Module 03 · Lesson 04

Decision Frameworks for Gray Zones — The Hard Judgment Calls

Reading time: 22 minutes Track: Governance & Compliance · REQUIRED before role specialization Prerequisites: Module 03 · Lessons 01-03

What this lesson does

The bright lines (Lesson 01) and the classification framework (Lesson 02) handle most situations. What's left is the genuinely hard middle: situations where reasonable, well-trained people could disagree about the right answer.

This lesson gives you frameworks for those situations. Frameworks, not answers — because the right answer depends on context that varies by company, by role, by specific facts. What you'll have at the end is a structured way to reason through hard cases that gets you to defensible decisions.

By the end of this lesson, you'll be able to:

1. Recognize when a situation is a gray zone rather than a bright-line case
2. Apply the four primary decision frameworks
3. Document your reasoning so a reviewer can follow it later
4. Know when to escalate rather than decide unilaterally

This lesson is the most "judgment-heavy" in Module 03. The frameworks help, but they don't replace experience and discussion with your colleagues.

01 · How to know you're in a gray zone

Three signals that you've left bright-line territory and entered a gray zone:

1. You're hesitating. If you have to think about whether something is OK, it's not obviously OK. The hesitation itself is information — pay attention to it.

2. You can construct plausible arguments on both sides. Bright-line cases don't have plausible counter-arguments. Gray zones do.

3. The answer depends on facts you'd have to find out. "It depends" is fine as a starting point; the question is on what.

If any of these are present, slow down. Don't default to "probably fine" or "probably not fine." Run the frameworks below.

02 · Framework 1 — The "front page" test

Old framework, still useful: would you be comfortable defending this decision if it appeared on the front page of a major industry publication tomorrow?

Variants:

• Would you be comfortable defending it to an FDA reviewer?
• Would you be comfortable defending it to your CCO or General Counsel?
• Would you be comfortable defending it to a journalist who's hostile and informed?
• Would you be comfortable defending it to your competitor's general counsel?

What this catches: Decisions that seem fine in isolation but feel uncomfortable when you imagine them being scrutinized. The discomfort is informative.

What this misses: Cases that are technically fine but feel uncomfortable for reasons unrelated to the actual risk. (Some unfamiliar things feel risky just because they're unfamiliar.)

When to use it: First-pass gut check. If something fails the front-page test, take it seriously.

03 · Framework 2 — The reasonable-person standard

Imagine someone in your role at a peer biotech, with the same training and resources. Would they make the same decision you're considering?

If yes: you have a reasonableness defense even if the decision turns out badly.

If no: think harder. You may be over-restricting (being more cautious than the industry norm) or under-restricting (cutting corners that peers wouldn't cut).

What this catches: Outlier decisions in either direction. You don't want to be the only one being aggressive; you also don't want to be the only one being so cautious you're missing value.

What this misses: Cases where the industry norm itself is wrong. (Sometimes the industry norm is "everyone does this and it's fine," but it's only fine until the first lawsuit.)

When to use it: When you want to calibrate against peers. Particularly useful for new use cases.

04 · Framework 3 — The risk/value/reversibility matrix

For any AI use case in a gray zone, assess three dimensions:

Risk: What's the worst-case outcome if this goes wrong? Scale 1-10. Value: What's the upside if this works well? Scale 1-10. Reversibility: If something goes wrong, how easily can it be undone? Scale 1-10 (10 = easily reversible).

What this catches: Cases where the upside is being overweighted relative to the downside, or vice versa. Forces explicit comparison.

What this misses: Cases where the asymmetry isn't obvious. "Low probability, catastrophic outcome" gets handled by the risk dimension, but you have to actually think about it.

When to use it: When you have to choose between proceeding and not, and the answer isn't obvious.

05 · Framework 4 — The chain of consequences

Trace the decision forward two or three steps. What happens after this AI use?

Step 1: You produce the output. What's the immediate use? Step 2: Who else sees the output? What do they do with it? Step 3: Where does the output ultimately end up? Internal file? Sent externally? In a regulatory filing? In a patient handout?

The risk of an AI-generated artifact often isn't at the point of generation — it's downstream, when the artifact gets used in a context the originator didn't anticipate.

Example: You use AI to draft an internal training slide. That seems low-risk. Step 2: a colleague picks up your slide for a customer-facing presentation. Step 3: the slide ends up in a sales kit. Now the AI-generated content is making promotional claims you never reviewed.

What this catches: Downstream-risk failures. The output looks safe in your context but creates risk when it travels.

