FDA Sends a Warning, Agentic AI Goes Enterprise, and the Capital Squeeze That Makes Both Harder

Novo Nordisk's pharmacovigilance failure, Verily's $300M raise, and new data showing AI training investments aren't working

March 24–30, 2026 · ~10 min read

---

Four threads dominated the final week of March 2026:

• $300M for Verily and IQVIA.ai goes enterprise — agentic AI transitions from experimental to commercially supported; new platform decisions carry real vendor selection and process redesign implications
• FDA warning letter to Novo Nordisk — systemic pharmacovigilance failures in contractor-managed systems; the letter is a direct audit template for your own safety infrastructure
• 41% cutting capital, 57% ranking AI as top priority — discipline in AI investment prioritization separates organizations that advance from those that stall
• 82% AI training, 59% skills gap — agentic platforms are arriving into workforces that don't yet have the applied capability to use them

The throughline: execution discipline is the differentiator. Vendor oversight, capital allocation, and workforce capability gaps are converging exactly when AI investment is peaking.

---

🤖 AI & Data

Verily Raises $300M and Charts a Path as an Independent Precision Health AI Company

On March 19, Verily closed a $300 million Series X led by Series X Capital — the largest single raise by a precision health AI platform this year. The round marks a structural shift: Alphabet remains a minority investor, but Verily is now an independent company, not a subsidiary.

What happened:

• Strategic investors UCHealth and the University of Colorado Anschutz joined as shareholders, signaling a deeper academic medical center partnership model
• Platform strategy centers on AI-native precision health: data harmonization, model deployment, and actionable intelligence integrated into research and care workflows
• Recent partnerships include Samsung Galaxy Watch for biomarker development and Salesforce Agentforce Health for enterprise AI integration

Why it matters to you:

• Verily offers a credible alternative to building precision health infrastructure in-house — with healthcare-specific data governance and established academic medical center relationships
• The independence transition introduces execution risk: new organizational structures can shift product roadmaps and support models in ways difficult to anticipate — and precision health platform decisions made now will define your architecture for several years

IQVIA.ai: Enterprise-Ready Agentic AI Purpose-Built for Life Sciences

On March 16, IQVIA Holdings unveiled IQVIA.ai, a unified agentic AI platform that marks a significant commercial milestone: domain-specific AI agents for clinical research and pharmacovigilance are now an enterprise product, not a prototype.

What happened:

• Platform combines IQVIA's domain expertise with NVIDIA's Nemotron language models, NeMo Agent Toolkit, and LangChain orchestration; initial deployment targets automated clinical trial site selection
• 19 of the top 20 pharmaceutical companies are already incorporating IQVIA agents; more than 150 intelligent agents deployed across internal and client environments
• Designed with healthcare-grade guardrails, privacy compliance, and regulatory alignment built in — not bolted on

Why it matters to you:

• Organizations can now acquire pre-built agentic systems for clinical research and commercial operations — reducing time-to-value compared to building agent frameworks from scratch
• Plug-and-play expectations will fail: organizations treating this as a vendor onboarding exercise rather than a process redesign opportunity will experience limited ROI — and a capable agent running on poor data produces confident wrong answers

NVIDIA GTC 2026: Open Models Lower the Foundation Model Entry Cost for Life Sciences

NVIDIA's GPU Technology Conference on March 16 delivered platform and model announcements that meaningfully change foundation model economics for drug discovery and structural biology — removing barriers that previously required significant in-house GPU infrastructure.

What happened:

• BioNeMo expanded with Proteina-Complexa for protein binder design; collaboration with Google DeepMind and EMBL added ~30 million new protein complex predictions to the AlphaFold database, including 1.7 million high-confidence predictions
• Early adopters including Novo Nordisk, Viva Biotech, and Manifold Bio are integrating these open models into active discovery pipelines
• Nemotron 3 omni-understanding models deliver a reported five-fold throughput improvement on Blackwell GPUs versus prior generation

Why it matters to you:

• Pre-computed AlphaFold predictions remove a significant barrier — organizations building internal AI capabilities now have higher-quality open starting points, reducing cost and timeline for custom model development
• The open model doesn't include the infrastructure to run it: enterprise deployment still requires mature data pipeline engineering, regulatory governance, and operational discipline

Capital Squeeze at the Peak of AI Demand: 57% Prioritizing AI, 41% Cutting Budgets

New survey data from Sage Growth Partners, released March 24, quantifies a tension most life sciences CIOs are already feeling — AI investment urgency is at an all-time high, and overall capital budgets are contracting simultaneously.

