the structure of item-level projects to guarantee that every item in scope receives analysis. That guarantee is a verifiable, traceable fact, not an LLM estimate. It's a fundamentally different level of trust than any tool operating over a document dump can offer.

Every output the AI produces operates within a Part 11-compliant approval workflow. Each one is reviewed, approved, and traceable before it becomes part of the record. The human is in the loop by design, and their review is what makes the whole system auditable.

Build vs. Buy: The Honest Answer for Regulated Teams

At some point in every AI conversation with regulated companies, someone asks whether they could just build this themselves.

It's a fair question. Foundation models are accessible via API, MCP servers are increasingly available for popular tools, and a sophisticated team could theoretically wire up a change impact or anomaly triage workflow.

The honest answer: you could. But you'd be building Ketryx.

The Ketryx-built unified knowledge graph that closes the Context Gap didn't emerge from connecting a few API endpoints. It's a validated, live view of your entire product lifecycle. Without it, you could build an AI that answers questions about your Jira tickets. You couldn’t build one that understands how those tickets relate to your risk items, regulatory submissions, and QMS procedures in a way that is validated and defensible.

Even with strong engineering resources, building this to production quality takes years, not quarters: the security posture, validated integrations, evaluation framework, compliance audit trails, and recursive validation loops all have to come first. And the engineering investment comes before the AI investment.

The build path also surfaces costs not advertised up front:

  • Evaluation infrastructure. AI systems require continuous benchmarking to confirm they perform as expected when the underlying model updates. Without it, you can’t identify AI drift.
  • Regulatory alignment. Meeting IEC 62304, ISO 14971, 21 CFR Part 11, and FDA AI/ML guidance requires domain expertise baked into the system design, not layered on later.
  • Data security. Ketryx customers get zero data retention on LLM requests by default, an enterprise agreement we've negotiated on behalf of all our customers. Replicating that internally requires legal and infrastructure investment.
  • Model maintenance. When Anthropic releases a new version of Claude, it's in Ketryx within days. An internal team would need an ongoing process to evaluate and deploy model updates, plus a validation approach for each one.

Internal teams can almost certainly build compliant AI. The harder question is where that engineering capacity creates the most value: on a compliance infrastructure problem, or on the medical device portfolio it's meant to accelerate.

What Validated AI in Life Sciences Actually Looks Like in Production

The best frame for AI validation borrows from how you'd validate any other tool or instrument in your process.

You don't need 100% precision and 100% recall. No validated tool achieves that. You do need a defined set of performance bounds, tied to the risk of the specific use case, with evidence the system performs within them, and a monitoring strategy for when it doesn't.

For Ketryx AI, that looks like:

  • Published use-case benchmarks for change impact assessment, requirement conflict detection, and complaint classification, developed with domain experts against real-world datasets rather than curated demos.
  • User studies with structured evaluations of AI-assisted workflows that measure both output quality and the appropriateness of human review. We care how teams use the AI, not just what it produces.
  • Continuous performance monitoring tied to production usage, with defined thresholds for escalation. Validation continues for as long as the system runs in production.
  • Model-aware evaluation design benchmarks built to distinguish platform-level performance from underlying model capability. This way improvements are attributed accurately when the foundation model changes.

This is the same rigor your quality team applies to everything else in your process: calibrated to risk, grounded in evidence, continuously maintained. It is not validation theater. The difference is that it starts from a foundation where the Context Gap has already been addressed. The AI validated already has the project-specific context required to be trustworthy, instead of reasoning in a vacuum.

The Teams That Get There First Aren't Waiting

AI validation in life sciences isn't intractable. It requires a risk-based approach, a commitment to continuous monitoring, and above all, an AI system built on context that can be evaluated and defended.

The Context Gap is widest for general-purpose tools operating over unstructured document dumps. It's narrowest for systems built around connected lifecycle data. A unified knowledge graph, deterministic coverage guarantees, validated agent benchmarks, and Part 11-compliant approval workflows aren't things you approximate with an MCP server pointed at your Jira instance. They're the product of architectural investment in making AI trustworthy inside regulated development.

The teams that deliver their next product cycle fastest aren't waiting to find out whether AI validation is possible. They've already built on it.

Ketryx is trusted by four of the world's top five medical device manufacturers. To see how Ketryx AI can close the Context Gap for your development team, request a demo.

Interview transcript

Lee Chickering
Director, Quality
Ketryx

Lee Chickering is Director of Quality at Ketryx and an expert in quality assurance and regulatory compliance, specializing in bridging quality management and customer success to drive operational excellence in the life sciences industry. With a diverse background spanning manufacturing, project management, and compliance at companies like Amgen, he has led the implementation of Quality Management Systems (QMS) aligned with ISO 13485, ISO 14971, and IEC 62304. Passionate about advancing quality in life sciences, he thrives on collaborating with organizations to enhance efficiency, compliance, and innovation.