Aligning U.S. IRBs with Emerging EU AI Research Standards
Applying EU ERA and EDPB guidance to strengthen AI governance in U.S. IRB and HRPP review.
The E.U. just released two documents that deserve the attention of every research compliance professional working on artificial intelligence in human subjects research (AI HSR).
What’s New
In May 2026, the European Research Area (ERA) Forum (composed of European member states and research and innovation stakeholders), operating under the European Commission, released the third version of its Living Guidelines on the Responsible Use of Generative AI in Research. While the guidelines are non-binding, they carry significant weight across European research organizations, funding bodies, and universities.
One month earlier, the European Data Protection Board (EDPB) opened up public consultation on the Guidelines on Processing of Personal Data for Scientific Research Purposes, which would establish a legally grounded interpretation of how GDPR applies when personal data is processed in research contexts, including research that uses AI. That draft (pdf) can be found HERE.
While I’m sad the U.S. couldn’t lead in this space, I’m thrilled to see the first coordinated, research-specific governance documents to grapple with what the use of AI in research actually requires, ethically, procedurally, and legally.
Why This Matters In The U.S.
If your U.S. institution conducts multi-site research with European partners, receives EU Horizon funding (kinda like NIH funding in the U.S.), collaborates with EU-based sponsors, or publishes in journals aligned with ERA expectations, these guidelines are something you may want to review.
Even for purely domestic U.S. research programs, these documents are worth studying because they reveal a governance framework that is more coherent than what currently exists in the United States, and that framework will increasingly shape what international sponsors, collaborators, and funders expect from U.S. institutions.
The U.S. has produced strategy documents this spring from HHS, from the White House, and from FDA. To put it in the nicest way possible, this approach is fragmented, sector-specific, and less operationalized for research contexts. To put it bluntly, in the governance space, this approach has been more of a “move fast and break things” mentality and reminds me of the “I CAME IN LIKE A WRECKING BALL~~!!!” lyrics.
While the U.S. approach could be seen as a meaningful signal of AI governance, I’d argue it is the furthest thing from governance. If anything, it is the complete demolition of governance, and that doesn’t work well for international collaborations.
What the ERA Guidelines Say & Why IRBs Should Care
The ERA Living Guidelines organize their recommendations across three audiences: researchers, research organizations, and research funding bodies. Notably absent from those audiences were ethics committees and IRBs.
I’m curious if this reflects a structural assumption? Does accountability for responsible AI use flow through researchers and institutions? What role does the ethics committee that receives and evaluates those applications have in terms of enforcement? Here’s some insight into EU vs US practices.
The guidelines do important work regardless. Key requirements that are directly relevant to IRB and HRPP professionals include:
Transparency of AI use in research workflows: Researchers are expected to disclose when generative AI has been used “substantially” in their research processes (e.g., in their literature review, hypothesis development, data interpretation, and drafting). They explicitly distinguish between AI as basic editorial support (not requiring disclosure) and AI as a method or analytical tool (requiring disclosure). This belongs in your institution’s SOP language now especially because NIH requires it as well!
Discouraging AI in peer review and proposal evaluation: Generative AI should NOT be used substantially in the evaluation of research proposals or peer review of manuscripts. The reasoning is:
AI limitations (hallucination, bias) risk unfair assessment, and
uploading unpublished work to external AI systems risks confidential exposure.
NIH has implemented targeted restrictions on AI use in grant writing and peer review as well (see their latest guidance HERE). U.S. IRBs reviewing AI-assisted protocol submissions should be asking these same questions about their own internal processes.
Hidden prompts are an emerging integrity threat: The guidelines warn research funding organizations that submitted applications and proposals may contain hidden prompts (invisible instructions embedded in documents intended to influence AI-assisted review tools toward more favorable assessments). IRBs using AI tools to assist in protocol screening need policies addressing this now.
Third-party AI use awareness: Researchers and research institutions must remain mindful that third parties (e.g., vendors, meeting participants, note-takers, and collaborators) may be using AI tools in ways that create confidentiality, data protection, and IP exposure risks. This has direct implications for IRB interactions with research teams and sponsors.
The EDPB Guidelines Add Important Guidance For SBER and Clinical Research
The EDPB document is legally weightier and operationally more detailed than the ERA guidelines. It addresses how GDPR applies to personal data processing in scientific research, and several provisions have direct IRB relevance for institutions with European data subjects or collaborators.
The document introduces six key indicative factors for determining whether an activity qualifies as scientific research under GDPR:
i. methodical and systematic approach,
ii. adherence to ethical standards,
iii. verifiability,
iv. independence,
v. societal contribution, and
vi. potential to advance knowledge.
Critically, the second item, (ii) adherence to ethical standards, explicitly references ethics committee review as a marker of legitimate scientific research. This is the closest either document comes to naming the review body as a governance actor. Ethics committee review is treated as an important indicator of legitimate scientific research, though not universally mandated under GDPR. This is similar to the U.S., where it is only required for federally funded research, most FDA-regulated research, and if the Sponsor or journal requires it.
