SPEAKERS:
- Xingchu Liu, SVP and Chief Data and Analytics Officer, U.S. Pharma Commercial Operations, Genentech
- Chuck Sachs, Director, US Commercial Innovation, AstraZeneca
- Darshan Joshi, Head of Commercial Data Management and Analytics, DD&T, Takeda
- Nadia Tantsyura, Executive Director, Worldwide Omnichannel Excellence Insights & Measurement, Bristol Myers Squibb
- Moderator: J. Cris Salinas, MD, Head of Global Industry Strategy, Healthcare and Life Sciences, Adobe
KEY TAKEAWAYS:
· Governance maturity built for traditional AI does not transfer to agentic frameworks — organizations restart from zero
· Architecture decisions are now commercial strategy decisions, not IT infrastructure line items
· Most pharma organizations have AI review boards but lack pre-approval pilot guidance, a structural bottleneck with measurable costs
· Risk-tiering governance to actual threat level rather than AI category is the single fastest unlock for deployment speed
· The organizations advancing fastest run parallel governance tracks simultaneously, not a single model that matures linearly
At Reuters Events: Pharma USA, Dr. Salinas opened with a show of hands that said more than most slide decks. Nearly every hand in the room went up when he asked how many organizations had a CoE or review board required to evaluate new platform technology or AI. Then he asked a second question: how many organizations give teams the opportunity to run a pilot before entering that CoE process, with guidance already in place to operate from. Far fewer hands. The gap between those two responses is not a process deficiency. It is the structural signature of an industry that has learned to govern what it already understands but not what it hasn't yet tried.
That asymmetry set the terms for everything that followed. Dr. Salinas had framed the session's organizing question moments earlier: many organizations are investing in platforms before they align on data standards, compliance frameworks, or ownership models. What does a governance-first strategy actually look like in pharma, and how do you operationalize it before you even start? The panel, drawing on deployments at Genentech, AstraZeneca, Takeda, and BMS, converged on a finding that should unsettle any organization that believes its governance investment is complete. The maturity cycle resets with each technology generation.
Governance Was the Prize. Then Agentic AI Arrived.
The industry did not arrive at governance-as-accelerator easily. Years of redundant pilots, ballooning costs, and cross-functional collisions with legal and compliance produced something valuable: a shared understanding that governance is the structural prerequisite for AI scale, not its enemy. Genentech encoded that understanding in the language it uses internally.
"At Genentech, we’ve shifted the narrative by branding our governance as an ‘AI Accelerator’," said Xingchu Liu. "We help our teams understand that being ‘slow’ in the foundational stages—setting up proper standards and compliance—is exactly what allows us to be fast when it is time to scale."
The rebranding worked not because it changed the compliance process but because it changed the organizational story employees told themselves about why that process existed.
BMS offers the clearest proof that governance maturity, once achieved, produces real output. "If you're following BMS, you have heard about the Mosaic Content Hub that we rolled out," said Nadia Tantsyura. "What it does deploys content in a very compliant way. But we now have the ability to generate content at scale, at speed, and at much bigger efficiency than it had previously been — with guardrails about prompting, about how we are reviewing this content, about the approval process as well as the deployments." This is what governance maturity looks like when it reaches operating scale: compliance guardrails embedded in production architecture, not bolted on in review.
The warning sign is what happens when organizations skip that build. "Without governance, it's going to become an expensive chaos," said Darshan Joshi. "That's also what a lot of organizations are seeing." The organizations doing expensive retrofitting now are the ones that treated governance as a downstream concern during the first wave of AI deployment.
Then agentic AI arrived, and the assumption became universal.
"With agentic AI, again we are back to square one where we are putting together the centralized team — cross-functional legal, compliance — trying to really understand what can and cannot be done with this technology and how far we can push it," Tantsyura said. "You should be able to differentiate your traditional AI — a lot more streamlined, takes much less time to implement — versus all of these new things like agentic AI."
