Governance as an immune system: why structure beats policy.
Most pharma companies have policy. Few have structure. The difference is whether the rules are static documents in a binder or active mechanisms running in the operations. The regulators have spent forty years shifting expectations from one to the other, and AI compresses the timeline.
The phrase "quality system" is older than most pharma quality functions. Juran, Deming, Crosby and the post-war manufacturing thinkers built the architecture; ISO 9001 (1987) codified it; ISO 13485 (1996) translated it for medical devices; ICH Q10 (2008) absorbed it for pharmaceutical quality systems; ICH Q9(R1) (2023) elaborated risk management; ISO/IEC 42001 (2023) extended it to AI. The architecture is durable. What changes per decade is what the system has to absorb. The 2020s are the decade where the system has to absorb AI without ceasing to be the system.
The companies that can do this are the companies that have understood quality governance as structure rather than as policy. The two words mean different things. A policy is a written rule. A structure is the operational mechanism that lets the rule operate. A policy without structure is a binder. A structure without policy is unprincipled. Both together, working in production, are the immune system the regulator is now expecting.
/ 01 What policy looks like, alone.
A typical pre-2020 pharma quality manual contains policies on document control, change control, deviation handling, CAPA, training, validation, supplier qualification, internal audit, management review. Each policy is well-written. Each policy is signed off. Each policy is filed in the QMS document library. The pharma has policies. The pharma also, in many cases, has 483 observations, recurring deviations, validation backlogs, and an internal audit that finds the same gaps quarter after quarter.
The gap is not at the policy layer. The policies exist and read correctly. The gap is at the structural layer, the operational mechanism that would make the policies operate rather than sit. Document-control policy without an operational document-management system that enforces version control, signed approvals, retrieval, and obsolescence produces compliance theatre. Change-control policy without an integrated workflow that routes proposed changes through impact assessment, approval, implementation verification, and effectiveness check produces a paper trail without a process. Training policy without an LMS that records competency before the activity is performed produces a binder of certificates that says nothing about whether the work is competent.
/ 02 What structure looks like.
Structure is the operational mechanism that makes the policy run. Not the document; the mechanism. Examples that operate in mature pharma quality systems:
- Electronic document-management system that prevents retrieval of obsolete versions, requires signed approval before a document becomes effective, and cannot be circumvented by users
- Integrated change-control workflow that automatically generates the impact-assessment routing based on change category, prevents implementation without approval, and triggers effectiveness check at a pre-defined post-implementation date
- Deviation-investigation workflow that requires root-cause analysis to a documented depth, links to CAPA where applicable, and is monitored for recurrence by an automatic trend report
- LMS that prevents the user from performing GxP-tagged activities until the relevant training record is current, and automatically expires training at re-qualification intervals
- Supplier-management system that maintains qualification status, prevents purchase from unqualified sources at the procurement layer, and routes annual re-qualifications without manual chasing
- Audit-trail review tooling that flags anomalous patterns to QA without requiring manual sampling
Each of these is a structural answer to a policy. The structure is what makes the policy operational. The same architecture, applied to AI, is what makes ISO/IEC 42001 or the EU AI Act or GMP Annex 22 work in production rather than in a binder.
/ 03 Why AI compresses the timeline.
The pharma quality system has had forty years to migrate from policy to structure. Many companies have completed parts of the migration; few have completed all of it. AI does not allow another forty-year migration. The AI deployment cycle is two to four years; the regulatory clock is two to three years; the failure modes (hallucination, drift, prompt injection, data integrity gaps) operate at minute-to-day timescales. Policy without structure cannot respond at that speed. The structure has to be operational on day one of deployment, not built in retrospect after the audit finding.
The companies that already have structural quality systems extend them to AI; the addition is incremental. The companies that have only policy try to extend that to AI; the addition is everything they should have been doing for the last twenty years, in a single deployment cycle. Most fail.
The regulators are not asking for more policy. The regulators are asking for the structural mechanism that makes the policy run. AI exposes whether the structure exists; it does not create the gap.
/ 04 The immune system reading.
An immune system is not a list of pathogens. It is a structural mechanism — innate response, adaptive memory, regulatory cells, communication signalling — that lets the organism encounter pathogens it has never seen before and respond appropriately. The mechanism is what produces immunity; the encounter list is what the mechanism handles. A patient with a list of pathogens but no immune mechanism is in trouble.
Quality governance reads the same way. The list of compliance obligations is the pathogen catalogue. The QMS is the immune system. Companies that have invested in the system can absorb new obligations — EU AI Act, GMP Annex 22, QMSR, ICH M11, ICH E6 R3, ICH M13A — incrementally. Companies that have only the catalogue must rebuild structure for each new obligation. The cost difference compounds.
The vaccine framing in the manifesto note is the externally facing version of this argument. Vaccination prepares the immune system for an encounter; the immune system is the structural mechanism that absorbs the agent. Both metaphors describe the same architectural fact: it is the structure that does the work.
/ 05 What this looks like at the working level.
For a pharma considering its 2026 AI governance posture:
- Map every AI use to the existing QMS document hierarchy. If the QMS does not have a place for a given AI use, the QMS has a structural gap, not a documentation one
- For each AI use, identify which structural mechanism enforces the relevant control. Not which policy says it; which mechanism makes it run
- Where the mechanism does not exist, design it. Build the workflow, the integration, the gating logic, the audit-trail capture
- Test the mechanism under conditions that simulate failure modes. Hallucination, drift, prompt injection, data-integrity gap. The test is whether the mechanism catches the failure
- Operate the mechanism continuously. The structure is not a one-time qualification; it runs alongside the AI
/ 06 What this does not look like.
It does not look like writing more policies. It does not look like creating an AI ethics committee that meets quarterly without operational authority. It does not look like a 30-page policy document that sits in the QMS library unread. It does not look like an AI governance framework that is separate from the existing QMS rather than integrated into it. Each of these is policy without structure. Each of these will fail the inspection that walks from policy to evidence to mechanism.
The pharma quality function has spent forty years learning that structure beats policy. The AI conversation in 2026 is the same lesson, applied at a faster timescale. The companies that hold this distinction will absorb AI without producing a quality crisis. The companies that do not will discover, expensively, that policy was never the load-bearing layer.