Guest Column | March 23, 2026

Generative AI Can Write The Code, But Who Builds In The Quality?

By Ricardo Torres-Rivera, PMP, CEO and president, Xevalics Consulting, LLC


The promise is compelling and it is everywhere. Generative artificial intelligence (AI) tools like ChatGPT, Claude, Copilot, Gemini, and others have made it possible for virtually anyone to produce functional software through natural language prompting. The market calls it “vibe coding”: users describe what they want in plain language, and the AI writes the code for them. No computer science degree is required. No formal software engineering training. Just a prompt and a working application.

For pharmaceutical leaders, the appeal is obvious. Imagine quality teams building their own deviation tracking dashboards. Scientists creating custom data analysis tools for stability studies. Validation engineers generating test scripts in minutes instead of days. Operational staff automating batch record reviews. The productivity gains are real, and the democratization of software creation is, in many respects, a genuine step forward.

But there is a critical difference between software that works and software that has quality built in. And in pharmaceutical manufacturing, clinical development, nonclinical research, and GMP operations, that difference is not academic. It is the distance between a system that supports regulated decisions and one that collapses under the weight of its first inspection. This article is not an argument against generative AI-assisted development or code democratization. It is an argument for discipline, for recognizing that the principles of quality that have governed our industry for decades do not become optional because the tool has changed. And it is a caution to leaders who may be embracing the promise of vibe coding without fully considering what is at stake when quality is not built into the process.

The Promise And The Blind Spot

Across the pharmaceutical industry, executive teams are hearing a promising message: generative AI can turn anyone into a programmer. Vendors promote it. Conference keynotes celebrate it. Internal innovation teams pilot it. The narrative is that vibe coding eliminates the bottleneck of IT dependency and empowers domain experts to build their own solutions.

And much of that is true. A quality assurance analyst who understands deviation workflows may, in fact, be better positioned to design a deviation tracking tool than a software developer who does not understand GMP. A laboratory scientist who knows the data may be the right person to create an analytical trending dashboard. Giving these experts the ability to build is powerful.

The blind spot is this: domain expertise is not the same as software engineering discipline. The people who went through formal training in software development learned why they define requirements before they write code, why they version control every change, why they test against specifications rather than assumptions, why they document architecture decisions, and why they validate before deploying. These disciplines exist not because of bureaucracy, but because systems at scale break in ways that prototypes never reveal, especially in regulated environments where the consequences of failure may affect patient safety, data integrity, and regulatory standing.

Generative AI tools skip all of that institutional knowledge. They deliver the output without the discipline. And when leaders encourage adoption without ensuring that quality is part of the process, they are not accelerating innovation, they are accelerating risk.

A Regression The Industry Should Recognize

For more than 40 years, the quality management discipline has fought a single battle: moving organizations from inspecting quality at the end to building quality into the process from the beginning. The pharmaceutical industry, more than most, should recognize this because it lived through it.

W. Edwards Deming made this the centerpiece of his philosophy. Point 3 of his famous 14 Points for Management is unambiguous: “Cease dependence on inspection to achieve quality. Eliminate the need for inspection on a mass basis by building quality into the product in the first place.” Deming understood that by the time inspection happens, the waste has already been created. The defect is already in the system. [1]

Philip B. Crosby reinforced this with an even sharper formulation. In his 1979 landmark Quality Is Free, Crosby defined quality as conformance to requirements: not as “excellence,” not as “exceeding expectations,” but as the disciplined act of meeting clearly defined requirements. His goal was to do things right the first time, because the true cost of quality is not prevention; it is the price of nonconformance, which in today’s words means rework, recalls, audit findings, failed batches, and the erosion of regulatory trust. [2]

Joseph M. Juran taught us that quality must be planned, not merely inspected or controlled after the fact. His Juran Trilogy (Quality Planning, Quality Control, Quality Improvement) placed the decisive moment at the design and planning stage, where products, processes, and controls are structured to meet customer needs. If the planning is flawed, no amount of downstream inspection or correction can truly fix it. [3]

Jack Welch operationalized these principles at General Electric through Six Sigma, proving that building quality into processes at enterprise scale was competitive strategy, not academic theory. The pharmaceutical industry embraced the same logic through quality by design (QbD), the principle that product quality cannot be tested into a drug through final batch sampling but must be built into the manufacturing process through scientific understanding of every variable. That philosophy became the foundation of ICH Q8, Q9, and Q10, and it reshaped how our entire industry thinks about process design, risk management, and quality systems. [4, 5, 6]

Leaders like Welch fought this battle and won it. Regulatory frameworks codified it. The FDA’s quality systems approach, Good Automated Manufacturing Practice (GAMP) 5, and computer software assurance all reflect the same foundational insight: quality is built in, not inspected at the end. [7, 8]

And now, in the rush to adopt vibe coding and generative AI-assisted development, the industry risks quietly undoing that progress. The dominant generative AI coding workflow today (prompt, receive code, test superficially, deploy) is fundamentally an inspect-at-the-end model. Requirements are informal or absent. Validation evidence is nowhere to be found. It is a return to the very mentality that Deming, Crosby, and Juran spent their careers dismantling.

The Accountability Gap In Pharma

Generative AI does not have a quality problem. It has an accountability problem.

Consider what is already happening in pharmaceutical organizations. A quality engineer uses ChatGPT to generate a Python script that automates environmental monitoring data review. A validation specialist prompts an AI to create test protocols. A laboratory analyst builds a custom tool to flag out-of-specification results. A manufacturing team develops a dashboard to track batch yield trends. Each of these may function correctly. Each may save time. But were requirements defined before the code was generated? Was intended use documented? Was the system assessed for GxP impact? Is there any traceability between what the system does and what it was designed to do? Is there change control if the prompt is modified tomorrow?

In most cases, the answer to every one of these questions is no.

Crosby would recognize this immediately. The code may conform, but conform to what? If requirements were never formally defined, if fitness for use was never evaluated, if intended use was never articulated, then there is nothing meaningful to conform to. The programmer has achieved what amounts to perfect conformance to the wrong target — impressive execution of a requirement that was never properly specified. [2, 9]

For leaders encouraging their teams to leverage vibe coding, this is the question that should give pause: when an inspector asks how a system that influences GMP records, batch disposition, or regulatory submissions was designed, developed, and validated, what will a team show them?

New Risks In Pharmaceutical Operations

Code democratization is a good thing. Expanding who can build tools that serve quality, manufacturing, and laboratory operations has genuine value. The concern is not that more people are creating software. The concern is that quality is not being built into the process when they do.

Generative AI also introduces risk dimensions that traditional software development and validation practices were never designed to address. These are not speculative concerns. They are emerging realities in pharmaceutical operations right now.

Prompts as executable logic. When a quality team uses an AI tool to analyze deviation trends, or when a laboratory uses generative AI to interpret stability data, the prompt functions as the logic that governs the analysis. A small change in wording can materially change the output. Yet prompts are typically informal, un-versioned, and uncontrolled. In a GMP environment where every algorithm and calculation affecting product quality must be validated, this is an uncontrolled logic layer hiding in plain sight.

Non-deterministic outputs. Traditional validated systems follow a fundamental rule: the same input produces the same output. Large language models do not guarantee this. Their outputs are probabilistic. Where reproducibility is a regulatory expectation, as it is for batch release calculations, stability trending, and analytical data review, the results must themselves be reproducible. This is not a minor technical detail. It is a direct challenge to the principles of data integrity and scientific reproducibility.

Model and version drift. AI providers routinely update their models, sometimes without advance notice. An analysis performed today may produce different results tomorrow on a silently updated version of the model. For pharmaceutical organizations that must demonstrate that their systems produce consistent, reproducible results under controlled conditions, silent model changes represent an uncontrolled variable with direct regulatory implications.

Context injection. When retrieval-augmented generation (RAG), plugins, or external data sources feed information into an AI system, the output becomes dependent on context that may change over time. A deviation analysis tool that pulls from a dynamic knowledge base may produce different conclusions next month — not because the prompt changed, but because the underlying context shifted without any record of the change.
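The four variables described above (prompt wording, model version, call parameters, injected context) can each be fingerprinted so that a rerun shows which one moved. The following is an added example, not code from the author or from any tool the article names; the model identifiers, documents and outputs are constructed, hypothetical values.

```python
import hashlib
import json

INPUT_KEYS = ("prompt", "model", "params", "context")

def digest(obj) -> str:
    """SHA-256 of a canonical JSON encoding (stable key order and separators)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def run_manifest(prompt, model_id, params, context_docs, output):
    """Fingerprint each input that shapes the analysis, and the result it produced."""
    return {
        "prompt": digest(prompt),               # the exact wording is the logic
        "model": digest(model_id),              # identifier as reported by the provider
        "params": digest(params),               # sampling and other call settings
        "context": digest(list(context_docs)),  # retrieved text, order preserved
        "output": digest(output),
    }

def compare_runs(baseline, current):
    """Classify a rerun against the manifest of a reviewed baseline run."""
    changed = [k for k in INPUT_KEYS if baseline[k] != current[k]]
    matches = baseline["output"] == current["output"]
    if changed:
        status = "inputs-changed"      # results are not comparable until the change is reviewed
    elif matches:
        status = "reproduced"
    else:
        status = "non-deterministic"   # same recorded inputs, different result
    return {"status": status, "changed_inputs": changed, "output_matches": matches}

# Constructed sample run: model identifier, documents and output are hypothetical.
BASE = {
    "prompt": "Flag deviation categories with more than 3 recurrences in 90 days.",
    "model_id": "example-model-2026-01",
    "params": {"temperature": 0},
    "context_docs": ["SOP-001 rev 2: deviation categories", "Q1 deviation log extract"],
    "output": "Flagged: labeling",
}

def rerun(**overrides):
    """Compare a rerun, with the given fields altered, against the baseline run."""
    return compare_runs(run_manifest(**BASE), run_manifest(**{**BASE, **overrides}))

if __name__ == "__main__":
    print(rerun())                                           # identical rerun
    print(rerun(output="Flagged: labeling, equipment"))      # same inputs, new result
    print(rerun(model_id="example-model-2026-03",
                context_docs=BASE["context_docs"] + ["SOP-001 rev 3"]))
```

A model updated silently under an unchanged identifier leaves the model fingerprint intact, so it surfaces here as `non-deterministic` rather than as a model change.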

These risks do not invalidate generative AI as a tool for pharmaceutical operations. But they demand that organizations treat AI-assisted development with the same quality discipline as traditional computerized system validation, and arguably more. Juran’s lesson holds: if the planning phase does not account for these failure modes, no amount of downstream testing will catch them all. [3]

What Comes Next

The risks are real, the regression is underway, and the accountability gap is widening. Prompts are functioning as uncontrolled executable logic. Non-deterministic outputs are entering regulated workflows. Model versions are shifting beneath systems that were never designed to detect the change. These are not theoretical concerns — they are the operational reality of generative AI adoption in pharmaceutical environments today.

But naming the problem is not the same as solving it. The quality pioneers — Deming, Crosby, Juran — gave us the principles. The question now is whether our industry will apply them to this new generation of tools with the same rigor it brought to drug manufacturing, process validation, and computerized system assurance.

In Part 2 of this series, we address what regulators are already asking, reclaim a working definition of quality for the generative AI era, and translate these principles into concrete starting points, from prompting standards and human-in-the-loop controls to AI governance policy, process transparency, and the credibility frameworks that FDA’s draft guidance increasingly expects.

References

  1. Deming, W. Edwards. Out of the Crisis. MIT Press, 1986.
  2. Crosby, Philip B. Quality Is Free: The Art of Making Quality Certain. McGraw-Hill, 1979.
  3. Juran, Joseph M., and A. Blanton Godfrey, editors. Juran’s Quality Handbook. 5th ed., McGraw-Hill, 1999.
  4. ICH Q8(R2) — Pharmaceutical Development. International Council for Harmonisation, 2009.
  5. ICH Q9(R1) — Quality Risk Management. International Council for Harmonisation, 2023.
  6. ICH Q10 — Pharmaceutical Quality System. International Council for Harmonisation, 2008.
  7. FDA — Computer Software Assurance for Production and Quality System Software (Final Guidance, September 24, 2025). https://www.fda.gov/regulatory-information/search-fda-guidance-documents/computer-software-assurance-production-and-quality-system-software
  8. ISPE GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems. 2nd ed., International Society for Pharmaceutical Engineering, 2022.
  9. Torres-Rivera, Ricardo. “Quality and Critical Thinking: Preventing ‘Perfect Conformance’ to the Wrong Target.” Xevalics Consulting, LLC, January 31, 2026. https://xevalics.com/quality-and-critical-thinking-preventing-perfect-conformance-to-the-wrong-target/

Transparency Statement

This article was developed with the assistance of AI tools for research and drafting. The author has reviewed, edited, and takes full responsibility for all content.

Regulatory and Compliance Disclaimer

This article is provided for informational and educational purposes only and does not constitute regulatory guidance, legal advice, or an official interpretation of applicable laws, regulations, or guidance documents. Organizations remain solely responsible for determining regulatory applicability and compliance.

About the Author:

Ricardo Torres-Rivera, PMP, is the CEO and president of Xevalics Consulting, LLC, a Minneapolis-based firm specializing in computer systems validation (CSV), computer software assurance (CSA), data integrity, GLP compliance, and project management for regulated life sciences organizations. He chairs the SQA CVIC Steering Committee and the CVIC AI Subcommittee and is a recognized speaker and instructor in the quality and compliance community.