Former FDA CIO Vid Desai Talks AI Opportunity And The End Of The Monolith

The healthcare sector is in the middle of a significant deregulation push. For most industries, that would signal lighter compliance requirements, and simpler operations. In healthcare, however, it signals the opposite: as formal regulatory oversight pulls back, the responsibility for safety surveillance shifts directly to private sector organizations, and most enterprise IT environments were never built to carry that weight. If regulators mandate automated, point-of-care AI surveillance, reporting rates could skyrocket. That turns compliance from a periodic submission exercise into a continuous operational function, one that demands connected systems, automated workflows, and the ability to respond in real time.

Vid Desai is the longest-serving Chief Information Officer in the history of the U.S. Food and Drug Administration. Before joining the agency in 2019, he spent over 30 years as a technology executive in pharmaceuticals, clinical research, and medical devices. At the FDA, he founded the Office of Digital Transformation, became the first CIO to report directly to the Commissioner, and oversaw a $1 billion IT portfolio. Now retired, he said the accelerating push to strip back oversight would not reduce the burden on technology leaders, but shift where that burden lands.

"As you reduce regulations, you increase risk. To balance that risk, you better have a very good safety surveillance system in place, which we currently do not have in healthcare," said Desai. He estimated that only 3 to 5 percent of adverse events in healthcare are reported at all. Physicians are busy, the follow-up burden is real, and unless a reaction is severe, there is little incentive to file a report. On top of that, reporting invites scrutiny from the regulatory agency, which means more questions at a time when clinicians have fewer hours to spare. That surveillance gap is exactly what deregulation is about to make every enterprise technology leader responsible for detecting, investigating, and resolving without the regulatory backstop they once relied on.

• Swiping for safety: Desai anticipates that regulators will eventually mandate EHR systems like Epic and Cerner to deploy AI agents at the point of care, automatically flagging and reporting anomalies in real time. He believes the shift could arrive within five years. He compared it to credit card fraud detection: when a consumer makes an unusual purchase, the system sends a verification prompt. "Credit cards already do this at scale," Desai said. "Technically it's feasible. That's the kind of system that is going to be required to deal with the deregulation that is going on."

• Outpacing the regulator: "I would argue that a company's internal safety surveillance system had better be more tuned than the regulatory authorities'," Desai said. When a regulator flags an anomaly, the company needs to already have an answer ready. The goal is to respond immediately with evidence that it is a false positive before the inquiry escalates into something harder to contain. That kind of response requires systems that connect data, teams, and workflows fast enough to act before the window closes.

That surge in real-time reporting is crashing into another massive transition: scientific advancement. Much of drug development is moving from traditional chemical treatments serving millions to personalized genetic therapies targeting patient groups as small as 5,000 or 10,000. That means more products reaching the market, each generating its own stream of safety data, while the submissions themselves have become enormously more complex.

• Trading trucks for terabytes: "It used to be that two or three large U-Haul trucks full of printed documents had to be submitted for a new drug application," Desai said. "We are now seeing terabyte-sized genetic databases sent to us at the agency. The complexity of data that's given to us is orders of magnitude greater." Large language models can at least help reviewers pinpoint where to look, but the volume of what they are being asked to process keeps growing.

• Volume versus velocity: And AI is feeding both sides of the equation. It accelerates drug discovery, which drives up submissions, while automated surveillance increases the reporting volume for every product already on the market. "More and more drugs are going to come out. More and more adverse events are going to get reported. The volume is just going to exponentially increase," Desai said. The FDA processed twice as many submissions in the past 20 years as it did in the 20 years before that, and he predicted the pace will double again within five years. For the organizations on the receiving end, the data flows do not stop at the submission. They continue through every inquiry, response, and follow-up that automated surveillance generates.

Meanwhile, regulators are managing this rising volume while bleeding talent. The FDA has lost roughly 25 to 30 percent of its workforce, pushing the agency to lean on internal, agency-wide AI tools like ELSA to absorb the work that staff reductions left behind. Desai estimated that deploying large language models as co-pilots or co-reviewers yields roughly a 15 to 20 percent efficiency gain. But the FDA has already lost 30 percent of its people, meaning AI is not creating a faster agency. It is keeping a smaller one from falling further behind. And the tools themselves raise the bar. "It's going to catch more things than a human was able to catch," Desai said, which means the regulatory scrutiny facing sponsors is not decreasing. It is being applied more precisely. Organizations running compliance on disconnected systems and manual handoffs are not built to absorb that.

• Simple beats slick: Desai pointed to a practical example. One of the first things a reviewer does with a submission is look for places where the data contradicts itself. AI tools that perform exactly this kind of cross-referencing are already commercially available. "These are the types of tools sponsors need to use before submitting," he said. "A lot of people are trying to do really fancy things with AI, and they're missing doing these simple things." Sponsors who run those checks before filing arrive better prepared for exactly the scrutiny the FDA's own AI systems are designed to apply.

The tactical preparation matters. So does the strategic posture behind it. Desai framed the challenge as separating the durable from the disposable. Executive orders generate headlines and scramble priorities, but they're easy to reverse. Legislation is harder to undo. Science doesn't change with the administration. "Just as easy as it is for the President to issue an executive order, the next administration can reverse that," Desai said. "Legislation passed by Congress is sticky. Look at the change around you and bet on things that are likely to stick around. Science and data are things that you can bet on."

None of that will matter if the underlying infrastructure can't keep up. Compliance is no longer a periodic exercise. It is becoming a live operational demand, and the systems that support it need to connect data, automate responses, and adapt as the regulatory environment keeps shifting. Legacy systems built for batch processing and periodic reporting are not suited to sustained real-time surveillance and terabyte-sized submissions. "If you're creating big monolithic systems that take you years to upgrade or change, that's not going to work for you in this environment," Desai said. "You have to have very fast, agile systems that can pivot very quickly as change happens. Agility should be your number one goal in anything you build right now." In practice, that means replacing the brittle, point-in-time architectures that most compliance functions still run on with connected, automated systems that can move as fast as that environment keeps changing.