What this misses: Truly local uses where there's no downstream.

When to use it: Whenever the output you're producing could plausibly be reused by someone else. (Which is most outputs.)

06 · The seven gray-zone scenarios

Specific situations where these frameworks apply. Walk through these once and you'll recognize them when they show up in your own work.

Gray zone 1 — De-identified clinical data

You have a clinical dataset with direct identifiers removed. Can you use it with AI?

Lesson 02 default: Treat as Tier 4 (Restricted), not Tier 1 (Public), unless Expert Determination has been performed.

Reasoning: "De-identified" by removing some fields is incomplete. Re-identification is a real risk, especially in rare-disease populations. The Tier 4 default protects you.

When the default may be relaxed: If your company has formal Expert Determination certification for the specific dataset, and the use case is approved. Get the paperwork before proceeding.

Gray zone 2 — Published competitor information for internal analysis

You compile public information about a competitor (press releases, presentations, filings) into an internal strategic analysis. Can you use AI to help with the analysis?

Default: Yes, but the analysis itself is Tier 3 once written. Use enterprise environments. Be aware that detailed strategic interpretation in a prompt may leak more than the public inputs alone suggest.

Reasoning: Public inputs are Tier 1. Your interpretive output is Tier 3. The work happens at Tier 3.

Watch for: Asking the AI to "compare us to [competitor]" — you've now leaked specific information about your own position to draw the comparison. That's Tier 3.

Gray zone 3 — Anonymized adverse event narrative

You have an SAE narrative with patient identifiers removed. Can you use AI to help draft the standard format narrative?

Default: This is closer to a bright line than a gray zone. The narrative may contain identifying detail in flowing prose (dates, locations, sequence of events, demographic details) that re-identifies even with names removed.

Action: Either (a) use a specifically approved environment for safety data, or (b) work from structured fields and templates, not narratives. Don't paste narrative text into a general-purpose AI environment.

Gray zone 4 — Internal meeting transcript with AI summary

A meeting transcript is being processed by an AI tool that adds summaries. The meeting discussed strategic, financial, or sensitive content. What's the risk?

Default: The classification of the transcript is the classification of the meeting content. A strategy meeting transcript is Tier 3. A financial-projections meeting is Tier 3. A meeting that touched on personnel matters may be Tier 4.

Action: Verify which AI is processing the transcript and what environment it's in. Many meeting-AI tools don't meet Tier 3 standards. Don't let the convenience of automatic summarization override the classification.

Gray zone 5 — Drafting external communications

You're drafting an email or letter to an external party. The content of the message will become known to that party. Can you use AI to draft?

Default: The classification of the drafting work is the classification of the content. An external letter announcing a press release is Tier 1 (the content is about to be public). An external letter to a CDA partner about confidential matters is Tier 3 (the partner is bound by CDA, but the content is still your confidential strategic content).

Action: Match the AI environment to the content's tier. Don't be confused by "it's going external anyway, so confidentiality doesn't matter" — confidentiality controls who sees the content, not whether the content is internally sensitive.

Gray zone 6 — Using AI to learn about a topic

You're new to a topic and want to use AI to come up to speed. Can you ask general questions about, say, oncology biomarker strategy?

Default: Generic questions about generic topics are Tier 1. Specific questions about specific programs (even your own) become Tier 3 in practice.

Action: Keep learning queries abstract when possible. "What are typical pharmacokinetic considerations for oral PCSK9 inhibitors?" is Tier 1. "What are typical PK considerations for an oral PCSK9 inhibitor with [specific profile from our pipeline]?" is Tier 3.

Gray zone 7 — AI-generated content for regulatory documents

You're using AI to help draft a regulatory document. The document will go to FDA. Should you disclose AI use?

Default — case-by-case but trending toward yes:

• FDA has not (as of late 2025) mandated AI disclosure in submissions
• Several major sponsors have voluntarily disclosed AI-assisted drafting in submission cover letters
• Internal policies are increasingly requiring documentation even if not disclosure
• The trend is toward more transparency, not less

Action: Check your company's policy. If your company doesn't have a policy yet, that's the policy gap to flag. Document AI use internally regardless of whether you disclose externally.

07 · The escalation discipline

You don't have to decide alone. In fact, for many gray-zone cases, you shouldn't.

