AI SaMD Playbook
    Talk to us →
    ← Back to crosswalk
    FDA
    United States · Food and Drug Administration

    The FDA's AI/ML SaMD playbook.

    The FDA has moved further than any other regulator on AI-enabled SaMD · publishing a public list of authorized devices, finalising the Predetermined Change Control Plan (PCCP) guidance, and setting expectations around Good Machine Learning Practice that the rest of the world is now adopting.

    Posture · Leading · statutory pathway, lifecycle-awareLast reviewed · April 2026
    Key facts
    Authorized AI/ML devices
    1,000+
    PCCP final guidance
    Aug 2025 (reissued)
    Primary submission
    510(k) · De Novo · PMA
    Cybersecurity guidance
    Feb 2026 (final)
    §01

    Predetermined Change Control Plans

    The PCCP lets a manufacturer pre-authorize a defined set of model modifications without a new marketing submission. It is not a blank check: the plan must specify exactly what may change, how the change will be implemented, and how its impact will be assessed.

    • Description of Modifications · what specifically can change (weights, thresholds, input modalities).
    • Modification Protocol · the methods, data, performance criteria, and verification used.
    • Impact Assessment · how the change affects safety, effectiveness, and the benefit-risk profile.
    • Anything outside the PCCP is an unauthorized change · and a recall risk.
    §02

    Good Machine Learning Practice (GMLP)

    Co-authored with Health Canada and the MHRA, the ten GMLP principles are now the default lens through which reviewers read AI/ML submissions. They are not regulation, but deficiency letters routinely cite them.

    • Multi-disciplinary expertise across the product lifecycle.
    • Good software engineering and security practices baked in.
    • Clinical study participants and data sets representative of the intended population.
    • Human-in-the-loop performance and monitoring of deployed models.
    §03

    Cybersecurity for AI-enabled devices

    The FDA's February 2026 cybersecurity guidance · which supersedes the 2023 and June 2025 versions · folds Quality Management System considerations directly into the premarket submission. For AI SaMD that means the QMS must demonstrably govern the model lifecycle: threat models include the model itself (poisoning, evasion, extraction, prompt injection), and the SBOM reflects the ML stack and third-party model dependencies.

    • QMS evidence · secure development, design controls, and supplier management explicitly tied to the ML pipeline.
    • SBOM coverage of ML frameworks, model artifacts, and tokenizer/weights provenance.
    • Vulnerability management plan with explicit handling of model-layer CVEs.
    • Secure update mechanism aligned with the PCCP's modification protocol.
    §04

    Transparency and labelling

    The October 2024 draft guidance on AI-enabled device software functions raises the bar on what manufacturers must communicate to users · intended use, model inputs and outputs, performance by subgroup, known limitations, and the clinician's role in interpreting results.

    ← Previous
    Health Canada
    Next →
    EU AI Act × MDR