Why Compliance Technology Is About to Get Interesting
The enterprise software market has a pattern: an industry runs on old software for a long time, then a structural change makes the old software obviously inadequate, and a wave of new companies captures the replacement. CRM ran on spreadsheets and rolodexes until Salesforce. Financial modeling ran on spreadsheets and terminal windows until Bloomberg, then until modern fintech. HR ran on spreadsheets and filing cabinets until Workday.
Pharmaceutical compliance is running on spreadsheets. In 2026.
This isn't for lack of trying. The incumbents — Veeva, MasterControl, Pilgrim (now ETQ), TrackWise — have been selling quality management systems into regulated industries for decades. Their products exist, companies pay for them, and auditors accept them. The problem is that they were designed in an era of paper binders and periodic audit cycles, not continuous compliance monitoring and real-time supply chain visibility.
The structural change that's going to force a reckoning: AI-powered document processing that makes manual data entry economically indefensible.
The Current State Is Worse Than You Think
Let me describe what a typical pharmaceutical supplier qualification process looks like today.
A regulated pharmaceutical manufacturer must verify that every supplier providing materials used in their products meets quality standards. This means collecting documentation — certificates of analysis, GMP certifications, audit reports — and verifying them against specifications before any material enters the supply chain.
In practice:
A purchasing employee emails a supplier requesting their current GMP certificate. The supplier's quality team finds the certificate in their own system, downloads it as a PDF, and sends it back. The purchasing employee downloads the PDF, checks the expiration date, and files it in a SharePoint folder organized by supplier name. They log the receipt in a spreadsheet. When the certificate expires in a year, someone (theoretically) will remember to request a new one.
At audit time, the quality team exports the spreadsheet, prints the PDFs, assembles a binder, and presents it to the FDA inspector. If the inspector asks for certificate history for a specific supplier, the quality team searches the SharePoint folder and the spreadsheet.
This is not a niche or edge-case process. This is the baseline at a significant fraction of pharmaceutical and medical device companies — including large ones.
The reasons are structural. Changing compliance processes at a regulated company requires validation of the new system, which requires time and money. The FDA has specific requirements for how electronic records are maintained (21 CFR Part 11), and meeting those requirements is genuinely complex. The people making the decision to change are often QA directors who are measured on audit outcomes, not on efficiency — and the current process, however inefficient, passes audits.
So the system persists.
Where AI Enters
Document processing is now a solved problem at a level of quality that was unachievable five years ago.
A GMP certificate is a structured document. It has an issuing authority, an expiration date, a certificate number, a list of activities covered, and a company name. A modern vision-language model can extract these fields from a PDF with accuracy rates that match or exceed human processing, at a fraction of the cost, in milliseconds.
For pharmaceutical compliance, this changes the economics of document intake fundamentally. The labor-intensive part of supplier qualification — collecting documents, extracting relevant data, filing them, and checking expiration dates — can be automated. The human role becomes exception handling: reviewing extractions where the model wasn't confident, approving non-standard documents that don't fit the expected format, and making judgment calls about whether a specific deviation from specification is acceptable.
This is happening. The technology works. The bottleneck is now the compliance data model underneath, not the AI layer on top.
The Compliance Data Model Problem
The reason the AI layer alone doesn't solve the problem: the underlying data model that most quality management systems use was designed for paper.
A paper-based system thinks of a GMP certificate as a document: an artifact to be stored, associated with a supplier, and retrieved. The relevant questions are: do we have it? Is it current? Where is it filed?
An integrated compliance data model should think of a GMP certificate as structured data with rich relationships: this certificate, issued by this notified body, is valid through this date, for these activities, under this regulatory framework, and is referenced by these supplier qualification records, which are in turn referenced by these incoming material assessments, which are referenced by these batch records.
With that model, you can answer questions that are currently impossible without manual research:
- If this certificate expires next month, which of our products are affected?
- If this supplier loses their GMP status, what do we need to quarantine?
- If the FDA issues a warning letter about a notified body, which of our suppliers might be affected?
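The three questions above are graph traversals once the certificate-to-batch chain is stored as relationships; this added example (not Cohera's code, with constructed sample records and hypothetical ids) walks that chain in plain Python:

```python
from datetime import date, timedelta

# Constructed sample records (hypothetical ids). The chain follows the post:
# certificate -> supplier qualification -> material assessment -> batch -> product.
CERTIFICATES = {
    "GMP-001": {"supplier": "SUP-A", "notified_body": "NB-1", "valid_until": date(2026, 4, 15)},
    "GMP-002": {"supplier": "SUP-B", "notified_body": "NB-2", "valid_until": date(2027, 1, 31)},
}
QUALIFICATIONS = {  # supplier qualification record -> certificates it relies on
    "SQ-A": {"supplier": "SUP-A", "certificates": ["GMP-001"]},
    "SQ-B": {"supplier": "SUP-B", "certificates": ["GMP-002"]},
}
MATERIAL_ASSESSMENTS = {  # incoming material assessment -> qualification it relies on
    "MA-101": {"material": "API-X", "qualification": "SQ-A"},
    "MA-102": {"material": "EXC-Y", "qualification": "SQ-B"},
}
BATCHES = {  # batch record -> assessments used and the product made
    "B-1": {"product": "Drug-1", "assessments": ["MA-101", "MA-102"]},
    "B-2": {"product": "Drug-2", "assessments": ["MA-102"]},
}


def batches_depending_on(cert_ids):
    """Walk downstream from a set of certificates to the batch records that rely on them."""
    quals = {q for q, rec in QUALIFICATIONS.items() if set(rec["certificates"]) & set(cert_ids)}
    assessments = {a for a, rec in MATERIAL_ASSESSMENTS.items() if rec["qualification"] in quals}
    return sorted(b for b, rec in BATCHES.items() if set(rec["assessments"]) & assessments)


def products_affected_by_expiry(today, within_days=30):
    """Which products depend on a certificate expiring within the horizon?"""
    horizon = today + timedelta(days=within_days)
    expiring = [c for c, rec in CERTIFICATES.items() if today <= rec["valid_until"] <= horizon]
    return sorted({BATCHES[b]["product"] for b in batches_depending_on(expiring)})


def batches_to_quarantine(supplier):
    """If a supplier loses GMP status, every batch built on its certificates is suspect."""
    certs = [c for c, rec in CERTIFICATES.items() if rec["supplier"] == supplier]
    return batches_depending_on(certs)


def suppliers_using_notified_body(notified_body):
    """If a notified body is called into question, which suppliers hold its certificates?"""
    return sorted({rec["supplier"] for rec in CERTIFICATES.values() if rec["notified_body"] == notified_body})
```

The same three queries against a document-storage model would each require someone to open the spreadsheet, then the batch records, by hand.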
The incumbent quality management systems have the document-storage version. They store certificates and link them to suppliers. But the relationship graph is shallow, the data model is poorly normalized, and the integration with other enterprise systems (ERP, LIMS, batch record systems) is limited.
Building a compliance platform that can answer the relationship questions above requires a fundamentally different architecture. Not an add-on to an existing document management system — a new data model with integrations as a first-class design requirement.
What the Next Generation Looks Like
I'll describe what we're building at Cohera, but the architectural pattern is the same regardless of which company builds it.
Integration-first: The compliance data layer needs to connect to the systems where the underlying facts live — the ERP (what materials are we using?), the LIMS (what tests have we run?), the batch record system (which batches used which materials?). These integrations can't be manual data exports. They need to be live connections.
Event-driven compliance monitoring: Instead of periodic certification collection, the system should monitor compliance events in real time. A certificate is expiring in 90 days. A supplier just received an FDA warning letter (automatically detected via regulatory intelligence feed). A batch was created using a material from an unqualified supplier. Each of these events should trigger automated workflows.
Audit trail by design: 21 CFR Part 11 requires electronic records to have audit trails that capture who did what, when, and why. This can't be bolted on afterward. The data model needs to represent state changes as immutable events — every modification to a compliance record creates a new event, linked to the previous state, with attribution and timestamp. This is the append-only log pattern from database design, applied to compliance data.
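As an added illustration of the append-only pattern (example code, not Cohera's implementation), each state change below becomes an event carrying who, when and why, linked to the previous event by its hash; the hash link is this example's assumption for "linked to the previous state", and any later in-place edit breaks verification:

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(event: dict) -> str:
    # Canonical JSON (sorted keys) so identical content always hashes identically.
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only event log for one compliance record, e.g. a GMP certificate."""

    def __init__(self, record_id: str):
        self.record_id = record_id
        self.events = []  # never rewritten; only appended to

    def append(self, actor: str, reason: str, changes: dict, when: datetime = None) -> str:
        prev_hash = self.events[-1]["hash"] if self.events else None
        event = {
            "record_id": self.record_id,
            "seq": len(self.events),
            "prev_hash": prev_hash,  # link to the previous state
            "actor": actor,          # who
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),  # when
            "reason": reason,        # why
            "changes": changes,      # what changed (field -> new value)
        }
        event["hash"] = _digest(event)
        self.events.append(event)
        return event["hash"]

    def current_state(self) -> dict:
        """The record's present state is the fold of all events, never a mutable row."""
        state = {}
        for ev in self.events:
            state.update(ev["changes"])
        return state

    def verify(self) -> bool:
        """Recompute every hash and link; any edit or gap after the fact returns False."""
        prev = None
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["seq"] != i or ev["prev_hash"] != prev or _digest(body) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True
```

A production system would persist the events to append-only storage and anchor the latest hash somewhere the application cannot rewrite; the in-memory list is only for illustration.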
AI-assisted, not AI-automated: Fully automated compliance is a trap. Regulators expect human decision-making at critical control points. The right architecture uses AI to handle the mechanical work (document extraction, duplicate detection, expiration monitoring) while routing decisions that require judgment to human reviewers. The AI is the intake mechanism; the human is the decision-maker.
The Market Timing Question
Why now? The AI capabilities have existed in some form for several years. Why is this the moment?
Three things are converging.
Model quality crossed a threshold. There's a difference between AI that gets document extraction right 80% of the time and AI that gets it right 98% of the time. At 80%, you need humans reviewing everything, making the ROI marginal. At 98%, you need humans reviewing the 2% of exceptions, and the economics are transformative. We're past the threshold for structured pharmaceutical compliance documents.
Supply chain pressure has made the status quo expensive. The COVID-19 pandemic exposed how fragile pharmaceutical supply chains are when you have poor visibility into supplier status. The regulatory response — increased FDA scrutiny of supply chain controls — created demand for better tooling.
The enterprise software buying environment has changed. Regulated companies have become more willing to adopt modern SaaS, particularly if it integrates with their existing systems rather than replacing them. The "don't touch what works" mentality is giving way to "integrate what works with what's better." This reduces the activation energy for adopting new compliance infrastructure.
What Won't Change
One thing that's easy to get wrong when building in this space: assuming that because the technology has changed, the compliance requirements will change to match.
They won't, at least not in the timeframe that matters for a company you're building today.
21 CFR Part 11 was written in 1997. It has been updated once, with guidance in 2003. The FDA's approach to validating computer systems used in regulated processes has been remarkably stable for twenty-five years. The core requirements — audit trails, access controls, electronic signature, system validation — aren't going away, and they're not being rewritten to accommodate AI.
This means building compliance technology requires understanding the regulatory framework deeply, not optimistically. You cannot cut corners on audit trail requirements because they're inconvenient to implement. You cannot skip system validation because it slows down your release cycle. You cannot design away the requirement for human decision-making at critical control points because automating it would be more elegant.
The companies that will win in this space are the ones that take the regulatory requirements seriously enough to design around them, rather than treating them as obstacles to be minimized. The technology is the differentiator. The compliance rigor is the table stake.
The Opportunity
I've been building in regulated industries for five years. The software is bad, the incumbents are slow to change, and the problems are real. Quality failures in pharmaceutical manufacturing have human consequences — patient safety, not just business outcomes.
There's a meaningful opportunity to build infrastructure that makes compliance less expensive, more reliable, and more transparent — without compromising the rigor that the regulatory framework requires. That's what we're doing at Cohera. It's hard, and it takes a long time to prove to a pharmaceutical manufacturer that you understand their world well enough to trust their compliance data to your software.
But it's the right problem to work on.
If you're building in this space, or thinking about it, I'm genuinely interested in comparing notes. The problems are large enough that there's room for multiple companies to do well.