What happened:

• 57% of 101 health system C-suite leaders rank AI-based clinical solutions as their top technology initiative for 2026–2027 (up from 19% in 2023); 41% anticipate capital budgets will be reduced
• 77% now rate anticipated ROI as the most critical purchasing factor — up from 50% in 2023; 39% demand a 2x–3x financial return
• 29% rank AI-based administrative solutions in their top five initiatives, up from 6% in 2023 — AI adoption pressure is no longer limited to clinical functions

Why it matters to you:

• Peak AI demand plus contracting capital forces a direct choice — without resources adequate for both, AI advancement and legacy maintenance compete for the same line
• The 77% ROI focus means CIOs must articulate measurable returns, not just strategic intent — organizations resolving this tension are concentrating AI investment on high-impact, ROI-demonstrable use cases

---

⚖️ Regulatory & Policy

FDA Warning Letter to Novo Nordisk: Contractors, Business Rules, and the Audit Trail Problem

On March 5, FDA issued a warning letter to Novo Nordisk Inc. documenting systemic failures in postmarketing adverse drug experience reporting. The letter is more than an enforcement action — it is a detailed map of exactly what FDA inspectors look for in pharmacovigilance IT systems.

What happened:

• Systemic failures documented across surveillance, receipt, evaluation, and reporting — including in contractor-managed systems — for multiple Novo Nordisk products including semaglutide and liraglutide
• Written procedures allowed adverse events to be rejected if the internal reporter considered them unrelated — directly violating FDA regulations requiring reporting of all serious and unexpected events regardless of causality
• FDA's conclusion: the corrective action response lacked "sufficient details to determine whether your actions will effectively prevent similar violations" — a tactical system fix is not sufficient

Why it matters to you:

• Pharmacovigilance and adverse event reporting systems are now an active IT audit target — business rule configuration, audit trails, and contractor oversight are all in scope
• Contractor-managed case processing requires end-to-end procedural visibility — a signed agreement is not the same as governance, and FDA expects root-cause analysis and validated preventive controls, not workflow patches

42 CFR Part 2 Alignment with HIPAA: The Compliance Deadline Has Passed

The February 16, 2026 compliance deadline for the revised 42 CFR Part 2 final rule is now past. Organizations managing substance use disorder treatment records should already be in compliance — and CIOs who haven't formally confirmed this have an active gap.

What happened:

• Final rule aligns SUD record protections with HIPAA privacy and security rules and HITECH breach notification requirements; breach notification and civil/criminal enforcement now mirror HIPAA standards
• Allows a single consent for all future treatment, payment, and healthcare operations uses — eliminating the requirement for separate Part 2 consents
• Patient rights now include ability to request accounting of disclosures and restrictions on certain disclosures — consistent with HIPAA provisions

Why it matters to you:

• SUD treatment records now carry HIPAA-equivalent enforcement risk — BAAs not updated prior to February 16 represent an active compliance gap
• The practical question: has your HIPAA information governance framework been formally updated to explicitly cover Part 2 records, and has this been documented?

CMS Claims Attachment Standards: Two-Year Runway, Starting Now

CMS adopted final rules for healthcare claims attachment transactions on March 24, with a May 26, 2028 compliance deadline. For life sciences organizations with health system and CDMO partnerships, the platform readiness assessment needs to start now.

What happened:

• Rule effective May 26, 2026; compliance required by May 26, 2028. Establishes HIPAA-compliant standards for electronic exchange of clinical documentation supporting claims: medical records, imaging, clinical notes, and lab results
• Eliminates reliance on fax and direct mail for claims attachment workflows — affecting how clinical documentation moves between partners
• Also establishes electronic signature requirements to authenticate claims attachment transactions

Why it matters to you:

• Clinical data platforms and EDC systems must support standardized electronic claims attachment formats by 2028 — healthcare integration projects routinely run 18+ months
• Organizations that begin readiness assessment now will have adequate time; those that start in 2027 likely will not

---

🔒 Cybersecurity & Risk

Third-Party Vendor Risk: The Numbers Are Getting Harder to Ignore

No single breach defined the cybersecurity picture this week. The story is structural — new data on the scale of third-party risk, combined with a nine-month vendor breach discovery lag at Ericsson, describes an environment where the most significant threats are arriving through vendor relationships, not direct attacks.