The EDPB document’s treatment of Broad Consent for secondary-use research is the most operationally developed section in either document. It specifies that broad consent requires adoption of additional safeguards including independent oversight bodies that may review proposed new research projects and give opinions on data processing. In the U.S. this is functionally analogous to IRB oversight, though the document never uses that term. For IRBs in the U.S. that are adopting Broad Consent, comparing your practices with the EDPB framework could be enlightening…
For institutions conducting AI-enabled clinical trials or diagnostic research, the EDPB document’s guidance on special categories of personal data (health, genetic, and biometric data) and the requirement for Data Protection Impact Assessments (DPIAs) under Article 35 create a parallel review obligation that must be coordinated with IRB review. U.S. institutions engaged in cross-border clinical AI research will need a process for aligning DPIA findings with IRB protocol review. Many institutions do not yet have a formalized process.
The Governance Gap - Operationalization
These long-awaited documents are game changers in their own right. They tell researchers and institutions what responsible AI use requires. However, neither tells a review body how to evaluate whether a proposed AI research activity meets those requirements. Coming from the field directly, I can attest to the significant capacity and AI literacy gap we have in our current governance bodies (IRB/HRPP, research compliance, etc.).
It’s one thing to tell a reviewer what the rules are, but what happens when they don’t know what to do with that rule or how to even apply it in their role?
This is an operationalization gap that BOTH the EU and the U.S. IRBs and HRPPs are currently struggling with, not because they are non-compliant, but because they lack a structured framework for conducting the kind of AI-specific protocol review that these global standards are beginning to demand.
The Three-Stage AI HSR Review Framework (Eto, Lifson & Vidal, 2025) and its recent revision to include SBER (Eto, Miller, Lifson & Vidal, 2026) were developed specifically to address this gap. The framework organizes IRB review of AI research across three stages:
Stage 1 (Discovery/Development/Training): Where AI identifies patterns in human data,
Stage 2 (Performance and Clinical Validation): Where AI outputs are tested against human outcomes without influencing human decisions, and
Stage 3 (Deployment/Real-World Use): Where AI operates in live clinical or research environments affecting human subjects.
Each stage carries distinct human subjects risk profiles, consent requirements, and oversight obligations.
Mapping the ERA and EDPB provisions onto this framework makes the operationalization path clearer. For example:
The ERA’s transparency and disclosure requirements attach primarily at Stage 1 and Stage 2, where AI is functioning as a research instrument generating findings that feed into the research claims.
The EDPB’s DPIA requirements and special category data protections are most impactful at Stage 2 and Stage 3, where AI outputs have the most potential to influence individual data subjects’ lives directly.
The ERA’s prohibition on AI in peer review is a multi-stage integrity control that applies to how research findings from any stage enter the scientific community.
An IRB reviewer equipped with this framework can look at an AI research protocol and ask: which stage is this, what risks attach to this stage, and what review criteria apply now and which review criteria will apply later? And how do we ensure that these controls come in at the right time? Without it, the reviewer is applying general human subjects principles to a technology that doesn’t map cleanly onto those principles and missing the AI-specific risks that both EU documents are trying to address.
Practical Tips for U.S. IRBs/HRPPs
For now and the foreseeable future, the U.S. will likely not have any meaningful, sustainable, or actionable AI regulations in the research space. But there are still some things that we need to do just to keep pace with the research protections world that is moving forward without us:
Review the EU documents and update your SOP language on AI disclosure: Use the ERA’s “substantial use” principle as a starting point for defining when AI use in research workflows requires disclosure to the IRB. This is defensible, internationally recognized, and more precise than what most U.S. institutions currently have. The TechInHSR AI HSR Desktop Procedures Guidance can support this SOP development.
Develop a hidden prompt policy: If your IRB is using or considering AI tools to assist in protocol screening or administrative processing, establish explicit policy language discouraging manipulation of AI-assisted review through embedded instructions. This is a new integrity threat that existing conflict-of-interest and research integrity policies do not cover.
Coordinate DPIA and IRB review for cross-border AI research: For any protocol involving EU data subjects, EU sponsors, or EU Horizon funding where AI is processing personal data, establish a coordination process between DPIA obligations and IRB review. These are parallel requirements that must inform each other.
Brief leadership on ERA alignment for international collaborations: Research compliance leadership at institutions with active EU partnerships needs to understand the ERA guidelines and ensure they align with new and existing contracts.
A Note on the EU Operationalization Gap
The ERA and EDPB guidelines articulate clear expectations for researchers and institutions, but they do not provide guidance on how review bodies operationalize these efforts.
The Three-Stage Framework was developed in a U.S. regulatory context, but its underlying logic that AI research carries stage-specific risks requiring stage-specific review criteria is globally applicable. For multi-site international research, a shared review model grounded in this framework may be the most practical, streamlined path to coherent, defensible oversight on both sides.
That conversation is worth starting now, before pilot frameworks on both sides of the Atlantic grow into incompatible standards.
Interesting Resources:
The evolution of the EU’s AI Research Ethics: https://journals.sagepub.com/doi/10.1177/17470161231220946
Responses in the U.S. to the EU AI Act and its impact on research: https://www.advarra.com/blog/understanding-the-impact-of-the-new-eu-artificial-intelligence-act-on-clinical-research/
Hospitals and universities in the same Member State can differ in how conservative they are, especially around early‑phase AI, secondary use of data, and what they consider “minimal risk,” similar to U.S. IRBs: https://journals.sagepub.com/doi/10.1177/17470161231220946
Some Member States layer stricter ethics rules on top of EU law (e.g., on secondary use, genetic data, or AI in health), so a “typical research hospital” in one country may routinely require more robust safeguards than in another. Similar to the U.S.: https://globalpi.org/research/ai-regulation-across-the-atlantic-eu-ai-act-vs-u-s-ai-governance/