Escalation triggers:

1. A bright-line situation that you think might be an exception
2. A gray-zone case where the risk is high enough that being wrong matters
3. A novel use case (first time your company is doing this)
4. A use case that, if it works, others would want to copy
5. A use case where you're being pressured to proceed faster than your judgment allows

Where to escalate:

• Your manager, for routine cases
• Compliance/Legal, for cases with regulatory or contractual exposure
• IT/Security, for cases with data-handling questions
• A formal AI governance committee, if your company has one

How to escalate well:

• State the use case clearly: what data, what tool, what output, what downstream use
• State your tentative recommendation: "I think this is OK because..." or "I think this is risky because..."
• State the alternatives you considered
• Ask the specific question you need answered

The cost of escalating one case is small. The cost of being the person who decided unilaterally and got it wrong is large. The math favors escalation for the cases that warrant it.

08 · The "set a precedent" question

A specific dimension of gray-zone reasoning that's worth its own treatment.

When you decide a case, you're not just deciding that case. You're setting a precedent that your future self and your colleagues will follow.

Before deciding a gray-zone case, ask:

Am I comfortable with this decision being applied broadly to similar future cases?

If yes: proceed.

If no: you're treating this case as a special exception. Be honest about that. Document why this case is different. Don't let one-time exceptions silently become the new default.

Examples of precedent setting:

• "Just this once" approvals that become routine
• "Special circumstances" that aren't actually special
• "Pilot" usage that scales without ever being formally re-approved

The discipline: when you set a precedent, set it deliberately. When you make an exception, mark it as an exception.

09 · Documentation for gray-zone decisions

For gray-zone decisions you do make, document them. Not as a CYA exercise — as a way to be honest about your reasoning.

Minimum documentation:

• What use case? (Data, tool, output, downstream)
• Why is this a gray zone? (What's ambiguous?)
• What framework(s) did you apply?
• What did you decide and why?
• What conditions or guardrails apply?
• Date and decision-maker

For routine cases, this can be a notes entry. For significant cases, formal documentation that lives somewhere a reviewer could find it later.

Why this matters: Gray-zone decisions get re-evaluated. Sometimes by you, six months later. Sometimes by your successor. Sometimes by an auditor. The documentation lets the re-evaluation be productive instead of reconstructive.

10 · The "default to caution" principle and its limits

A common posture in regulated industries: "when in doubt, don't."

This is correct as a starting orientation, but it has limits.

Where default-to-caution is right:

• Tier 4 / 5 situations
• Novel use cases
• High-irreversibility decisions
• Anytime the risk of getting it wrong is severe

Where default-to-caution can be a mistake:

• Routine work where caution becomes paralysis
• Cases where the cost of not using AI exceeds the cost of using it
• Situations where competitors are gaining advantage by being less paralyzed
• Cases where "caution" is actually status-quo bias

The balanced posture:

Default to caution when you're uncertain about safety. Default to action when you're certain about safety but uncertain about value. Don't conflate the two.

If you've classified the data correctly, selected an appropriate tool, applied reasonable guardrails, and verified the output — you've done the work. Proceeding is not "taking a risk." Not proceeding is taking a different risk: the risk of falling behind.

This is the most opinionated paragraph in Module 03. I'm including it because the over-cautious failure mode is as real in biotech as the under-cautious one. Both extremes hurt patients (the under-cautious by risking bad outputs; the over-cautious by slowing progress on things that could help). Be calibrated, not maximally restrictive.

11 · Knowledge check

Three questions to lock in this lesson.

Q1. Which of these is the strongest signal that you've entered a gray zone?

a) You're working with sensitive data b) The output will be reviewed by your manager c) You're hesitating, can construct plausible arguments on both sides, and the right answer depends on facts you'd have to find out d) You're using a new AI tool

Q2. When you make a gray-zone decision that you're unsure about, what's the most important thing to document?

a) Your name and the date b) The use case, why it's a gray zone, the framework(s) applied, the decision, the reasoning, and any conditions — so a later reviewer can follow the logic c) The AI vendor and model d) The cost savings achieved

Q3. "Default to caution" is a useful starting orientation in regulated work. What's the most accurate description of its limits?

a) It always applies; never proceed when uncertain b) Caution can become paralysis or status-quo bias; the balanced posture is to default to caution when uncertain about safety, but proceed when safety is established and only the upside is uncertain c) Caution doesn't apply to AI work, only to other regulated work d) Caution only matters for Tier 5 prohibited data

Answers: Q1: c · Q2: b · Q3: b

12 · What's next

One more lesson in Module 03:

• Lesson 05 · Audit Trails and Documentation — what to record, how to record it, and why it matters

After Module 03 you'll be cleared to begin your role-specific path module.

End of Lesson 04.