What happened:

• Healthcare IT security analysis: 41.2% of all cybersecurity incidents in 2024 originated from third-party vendors; double extortion now appears in 96% of healthcare ransomware incidents
• Ericsson U.S. subsidiary: unnamed third-party provider compromised April 2025, not discovered until April 28, impact not determined until February 23, 2026 — a nine-month discovery lag that spanned a full annual assessment cycle
• Vendor risk survey: 72% of organizations admit only partial awareness of which vendors use AI; no organization surveyed feels "extremely confident" managing third-party AI risk

Why it matters to you:

• Annual vendor assessments cannot detect the extended exposure window the Ericsson incident demonstrates — nine months of invisible exposure is a benchmark for what annual cadences miss
• Double extortion means backup recovery is no longer a sufficient ransomware response — data exposure and public disclosure are the primary risk regardless of encryption recovery capability
• As AI platforms proliferate, the AI governance gap (72% partial awareness) creates a new category of third-party risk that most existing vendor assessment frameworks don't address

Trump Cyber Strategy 2026: Healthcare Is Named as Critical Infrastructure

The White House released its Cyber Strategy for America in March 2026 — the administration's first formal cybersecurity posture document. Healthcare organizations are named explicitly as critical infrastructure requiring stronger defenses.

What happened:

• Strategy explicitly names hospitals and healthcare organizations as critical infrastructure sectors requiring stronger defenses, more secure supply chains, and faster incident recovery
• Priority modernization tracks: cloud transition, zero-trust architecture, and post-quantum cryptography; also emphasizes offensive posture — disrupting adversaries and dismantling criminal infrastructure
• Does not introduce new regulations for U.S. organizations — focuses on streamlining existing requirements and increasing private sector accountability

Why it matters to you:

• Healthcare's designation as critical infrastructure elevates cybersecurity from an IT operational issue to a board accountability issue — federal visibility typically precedes audit expectations and spending pressure within 12–24 months
• For organizations where cybersecurity is competing against AI for constrained capital, this strategy is the board-level argument for resolving that competition — and zero-trust and post-quantum cryptography signal where compliance obligations are likely to land

---

🏢 Leadership & Operating Model

Biopharma Hiring Recovers — With AI Talent at the Center

BioSpace's early 2026 workforce survey confirms that the hiring recovery is real — but the talent landscape is nuanced, with AI recruiting emerging as a distinct priority and a large pool of recently displaced domain experts available now.

What happened:

• 64% of biopharma organizations actively recruiting (up from 59% in 2024); top priorities: R&D (50%), clinical (48%), manufacturing (38%), regulatory (37%)
• AI recruiting is emerging as a distinct priority — demand for foundational data science skills plus AI tool expertise; candidates won't have more than one year of experience with the latest tools
• ~42,700 biopharma employees were cut in 2025 (a 47% increase from 2024), creating a pool of experienced, recently displaced domain talent available now — a window that will close as the market tightens

Why it matters to you:

• Competition for AI and data science talent is intensifying across life sciences — the recently displaced talent pool is a window that will close; act before the market tightens
• Traditional recruitment based on specific tool expertise is inadequate given rapid tooling change; recruit for foundational skills and learning agility, then invest in structured development

The CIO Role Is Diverging by Organizational Scale

Forrester's 2026 analysis finds that the CIO role changes fundamentally depending on organizational scale, and the misalignment between operating model and organizational context is a common and underappreciated failure mode.

