Question 1

Which FDA guidance applies to my AI/ML device?

Accepted Answer

If your device uses ML, the cornerstone documents are: the 2024 PCCP final guidance, the 2025 draft AI-Enabled Device Software Functions guidance, the FDA's GMLP guiding principles (with Health Canada and MHRA), and the broader Section 524B premarket cybersecurity guidance. AAMI CR34971 (AI risk extension to ISO 14971) and NIST AI RMF round out what reviewers expect to see referenced.

Question 2

What's a PCCP and do I need one?

Accepted Answer

A Predetermined Change Control Plan lets you describe and pre-authorize specific model changes (retraining cadence, new data sources, performance thresholds) so you can update post-clearance without a new submission. If your model will change after launch - and most do - you need one.

Question 3

How is AI threat modeling different from regular threat modeling?

Accepted Answer

Standard STRIDE doesn't cover model-specific risks: training data tampering, adversarial inputs, model inversion, prompt injection. We extend STRIDE with MITRE ATLAS and OWASP ML Top 10 so the threat model covers the actual attack surface - and so AAMI CR34971 risk controls have something to map to.

Question 4

Do you test LLM-based clinical features?

Accepted Answer

Yes. Prompt injection (direct and indirect), jailbreaks, tool-call abuse, hallucination characterization, and clinical-safety guardrail testing - including agentic and RAG features. We document failures in a format FDA can review.

Question 5

Will FDA actually reject my submission for missing AI security work?

Accepted Answer

Reviewers are increasingly issuing deficiencies on AI-specific items: missing PCCP, weak training data provenance, no adversarial robustness testing, inadequate transparency labeling. Getting ahead of it is faster and cheaper than responding to a hold.

Question 6

How do you address bias and fairness as a postmarket monitoring obligation?

Accepted Answer

Performance drift and bias drift are now postmarket cybersecurity-adjacent obligations - FDA's 2025 draft AI guidance and the GMLP principles both treat unintended population subgroup disparities as a quality and safety signal that must be monitored. We help define the demographic and clinical-context slices to monitor, set the threshold and trigger logic for retraining or labeling updates, integrate the monitoring with the PCCP, and document everything in a format reviewers and notified bodies expect. Bias monitoring also feeds the safety-risk file under AAMI CR34971, so a single monitoring pipeline serves both regulatory tracks.

Question 7

What about third-party foundation models and AI APIs - does FDA care about supply chain there?

Accepted Answer

Yes, increasingly. If your device or clinical workflow calls a third-party LLM (OpenAI, Anthropic, Google), uses an open-weights foundation model, or embeds a third-party CV/NLP component, that supplier sits in your AI supply chain and must appear in your SBOM with version, source, and update mechanism. We extend the threat model to cover supplier-side risks (model deprecation, silent updates, prompt-injection lateral movement, data-exfiltration paths to the supplier), document the supplier-evaluation criteria, and provide BAA/DPA language for AI vendors that handle PHI. Skipping this is one of the fastest-growing AIR patterns we see.

Question 8

How do we handle model drift and retraining without triggering a new FDA submission?

Accepted Answer

That is exactly what the PCCP is designed to permit. The PCCP pre-authorizes a defined set of model changes - retraining on new data within stated bounds, tuning hyperparameters within a range, swapping in approved new data sources - so long as performance remains within pre-specified limits and the change-control process is followed. We help you write a PCCP that's broad enough to cover the changes you actually want to make in the next 12-24 months, narrow enough that FDA will accept it, and operationalized enough that engineering can ship retrains without a regulatory gating step on every release.

Question 9

What are the transparency labeling requirements and how granular do they need to be?

Accepted Answer

FDA's 2025 draft AI-Enabled Device Software Functions guidance asks for transparency about device function, performance, training data characteristics, intended user, intended use environment, limitations, and maintenance. Practically that means a model card-style summary in the labeling, a separate user-facing explanation of how the model behaves on edge cases, demographic-performance breakdowns where clinically relevant, and a clear statement of what the device does and does not do. We draft the transparency artifacts in plain English, validate them against the relevant guidance section, and integrate them with your IFU and clinician-facing materials.

Question 10

How does AI security work integrate with our broader SDLC and quality system?

Accepted Answer

AI security artifacts (threat model, adversarial test results, PCCP, transparency labeling, drift-monitoring plan) need to live inside your SDLC and QMS, not as a parallel program. We integrate the deliverables with your design controls (21 CFR 820.30), risk management file (ISO 14971 + AAMI CR34971), software-of-unknown-provenance documentation (IEC 62304), and post-market surveillance plan. The result is one inspectable system - so when an FDA reviewer or notified body asks how AI risks map to your QMS, the answer is in your existing files rather than a separate AI binder that has to be reconciled.

AI Attacks Are Real. FDA Expects You to Defend Against Them.

Why generic pen tests miss AI risk

The model is part of the attack surface

Risk lives in the data, not the code

FDA wants the lifecycle, not a snapshot

AI attack surface we cover

Adversarial inputs (evasion)

Training-time attacks (poisoning & backdoors)

Privacy attacks

LLM & generative-feature risks

AI/ML-specific attack surface

How we engage

1 · AI threat model

2 · Adversarial test plan

3 · Test execution

4 · PCCP & transparency artifacts

5 · Lifecycle & monitoring plan

Reviewer-ready deliverables in one engagement

Public premarket cybersecurity history

FDA AI/ML cybersecurity draft guidance (Jan 2025)

DICOM PE-in-preamble research (reinforced for AI ingest)

Related Premarket services

Full-Service FDA Premarket Cybersecurity

FDA Deficiency Response

FDA-Compliant SBOM Services

AI/ML security FAQs

Backed by MedTech leaders.

AI/ML Medical Device Security - scoped, fixed-fee, FDA-ready.