THRIVE™ · REGULATORY

Compliance is a moving target. Are you tracking it?

Healthcare AI operates within a complex and evolving regulatory environment. Regulatory readiness is the institutional capacity to comply, document, monitor, and respond — not just to know what the rules are, but to keep pace as they change.

AI regulation is fragmenting across jurisdictions — FDA, EU AI Act, MHRA, TGA — each with different classification systems, documentation requirements, and post-market obligations. Most healthcare organisations treat regulatory compliance as a procurement checkbox rather than an ongoing institutional capability. The result: deployed AI systems operating outside their approved scope, missing change-control documentation, and no process for when a regulator asks questions.

Regulatory readiness isn’t knowing what the rules are today. It’s the institutional muscle to respond when they change tomorrow.

THRIVE Regulatory assessment evaluates your compliance posture across approval pathways, documentation governance, post-market surveillance, lifecycle change management, and patient consent architecture — identifying gaps before regulators find them.

What we assess

Core capabilities

Approval Pathway Awareness

Understanding of 510(k), De Novo, PMA, and CE mark pathways and their specific implications for AI systems in clinical use.

IAEA · FDA

Risk Classification

Capacity to correctly classify AI medical devices by risk level and apply the appropriate scrutiny.

IAEA · FDA · WHO · READI

Intended Use Clarity

Precision of definition of AI system scope, contraindications, target population, and intended clinical environment.

IAEA · FDA · READI

Documentation Governance

Version control, change management, and audit-trail infrastructure for ongoing regulatory compliance.

IAEA · FDA · WHO

Post-Market Surveillance & PCCP

Compliance with predetermined change control plans, mandatory incident reporting, and surveillance posture across the AI lifecycle.

IAEA · FDA · WHO · READI

Lifecycle Change Governance

Policies governing algorithm updates, model retraining, and scope changes throughout the AI product lifecycle.

IAEA · FDA · WHO

Patient Autonomy & Consent Architecture

Institutional capacity to inform patients when AI contributes to clinical decisions and to obtain meaningful consent.

WHO · READI

Independent Review Capability

Capacity to subject AI systems to external review, validation, or audit independent of the vendor.

FDA · WHO

Privacy Compliance

MOVED

HIPAA, GDPR, and patient consent architecture governing collection, storage, processing, and use of healthcare data in AI pipelines.

IAEA · WHO · READI

Platform integration

How Regulatory connects

R ↔ E

Regulatory readiness asks ‘are we compliant?’ — Evaluation readiness asks ‘are we actually checking?’. Post-market surveillance obligations (R) require monitoring capabilities (E).

R ↔ T

Regulatory classification determines what evidence the institution is obligated to demand at the Technical level.

R ↔ V

Documentation governance (R) and procurement lifecycle readiness (V) must align — contracts must reflect regulatory obligations.

Evidence base

What the literature says

The clinical deployment of AI systems requires an adequate regulatory framework and highly educated, well-trained health professionals to ensure safe, ethical and beneficial use of such systems.

IAEA PC9134 (2025)

The proliferation of AI could lead to the delivery of healthcare services in unregulated contexts and by unregulated providers, which might create challenges for government oversight of health care.

WHO, Ethics & Governance of AI for Health (2021)

Good software engineering practices, data quality assurance, data management, and robust cybersecurity practices — these include methodical risk management and design process that can appropriately capture and communicate design, implementation, and risk management decisions.

FDA, Good Machine Learning Practice (2021)

FAQs

Common questions

Because AI compliance is unlike device compliance. Algorithm change control, predetermined change control plans (PCCP), post-market surveillance of self-updating systems, and AI-specific consent obligations are new regulatory domains. Most compliance teams haven’t built the muscle for them yet.

THRIVE is grounded in four international reference standards (IAEA PC9134, WHO Ethics & Governance, READI, FDA GMLP) and maps against the regulatory requirements of the jurisdictions where your organisation operates — including FDA, EU AI Act, MHRA, and TGA pathways.

Post-market surveillance. Organisations deploy AI, file initial documentation, and assume the job is done. But regulatory obligations don’t end at deployment — they intensify. Most institutions have no structured process for monitoring compliance after go-live.

Ready to assess your Regulatory readiness?