BMS is now running centralized exploratory governance for agentic AI alongside the federated governance it built for traditional AI. Both tracks are live simultaneously. Neither is optional.
This is the paradox the session exposed. Governance is supposed to enable speed at scale. Each new technology generation resets the governance maturity clock to zero while requiring organizations to maintain the infrastructure they built for the generation before. The prize for mastering governance is discovering it must be mastered again — at greater organizational complexity, because now two models run in parallel instead of one.
Architecture Is the Moat. HCPs Already Know It.
While the governance paradox is primarily an internal organizational challenge, the competitive consequence plays out at the point of HCP engagement. The framing shift starts with how the problem is categorized.
"Omnichannel is no longer a channel problem, it's an architecture problem," said Joshi. "Data becomes a moat, your architecture becomes a moat. You have to really start thinking about architecture much, much ahead — and the types of platform which are going to orchestrate this along with the AI — because it changes the way you think about the business processes within the organization."
Organizations still treating architecture as an IT infrastructure decision are misclassifying it. Architecture choices made today are commercial strategy decisions with multi-year competitive consequences.
The urgency of that reframe is visible in HCP behavior that is already shifting. "HCPs are more and more interested in engaging with channels such as Open Evidence," Tantsyura said. "They no longer have time to go to multiple platforms trying to consume and synthesize the information. We as pharma also need to understand that shift — from generating maybe the same content over and over again and sending it to HCPs through different platforms — toward hyper-personalized content: what is really this HCP interested in, what are the barriers that this HCP has to address." Open Evidence is not a theoretical future-state platform. It is a named, actively used tool reshaping how physicians consume clinical information today, and the content-volume model is already losing relevance at the point of care.
That creates a specific constraint on omnichannel enthusiasm that Chuck Sachs put plainly. "We have more data than we've ever had before and we have the ability to link the strategy to that data through the omnichannel engine. But you're only going to get so many shots on goal with the HCP. And while the next best message that we want to give the HCP is a very educated guess, there's still some guesswork involved. We're all in the relationship business at the end of the day." More data sophistication does not eliminate relational risk. It can increase the penalty for miscalibration, because a hyper-personalized message that misses becomes more conspicuously wrong than a generic one.
The harder question sits underneath both of those challenges. "All of those guardrails that we've put in place to protect patients from practicing medicine on their own by asking medical questions and going off and doing something ill-informed — they're all gone," Sachs said. "Security through control of information is not a solution. What happens when the information gets out and you can't wall it off anymore?" AI platforms are collapsing the channel segmentation between HCP-facing and patient-facing content faster than regulatory frameworks can adapt. The architecture that enables hyper-personalized HCP engagement must simultaneously maintain compliant audience segmentation in an environment where those walls are structurally weakening. No panelist claimed to have a complete answer. That absence is itself diagnostic.
Risk-Tiering Breaks the Governance Logjam
The most actionable intervention for organizations experiencing governance bottlenecks costs nothing to implement and requires no new technology: calibrate scrutiny to actual risk rather than to category. The current default — treating all AI with the same review intensity because it is AI — generates internal frustration that progressively undermines governance buy-in. Sachs named this directly.
"There's risky traditional AI, there's risky agentic AI, there's lower-risk traditional AI and lower-risk agentic AI," he said.
"Making sure that you tailor your governance to the appropriate risk level — just like every other business decision or tech investment you would make — is critical to ensuring that you don't get caught up in a morass of doing the same process for something that's super risky as for something that everyone would understand is not as risky."
A rep copilot surfacing pre-call planning information inside an existing Veeva workflow is not the same governance problem as an AI system synthesizing clinical trial data into brand strategy recommendations. Treating them identically wastes compliance resources and builds organizational resistance to the governance function itself.
