Playbook · AI/ML SaMD

AI/ML Medical Device PCCP & Cybersecurity Guide

How to build a Predetermined Change Control Plan for AI/ML SaMD that survives FDA review - and how to threat-model the model itself (poisoning, inversion, adversarial inputs, prompt injection).

All playbooks

Updated May 2026 7 pages 16-min read Download PDF

Why this matters

AI/ML-enabled SaMD presents unique cybersecurity threats - the model itself is an asset that can be attacked. The FDA's 2026 cybersecurity guidance specifically calls out poisoning, inversion, adversarial inputs, and prompt injection. At the same time, the FDA's PCCP framework lets you pre-authorize model updates without a new submission - but only if the plan is precise, bounded, and verifiable.

Key takeaway: A PCCP without a cybersecurity dimension is incomplete. Every modification protocol step needs a security check - not just performance metrics.

PCCP - the three required components

Description of Modifications - exactly what can change (weights, thresholds, features, architecture)
Modification Protocol - verification, validation, performance, and security checks per change type
Impact Assessment - benefit/risk analysis for each modification, tied to ISO 14971

ML-specific threats to model

Data poisoning - adversary corrupts training or fine-tuning data
Model inversion - extract training data from model outputs
Membership inference - determine if a record was in training set
Adversarial inputs - crafted inputs that flip model decisions
Model theft / extraction - query-based reconstruction
Prompt injection - for LLM-backed SaMD, override system instructions
Supply chain - compromised pre-trained models, datasets, or libraries

ML-BOM - the bill of materials for your model

Use CycloneDX 1.5 ML-BOM extension
Include training datasets, pre-trained base models, and fine-tuning data
Document model architecture, training framework, and hyperparameters
Hash and version every model artifact
Track model provenance through the deployment pipeline

Monitoring - drift and cybersecurity together

Performance drift (clinical metrics) - already required by GMLP
Input distribution drift - early signal of adversarial probing
Output anomaly detection - catch evasion and inversion attempts
Inference rate-limiting - defense against extraction attacks
Logging sufficient for forensic review of suspected attacks

What's in the full PDF

PCCP template aligned to the FDA's Final Guidance (Dec 2024)
Full ML threat catalog with mitigations and detections
ML-BOM example in CycloneDX 1.5
Drift + security monitoring runbook
GMLP × 2026 cybersecurity guidance crosswalk

Want the full 7-page playbook?

Includes every checklist, table, and template - formatted for printing and sharing.

Download PDF

What's inside

PCCP structure that reviewers accept
ML-specific threat catalog (poisoning, inversion, adversarial, prompt injection)
ML-BOM in CycloneDX 1.5
Monitoring drift + cybersecurity together
GMLP alignment with the 2026 cybersecurity guidance

Get the next playbook

Subscribe to The Monthly Pulse for new playbooks, FDA updates, and field notes.

Other playbooks

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.

Book strategy session Explore services