Third Penguin Consulting

IQ/OQ/PQ: The FDA's 30-Year Software Playbook, Applied to AI

June 15, 2026

AI Validation, IQ/OQ/PQ, Compliance

Most organizations deploying AI can answer one question: “Are we documented?” They have policies, framework mappings, and a governance binder. Far fewer can answer the question regulators and auditors actually ask: “Are we validated?”

Documentation describes intent. Validation proves performance. The gap between the two is where enforcement actions live, and closing it doesn’t require inventing a new discipline. It requires borrowing a proven one.

A methodology with a 30-year track record

Long before “AI governance” was a category, the FDA required medical-device software to be validated through a three-stage methodology: Installation Qualification, Operational Qualification, and Performance Qualification (IQ/OQ/PQ). It has governed safety-critical software for three decades. Applied to AI, it looks like this:

Installation Qualification (IQ)

Confirm the AI system is correctly configured, deployed, and integrated in its intended environment, with documented evidence of setup and data lineage. Before you can trust an output, you have to prove the thing producing it is the thing you think it is, running where you think it runs, on the data you think it uses.

Operational Qualification (OQ)

Test the system against defined specifications across expected operating conditions: accuracy, fairness, robustness, and boundary behavior. This is where you move from “it worked in the demo” to “it behaves within defined bounds across the conditions it will actually face.”

Performance Qualification (PQ)

Prove the system performs reliably in real-world use over time, with drift monitoring, escalation thresholds, and ongoing re-validation. Models degrade. PQ is the discipline that catches it before an auditor (or a patient) does.
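
The three stages above, sketched as checks that each emit an evidence record. This is an added example, not code from the original post or from Third Penguin. The artifact names, the 0.95 accuracy spec, the choice of Population Stability Index as the drift measure, and the 0.2 escalation threshold are all assumptions, and in practice the approved manifest would be signed and stored apart from the deployment it describes.

```python
import hashlib
import math

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def iq_check(deployed: dict, manifest: dict) -> dict:
    """IQ: each deployed artifact must hash to the value in the approved manifest."""
    findings = [name for name, digest in manifest.items()
                if name not in deployed or sha256(deployed[name]) != digest]
    return {"stage": "IQ", "passed": not findings, "findings": findings}

def oq_check(predict, cases: list, min_accuracy: float) -> dict:
    """OQ: run the specified cases, boundary inputs included, against the accuracy spec."""
    failed = [x for x, expected in cases if predict(x) != expected]
    accuracy = 1 - len(failed) / len(cases)
    return {"stage": "OQ", "passed": accuracy >= min_accuracy,
            "accuracy": accuracy, "findings": failed}

def psi(baseline: list, live: list, edges: list) -> float:
    """Population Stability Index of live scores against the validation baseline."""
    def fractions(sample):
        counts = [0] * (len(edges) + 1)
        for v in sample:
            counts[sum(v >= e for e in edges)] += 1
        return [max(c / len(sample), 1e-6) for c in counts]  # floor avoids log(0)
    return sum((cur - ref) * math.log(cur / ref)
               for ref, cur in zip(fractions(baseline), fractions(live)))

def pq_check(baseline: list, live: list, edges: list, escalate_at: float) -> dict:
    """PQ: drift at or above the escalation threshold fails and triggers re-validation."""
    drift = psi(baseline, live, edges)
    return {"stage": "PQ", "passed": drift < escalate_at, "psi": round(drift, 3),
            "findings": [] if drift < escalate_at else ["re-validate: score drift"]}

# Constructed sample inputs (not from the original post).
APPROVED = {"model.bin": b"weights-v1", "config.yaml": b"threshold: 0.5",
            "train.csv": b"id,label\n1,0\n2,1\n"}
MANIFEST = {name: sha256(data) for name, data in APPROVED.items()}
CASES = [(0.1, False), (0.49, False), (0.5, True), (0.9, True)]  # 0.5 is the boundary
BASELINE = [0.1, 0.2, 0.3, 0.4, 0.6, 0.7, 0.8, 0.9]
LIVE = [0.6, 0.7, 0.8, 0.8, 0.85, 0.9, 0.9, 0.95]  # scores shifted upward
EDGES = [0.25, 0.5, 0.75]

if __name__ == "__main__":
    deployed = dict(APPROVED, **{"config.yaml": b"threshold: 0.4"})  # changed after approval
    for record in (iq_check(deployed, MANIFEST),
                   oq_check(lambda s: s > 0.5, CASES, min_accuracy=0.95),
                   pq_check(BASELINE, LIVE, EDGES, escalate_at=0.2)):
        print(record)
```

Run as a script, all three records fail: the config no longer matches its approved hash, the hypothetical model mishandles the 0.5 boundary case, and the live score distribution has drifted past the escalation threshold.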

Why this matters now

The regulatory window isn’t theoretical anymore. The deadlines have arrived:

  • Texas TRAIGA, in effect January 1, 2026: introduces intent-based liability and disclosure requirements for AI use in clinical settings.
  • FDA QMSR / SaMD, effective February 2026: requires documented validation of AI performance, data integrity, and ongoing monitoring for AI-enabled devices.
  • The HIPAA Security Rule update, final rule expected late 2026: adds access-control, audit-logging, and transmission-security expectations for any AI touching protected health information.
  • The Colorado AI Act (ADMT), effective January 1, 2027: adds impact assessments, bias audits, and multi-year recordkeeping.

One more thing worth knowing: NIST AI RMF compliance is the recognized safe harbor across most US state AI laws. Build one rigorous validation program and it maps to multiple jurisdictions, rather than chasing each statute separately.

Documented vs. validated

If your AI governance program can produce a policy but not a test result, you’re documented, not validated. When audits begin, that distinction is the whole game. The organizations positioned as compliance leaders in 2026 are the ones who can hand an auditor evidence, not intentions.

That’s the work we do: run the actual test cases, record the evidence, track the findings, and produce audit-ready reports across the frameworks that apply to you.