Joshi formalized this into a three-tier framework at Takeda. Tier one covers low-risk, high-return tools — rep copilots, omnichannel copilots, market research assistants — where experimentation within existing ecosystems carries limited regulatory exposure. Tier two covers marketing automation and MLR processes, where legal and regulatory involvement becomes necessary. Tier three is the category every pharma company is racing toward: an AI system capable of synthesizing clinical trial data, conference presentations, market research, and transactional records into disease area strategy. "This is the most high, high risk area," Joshi said. "We don't have a real answer over there." The framework is useful precisely because it makes that uncertainty explicit rather than treating all three tiers as equivalent unknowns.
BMS has operationalized the time dimension of this calibration. "Gone are the days when you had unlimited funding to run pilots you wanted to run," Tantsyura said. "We condensed the timelines — before it used to be unlimited time; now you have to show the results within the three-month time period.
Leadership now is expecting that before we even start working on anything, we have very clearly defined value — not just slides, but demos — showing every two weeks what progress has been made." A hard pilot window with biweekly accountability replaces open-ended exploration. The three-month constraint is not primarily a cost control mechanism. It is a forcing function that surfaces adoption problems and compliance friction early enough to address them without sunk-cost pressure.
One governance actor most technology conversations still overlook is procurement. "Procurement is also having a seat at the table," Joshi said. "Procurement along with legal has been really driving conversation much earlier on in the journey of AI, so that you don't have to do expensive retrofitting of all this from a regulatory standpoint. That has been the big learning." Procurement's earlier entry into AI investment decisions is preventing downstream regulatory costs — but it also introduces a new friction point at the front of the pipeline that organizations haven't fully mapped into their governance timelines.
The Capability No One Named But Everyone Described
Dr. Salinas posed the question that crystallizes the regulatory specificity of the pharma context: pharma operates in a very different space, with strict regulatory oversight — how are organizations responsibly deploying AI while ensuring compliance and maintaining audit visibility? The session produced multiple frameworks in response. What it did not produce — because no panelist named it explicitly — is the capability that connects all of them.
The measurement dimension points toward it. "It's no longer about Gen AI insights," Liu said. "We need to measure also the activities that are taken upon those insights and then what's the outcome of that. That's the next level we're trying to get into." The people dimension confirms it. "Do we have the leadership alignment? Do we have the team operationally scalable? This is about your deployment, driving the change management and thinking through the end-to-end pull-through," Liu said. Both observations describe organizations that must hold multiple operational modes simultaneously, not transition from one to the next.
The capability is governance ambidexterity: the organizational capacity to run parallel governance tracks at different speeds and scrutiny levels for different risk tiers, without collapsing them into a single process. Tantsyura confirmed BMS is already doing this — federated governance for traditional AI, centralized cross-functional review for agentic AI, both live at the same time. Joshi described the "ambidextrous organization" in terms of operations versus experimentation. The evidence suggests the same structural demand applies to governance itself.
Liu's measurement evolution — tracking not just AI outputs but actions taken and outcomes produced — requires governance infrastructure that spans from content generation through field execution through business impact, across multiple compliance regimes simultaneously. That is a different organizational design problem than the one pharma solved when it first built centralized AI review boards.
The organizations advancing fastest are not the ones with the most mature governance model. They are the ones that can operate multiple governance models in parallel — applying proportionate scrutiny through risk-tiering, maintaining federated guardrails for known-risk categories, and restarting centralized review for emerging ones — without treating each new technology generation as a crisis that suspends everything else. The diagnostic question for any leadership team is not whether your governance is mature. It is whether your governance architecture can absorb the next generation before this one has finished scaling — and whether you have already started building the answer.
To get you highlights of Pharma USA 2026 faster, we are using generative AI technology to summarise the transcripts of the sessions. If you have any feedback about the summary, please contact lucy.fisher@thomsonreuters.com.
Discover more on this topic at Pharma Customer Engagement USA 2026 (October 27-28, Philadelphia) - where commercial, marketing, medical, data and AI pioneers converge. Explore the agenda here.