What happened:

• Large enterprise CIOs evaluated primarily on governance, enterprise architecture, and board-level risk narrative; mid-market CIOs face a more operationally intensive role judged by near-term ROI on cycle time and margin improvement
• "Two-in-a-box" model — business leader and technology leader jointly accountable for platforms spanning multiple functions — emerging as the primary mechanism making co-ownership operational
• Cross-size emerging patterns: platform operating models co-owned by business and technology leaders; talent rebalancing toward data science, AI engineering, and platform engineering

Why it matters to you:

• Enterprise CIO practices in a mid-market context produce governance without execution; mid-market practices in an enterprise context produce execution without control — the mismatch is a structural risk that surfaces under AI transformation pressure
• Platform co-ownership requires explicit governance infrastructure — joint accountability, shared KPIs, and escalation mechanisms — not just stated intention; talent rebalancing mechanisms also differ by scale

The AI Training Gap: Availability Is Not the Same as Capability

A DataCamp survey of enterprise leaders in 2026 puts a precise number on a problem most CIOs already sense: 82% of organizations provide AI training, yet 59% still have an AI skills gap. The structural failures driving that gap are identifiable — and fixable.

What happened:

• 82% of organizations provide some form of AI training; 59% still report an AI skills gap; only 35% have a mature, organization-wide upskilling program
• Structural failures: 23% of leaders say learning paths aren't tailored to specific roles; 24% cite lack of hands-on projects; 23% find video-based courses don't help employees apply skills in practice
• In March 2026, lawmakers and industry leaders convened to examine employer-led training models — signaling that federal workforce training incentives may become available

Why it matters to you:

• Organizations are purchasing agentic AI platforms into workforces that can't yet configure or govern them — capital is moving into the tools while operating model investment lags
• The 59% gap despite 82% participation is a structural training design problem: effective programs require hands-on applied practice, role-specific mapping, structured progression, and skill-based measurement — not completion rates

---

💡 Editor's Perspective

• The FDA's Novo Nordisk warning letter and the cybersecurity third-party risk data describe the same failure from two directions. Pharmacovigilance failures in contractor systems and 41.2% of incidents from third-party vendors share a root cause: insufficient visibility into what outsourced partners are doing inside systems that bear your regulatory accountability. Annual questionnaires don't close that gap.
• IQVIA.ai's enterprise launch and Verily's $300M raise mark the moment agentic AI transitions from experimental to commercially supported in life sciences. The counterweight: 82% training availability still leaves a 59% skills gap. Capital is moving into the tools; the operating model investment required to use them is lagging.
• Three regulatory timelines are converging in 2026: 42 CFR Part 2 alignment (deadline passed), CMS claims attachment standards (effective May 26), and an 18-month integration clock that started ticking in March. CIOs running constrained budgets need these non-discretionary requirements funded separately, or compliance emergencies will interrupt the AI roadmap.
• The Trump Cyber Strategy's identification of healthcare as critical infrastructure, combined with 41% of CIOs cutting capital, creates a tension with no clean resolution. HIPAA, HITECH, and CIRCIA all followed the same pattern: federal attention, then audit criteria, then spending pressure. Surface that conversation with boards now.

---

🔗 Top 5 Must-Read Links

1. FDA Warning Letter to Novo Nordisk Inc. (Mar 5, 2026) — Primary source; essential reading for any CIO responsible for pharmacovigilance or contractor-managed case processing.
2. IQVIA Unveils IQVIA.ai, a Unified Agentic AI Platform (Mar 16, 2026) — IQVIA's own announcement; clearest account of platform architecture, initial use cases, and NVIDIA partnership.
3. Verily Secures $300M to Advance Precision Health AI Strategy (Mar 19, 2026) — Covers the round structure, strategic partnerships, and platform direction for CIOs evaluating precision health platforms.
4. Sage Growth Partners: Health IT Purchasing Forecast 2026–2027 — Best summary of the 57%-rank-AI / 41%-cutting-capital findings; useful for board conversations on AI investment prioritization.
5. Forrester: One Title, Many Realities — How the CIO Role Changes by Organization Size — Practical analysis of how CIO mandate and operating model vary by organizational scale.

---

An FDA enforcement action on outsourced compliance, agentic AI going enterprise, and 41% of CIOs cutting the budgets they need to do both — these aren't isolated events. They're markers of a quarter where execution discipline separates the organizations that advance from those that fall behind. If your team is working through these tradeoffs — hit reply.

Ready to move beyond the digest? The LS CIO Community is where these conversations continue.

Join the LS CIO Community →

---

This digest is an interpretive summary of publicly available information and does not constitute legal, regulatory, cybersecurity, or investment advice.

Until next week,

Joe Miller

Founder, Leadership Inklings