ISO 14971 in the Age of AI: What ISO/TS 24971-2:2026 Adds

See Qualio in action.
Explore pricing for your team or book a 30-minute demo with our team.
ISO 14971 was written for devices whose behavior does not change after they ship. A machine learning model breaks that assumption by design. It can retrain on new data, shift its parameters, and behave differently a year after launch than it did on the day of clearance, and none of that is covered by a risk file built around a fixed design.
ISO/TS 24971-2:2026, "Medical devices, guidance on the application of ISO 14971, Part 2: Machine learning in artificial intelligence," is the standard that closes that gap. It does not replace ISO 14971:2019 or alter its requirements. It sits alongside it, and alongside the existing ISO/TR 24971 guidance, as a companion document that tells manufacturers how to apply the same risk management process to machine learning-enabled medical devices (MLMD).
What the new specification actually covers
ISO/TS 24971-2:2026 focuses on the risks that are specific to machine learning rather than to software in general. That includes:
- Data management and feature extraction, since a model is only as reliable as the training and test data behind it, and that data can be actual patient data or synthetic data built to simulate it.
- Unwanted bias, with a dedicated annex explaining how bias enters a model and how to identify it before it reaches a patient population.
- Information security, recognizing that a model's training pipeline is itself an attack surface.
- Training, evaluation, and retraining, including the reality that an ML model can learn continuously from patient data and modify its own parameters over time, a behavior the standard refers to as "continuous learning" (sometimes called "adaptive" elsewhere).
One boundary is worth flagging clearly: ISO/TS 24971-2:2026 explicitly does not cover devices built on large language models or generative AI. If your product includes an LLM-based function, this standard is not your risk management answer for that function, and treating it as one would be a gap in itself.
Why a companion standard, not a QMS update, is the real fix
A risk file that was signed off once, at launch, cannot tell you that a retrained model has drifted from the bias profile it was cleared against. That is not a limitation of the paperwork. It is a limitation of treating risk management as a point-in-time event instead of a continuously monitored one, which is exactly the failure mode ISO/TS 24971-2:2026 is designed to prevent.
This is where the difference between a static QMS and a system built for continuous execution actually shows up. A document repository can hold your ISO 14971 risk file. It cannot tell you, on its own, that your MLMD retraining cadence has outpaced your last risk assessment, or that a new companion standard has just changed what "complete" looks like for that assessment. Continuous gap analysis across all your standards is what closes that loop, mapping your existing ISO 14971 risk management file against ISO/TS 24971-2:2026 as it lands, rather than waiting for the next scheduled review to notice the standard changed under you.
What to check now
- Confirm whether your device qualifies as an MLMD under the new specification, and rule out LLM or generative AI components explicitly, since those sit outside its scope.
- Review your existing ISO 14971 risk file for continuous learning behavior. If your model retrains post-market, your risk file needs a mechanism for catching that, not just a note that it happens.
- Cross-check your bias evaluation approach against the annex guidance rather than treating "we tested for bias once" as sufficient.
Qualio's existing comprehensive guide to ISO 14971 is a solid foundation for teams building this out, and the ISO 14971 risk matrix guide is useful for teams standing up their first structured risk process. For the standard itself, see the ISO catalog listing for ISO/TS 24971-2, and for a practitioner-level walkthrough of what changed, this June 2026 standards roundup covers the specification alongside other recent medical device standard updates.
If your AI/ML risk documentation has not been checked against a live standard in the last quarter, that is worth fixing before your next audit does it for you. See how continuous gap analysis works across ISO standards.

Sumatha Kondabolu
Sumatha Kondabolu brings over 22 years of quality expertise across the pharmaceutical and medical device industries, specializing in quality system implementation and regulatory compliance for start-ups and scalable operations. She has helped organizations establish robust quality management systems aligned with global standards, enabling them to achieve seamless compliance and sustainable growth.
Sumatha has built and managed quality management systems meeting the requirements of FDA QSR, Canada’s Medical Devices Regulations, NIOSH, MDSAP, COFEPRIS, and the EU's MDR, IVDR, as well as pre-clinical and clinical frameworks. Her customers have successfully passed ISO and regulatory audits, achieving certification to the relevant ISO standards.
Sumatha holds a Bachelor of Pharmacy, a Master’s in Chemistry, and an advanced certificate in Quality Assurance Management. She is also a certified auditor for ISO 13485, ISO 27001, ISO 27701, ISO 42001, ISO 22716, ISO 17025, ISO 9001, and IATF 16949. Beyond certifications, she contributes to global standards development as an expert and committee member of the Standards Council of Canada (SCC)/ Canadian Standards Association (CSA) for:
- ISO/IEC JTC 1/SC 27 in Information Security, Cybersecurity, and Privacy Protection- Committee Member and Expert
- IEC TC 65/SC 65 as Technical Committee Member and Expert
- Chair for CSA Z289 and ISO/TC 210 - Quality management and related general aspects for products for health purposes, including medical devices.
See Qualio in action.
Explore pricing for your team or book a 30-minute demo with our team.