Governance Beyond RBAC

What RBAC Does Well — and Where It Stops

RBAC effectively controls who can access what systems, data, and functions. It enforces identity-based permissions, supports separation of duties, and provides a clear audit trail of access events. In pharma and medtech, RBAC ensures that only authorized personnel can access batch records, sign off on quality events, or view patient data.

But RBAC governs the "can" — not the "should." Microsoft's guidance on AI agent authorization (April 2026) draws this distinction explicitly: OAuth and API permissions answer "can the agent call this API?" They do not answer "should the agent execute this action given business policy, compliance constraints, data boundaries, and approval thresholds?" That gap requires a separate runtime authorization decision plane.

An AI system with full RBAC-granted access to process data, batch records, and deviation histories can still make an ungoverned decision — recommending batch release based on incomplete evidence, or closing a CAPA without adequate root-cause analysis. RBAC never asks: was the reasoning sound? Was the evidence sufficient? Was the right data available at the time the decision was made?

Five Governance Dimensions Beyond Access Control

Regulated AI operations require governance across dimensions that RBAC was never designed to address:

1. Decision Provenance

Knowing that User X accessed System Y at Time Z tells you nothing about what conclusion was drawn, what evidence supported it, or what downstream impact followed. Decision provenance captures the complete genesis of every operational decision:

  • Who made or approved the decision (human or AI-assisted)
  • What information was available and considered at decision time
  • What alternatives were evaluated and why one was chosen
  • What the reasoning chain was from evidence to conclusion

The EU AI Act (Regulation 2024/1689) requires that high-risk AI systems maintain detailed logs including input data, decisions produced, and logic applied — enabling "traceability of results" and supporting human oversight. The FDA's 7-step credibility framework (January 2025) requires documentation from data quality assessment through model validation to uncertainty quantification.

2. Evidence Lineage

In traditional operations, evidence lineage is implicit — the batch record captures materials, parameters, and results in sequence. When AI enters the picture, evidence lineage must become explicit and machine-verifiable:

  • Every recommendation links to identifiable source data with document IDs and version numbers
  • Every stage of processing is recorded — from raw data to intermediate analysis to final conclusion
  • The ISPE GAMP AI Guide (July 2025, 290 pages) extends ALCOA+ principles to AI: every model input, prompt, and output must be treated as a GxP record with full traceability

The joint FDA/EMA Guiding Principles (January 2026) mandate "traceable, verifiable documentation of data provenance, processing steps, and analytical decisions, consistent with GxP expectations."

3. Reasoning Chain Auditability

Earlier rule-based systems were intrinsically auditable — the chain from input to recommendation could be reconstructed. Current LLM-based systems present a qualitatively different challenge: they engage in probabilistic reasoning over high-dimensional representations, introducing risks of hallucination and unstable outputs.

EU GMP Annex 22 addresses this directly: only static, deterministic ML models may be used in GMP-critical applications. Generative and adaptive AI is excluded from critical GxP functions precisely because reasoning chains cannot be reliably reconstructed. Explainability techniques such as SHAP (Shapley Additive Explanations) and LIME are cited as acceptable methods for making model decisions interpretable.

4. Temporal Governance

Point-in-time audits are fundamentally incompatible with AI operations. An audit conducted on one day becomes an obsolete safety measure the next morning when autonomous systems execute thousands of decisions. The gap between deployment and discovery is where institutional risk accumulates.

For pharma specifically, temporal governance answers critical questions:

  • Was the stability data current when the batch release decision was made?
  • Was the most recent OOS investigation closed before the AI recommended shipping?
  • Did the model have access to the latest recall notice before clearing the deviation?
  • Was the operator's training certification valid at the time of the event?

These are questions RBAC cannot answer. Governance must become a continuous, real-time data stream rather than periodic manual events.

5. Contextual Authorization

The shift from "does this identity have the right role?" to "given the current operational context, should this action be allowed?" is the core of contextual authorization.

An AI system might have RBAC permission to recommend batch disposition, but contextual authorization would block that action if:

  • A related deviation is still under investigation
  • Environmental monitoring data for the cleanroom is pending review
  • The qualified person has not yet reviewed the in-process controls
  • A related CAPA effectiveness check is overdue

Dynamic enforcement mechanisms include time-bound permissions, conditional approvals, and policies that adapt as operational conditions change — far beyond what static role assignments can deliver.

Why Traditional IT Governance Falls Short

Traditional IT governance frameworks — RBAC, IAM, SOC 2 — were not designed for AI systems:

  • RBAC controls who can access systems but not whether an AI's decision was appropriate given the evidence
  • SOC 2 verifies security controls and availability but does not address model bias, explainability, or decision provenance
  • Change management governs code deployments but not when an AI model drifts or training data becomes stale
  • Incident response handles system outages but not an AI producing confident, wrong recommendations that nobody detects because the system is technically "up"

ISPE's analysis of AI governance in GxP environments identifies ten policy areas that AI governance must address — only two overlap meaningfully with traditional IT governance. The remaining eight — data privacy, fairness, transparency, accountability, human-AI interaction, continuous monitoring, stakeholder engagement, and training — represent governance dimensions that SOC 2, IAM, and RBAC do not touch.

The Real-World Consequence of Ungoverned AI Decisions

The Purolea case (April 2026) is the definitive example. The AI agents had correct system access — they could read regulatory databases, generate documents, and populate the quality system. RBAC was not the failure. The failure was that no governance existed for the decisions the AI was making:

  • The AI generated drug product specifications — nobody governed whether they were correct or complete
  • The AI created master production records — nobody governed whether process parameters were validated
  • The AI was unaware that process validation was required — nobody governed whether the AI's regulatory knowledge was comprehensive

The firm's defense — "the AI never told us" — reveals the core problem: they had access governance but zero decision governance.

From Access Governance to Decision Governance to Outcome Governance

The maturity model for AI governance in regulated operations has three phases:

  1. Access Governance (traditional IT) — Who can use this system? Controls: RBAC, IAM, MFA, encryption. Audit question: "Did an unauthorized person access the system?"
  2. Decision Governance (operational AI) — How are AI-influenced decisions made, documented, and approved? Controls: decision provenance, evidence lineage, contextual authorization, policy-as-code. Audit question: "Was this decision appropriate given the evidence and operational state?"
  3. Outcome Governance (autonomous AI) — Are aggregate outcomes within acceptable bounds? Controls: continuous monitoring, feedback loops, drift detection, real-time compliance dashboards. Audit question: "When outcomes deviate, does the system self-correct or escalate?"

Most regulated organizations have mature Phase 1 governance. The gap — and the risk — is in Phases 2 and 3. Access control tells you who is in the room. Operational governance tells you why a decision was made, what supported it, and whether it can withstand scrutiny.