In the healthcare and life sciences industries, speed saves lives, but meeting regulatory requirements and other administrative burdens often pumps the brakes for manufacturers of software as a medical device (SaMD). These devices include AI image analysis for cancer detection, diagnostic mobile apps for viewing MRIs, and software that can calculate insulin dosages.
Today, the medical device industry stands at an inflection point. We’re moving from reactive diagnostics to proactive, prognostic learning systems. Modern SaMD is a composite system where clinical functionality emerges from the interaction of embedded firmware, mobile apps, and cloud-resident services.
This shift requires a fundamental reimagining of how we demonstrate a state of control. More than just an alternative to on-premises servers, cloud infrastructure has become a superior foundation for regulated medical software.
The regulatory landscape of 2026: FDA QMSR and the EU AI Act
The regulatory environment in early 2026 is defined by a shift toward international harmonization and risk-based oversight. For organizations operating globally, two major milestones dominate the compliance roadmap.
The FDA QMSR Transition
The FDA aligned the Quality Management System Regulation (QMSR) 21 CFR Part 820 with ISO 13485:2016 earlier this year, reinforcing the value of cloud-native patterns that automate document control and change management.
Under the new Inspection of Medical Device Manufacturers Compliance Program, the FDA has moved away from the old Quality System Inspection Technique (QSIT) subsystems in favor of a risk-based strategy that prioritizes areas including change control and outsourcing. In this model, digital retention and automated audit trails are now recognized as primary objective evidence, reducing the industry’s reliance on manual paperwork.
The EU AI Act Applicability
As of August 2, the European Union AI Act enters its full applicability phase for the obligations on high-risk AI systems. For SaMD manufacturers, these requirements introduce rigorous data governance, transparency, and human oversight for medical devices.
The shift to Compliance as Code
We believe that in a world of continuously updated device platforms, the manual administrative control model doesn’t scale. Instead, we should embrace Compliance as Code (CaC). Five years ago, CaC was a competitive advantage, but today it’s a regulatory necessity.
In this model, compliance is expressed programmatically and enforced declaratively in the system. Because controls are implemented as platform policies, change control can be enforced at the pipeline gate, and evidence is generated operationally as a continuous byproduct of how the system runs. Since the system can’t operate outside its defined controls, we’re able to produce a persistent, defensible record for regulators.
The technical blueprint: The three-plane model
To achieve this state of continuous audit readiness, we organize our architecture into three distinct planes. This separation clarifies the distinction between technical enforcement and regulatory accountability.
1. The data plane covers how clinical or device data moves through the system to deliver its medical purpose — whether that is physiological telemetry from a wearable or medical images for diagnostic analysis. In Google Cloud, this plane handles functional boundaries and ensures data integrity through encryption at rest and in transit. We use Customer Managed Encryption Keys (CMEK) and Key Access Justifications to ensure the manufacturer retains ultimate control over decryption events, a critical requirement for HIPAA and GDPR compliance.
2. The control plane is the governance layer. It defines identity, network boundaries, and configuration constraints. In the 2026 architecture, the control plane uses Zero Trust principles. Instead of relying on a network perimeter, access is granted through Identity Aware Proxy (IAP) after evaluating the user’s identity, device security posture, and context. We also use the Organization Policy Service to programmatically prevent non-compliant configurations, such as the accidental creation of public data buckets.
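As an added illustration of the control plane described above (example code, not from the post or from Google Cloud), the following drift check evaluates a constructed resource inventory against declared constraints and turns every evaluation into a hash-chained evidence record. The constraint names are real Organization Policy constraints; the project id, domains and inventory entries are constructed sample data.

```python
import hashlib
import json

# Declared controls. The constraint names are real Organization Policy constraints;
# the allowed values are constructed for this example (the real resourceLocations
# constraint also accepts value groups such as in:eu-locations).
POLICY = {
    "constraints/gcp.resourceLocations": {"europe-west1", "europe-west4"},
    "constraints/storage.publicAccessPrevention": True,
    "constraints/iam.allowedPolicyMemberDomains": {"example-samd.com"},
}

# Constructed inventory in the shape of an asset export (project id is hypothetical).
INVENTORY = [
    {"type": "storage.Bucket", "name": "mri-archive", "location": "europe-west4",
     "members": ["group:radiology@example-samd.com"]},
    {"type": "storage.Bucket", "name": "tmp-export", "location": "us-central1",
     "members": ["allUsers", "user:contractor@gmail.com"]},
    {"type": "compute.Instance", "name": "infer-node-1", "location": "europe-west1",
     "members": ["serviceAccount:infer@samd-prod-example.iam.gserviceaccount.com"]},
]

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def evaluate(resource: dict, policy: dict = POLICY) -> list[str]:
    """Return the constraints a resource violates; an empty list means compliant."""
    violations = []
    if resource["location"] not in policy["constraints/gcp.resourceLocations"]:
        violations.append("constraints/gcp.resourceLocations")
    members = set(resource["members"])
    if (resource["type"] == "storage.Bucket"
            and policy["constraints/storage.publicAccessPrevention"]
            and members & PUBLIC_PRINCIPALS):
        violations.append("constraints/storage.publicAccessPrevention")
    # Only human principals (user:/group:) are checked against the domain allowlist here.
    human = [m.split("@", 1)[1] for m in members if m.startswith(("user:", "group:"))]
    if any(d not in policy["constraints/iam.allowedPolicyMemberDomains"] for d in human):
        violations.append("constraints/iam.allowedPolicyMemberDomains")
    return violations

def audit(inventory: list[dict] = INVENTORY) -> tuple[dict, str]:
    """Evaluate every resource; return (findings, head of the evidence hash chain).

    Every evaluation, compliant or not, becomes a JSON record that hashes in the
    previous record's digest, so a retained trail cannot be edited silently.
    """
    findings, prev = {}, "0" * 64
    for res in inventory:
        v = evaluate(res)
        if v:
            findings[res["name"]] = v
        rec = json.dumps({"resource": res["name"], "violations": v, "prev": prev}, sort_keys=True)
        prev = hashlib.sha256(rec.encode()).hexdigest()
    return findings, prev
```

Run `audit()` to see the single drifted resource flagged on all three constraints while the compliant resources still contribute records to the evidence chain.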
3. The evidence plane is where technical operations meet regulatory proof. It captures immutable audit trails, build attestations, and monitoring history. By using tools like Binary Authorization and Artifact Registry, we can cryptographically verify that only code that has passed all security and validation gates is allowed into production. This plane generates the software bill of materials (SBOM) and provenance metadata required by the FDA.
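An added example (not the post's or Google's code) of the admission gate the evidence plane relies on: a Binary Authorization-style check that admits a container image only when every required attestor has signed its manifest digest. The attestor names, image reference and keys are constructed, and HMAC stands in for the asymmetric signatures a real attestor uses.

```python
import hashlib
import hmac
import json

# Attestor signing keys. HMAC keys stand in for the asymmetric (PKIX/PGP) keys a real
# attestor uses; both values are constructed for this example.
ATTESTOR_KEYS = {
    "build-provenance": b"constructed-build-key",
    "clinical-validation": b"constructed-validation-key",
}

# Modelled on a Binary Authorization policy's requireAttestationsBy: a production
# image must carry a valid attestation from every attestor listed.
REQUIRED_ATTESTORS = ["build-provenance", "clinical-validation"]

def payload_for(digest: str) -> bytes:
    """Canonical signed payload, modelled on the simple-signing format: it binds the
    attestation to the image manifest digest, never to a mutable tag."""
    body = {"critical": {"image": {"docker-manifest-digest": digest},
                         "type": "Google cloud binauthz container signature"}}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, digest: str) -> str:
    """Signature over the payload for one digest (HMAC as a stand-in)."""
    return hmac.new(key, payload_for(digest), hashlib.sha256).hexdigest()

def attest(attestor: str, digest: str) -> dict:
    """Pipeline gate output: the attestor vouches for exactly this digest."""
    return {"attestor": attestor, "digest": digest, "sig": sign(ATTESTOR_KEYS[attestor], digest)}

def verify(attestation: dict, digest: str) -> bool:
    """True only if a known attestor signed the payload for this exact digest."""
    key = ATTESTOR_KEYS.get(attestation["attestor"])
    if key is None or attestation["digest"] != digest:
        return False
    return hmac.compare_digest(attestation["sig"], sign(key, digest))

def admit(image: str, attestations: list[dict],
          required: list[str] = REQUIRED_ATTESTORS) -> tuple[bool, list[str]]:
    """Decide whether a deployment may run; return (allowed, denial reasons)."""
    _ref, _, digest = image.partition("@")
    if not digest.startswith("sha256:"):
        # A tag can be re-pointed after attestation, so only digests are admissible.
        return False, ["image not pinned by digest"]
    reasons = [f"missing or invalid attestation from {a}" for a in required
               if not any(verify(att, digest) for att in attestations if att["attestor"] == a)]
    return (not reasons), reasons
```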
Scaling for the agentic enterprise
As AI matures from answering questions to reasoning and taking action, AI agents can assist with autonomous compliance monitoring, replacing weeks of manual review with continuous oversight while providing human-in-the-loop triggers for final quality sign-off.
Google’s AI-optimized infrastructure provides the backbone for innovation, where nodes and pods start up faster and models load quicker, helping to ensure that SaMD agents are ready the moment a clinician or patient engages with the system. This responsiveness is essential for clinical scenarios where latency can affect patient outcomes.
Managing risk in the cloud
Adopting cloud infrastructure does not remove a manufacturer’s responsibility for safety and performance. However, it changes the implementation model from shared responsibility to shared fate — where the cloud provider provides the technical primitives (like Assured Workloads for data residency) while the manufacturer configures them to implement their specific quality system.
As we detail in our new whitepaper, Building Software as a Medical Device (SaMD) on Cloud Infrastructure, shared fate provides a superior model to address common SaMD risks:
- Policy drift: Enforcing organizational policies to prevent disallowed regions or weak IAM settings.
- Audit visibility: Implementing non-repudiable Data Access Logs and Key Access Justifications (KAJ) to ensure every interaction with sensitive clinical data is captured as immutable evidence for long-term retention.
- Supply chain integrity: Using cryptographically signed attestations to prevent unverified artifacts from reaching production.
You can read the full report here.