How to Implement AI Avatars in Pharma While Staying Compliant with Law 132/2025 and the EU AI Act — Before It's Too Late
Compliance is not the problem. The absence of compliance is
When we start an AI project in pharma, as we did with Linda, our AI avatar for HCP engagement, the first question is never "how much will it cost?" but "how do we keep it compliant?"
And that’s where the real questions begin.
The EU AI Act comes into force on 2 August 2026. But Italy has already moved. Law 132/2025 has already defined the boundaries for artificial intelligence in the Italian context, especially where compliance is not just a choice, it’s an obligation.
In the pharma sector, AI is not new. What is new is accountability: it’s no longer enough to say "we use AI to answer HCP questions." Now you have to prove that the AI won’t cause harm, that data is secure, and that every response is traceable.
1) The Regulatory Context
Law 132/2025: Italy Acts First
Law 132/2025, passed by the Italian parliament, was a strategic move: establishing an Italian regulatory framework before the EU AI Act became law. What does it require?
- Transparency and declaration of use: Anyone using an AI system must communicate this clearly. In pharma: if an AI avatar answers a medical question, it must identify itself as an “AI system” and not as a “human expert.”
- Traceability: Every interaction with an AI system must be logged: who asked the question, when, what response was received, and who approved that response (if a human gate was in place). Logs must be storable and auditable.
- Human-in-the-loop: Not all AI systems require this. But in pharma, where responses touch on the health of HCPs, it is almost always mandatory. This means: a qualified human must validate critical responses before they are published.
- Right to erasure and PII management: If a patient asks your AI avatar to delete the data they have shared, you must be able to do so. Personal data cannot circulate indefinitely within the system.
EU AI Act — The European Standard (2 August 2026)
The EU AI Act is broader, but has one central element: risk classification. Not all AI systems carry the same risk.
High risk (Annex III): systems that directly impact health, safety, and fundamental rights. An AI avatar in pharma? High risk. This means:
- Complete technical documentation: You must document the system architecture, training data, accuracy tests, and known failures.
- Periodic audits and testing: Not once a year but continuously. Monitor the system to detect anomalies, bias, and result drift.
- Compliance with technical requirements: Robustness, cybersecurity, training data quality, and discrimination mitigation.
Pharma = Annex III = High Risk
Because the answers an AI avatar gives to HCPs (healthcare professionals) can influence medical decisions. If Linda makes a mistake and suggests a wrong dosage or a dangerous drug interaction, the damage is not a data loss, it is potentially a human life.
Law 132 vs EU AI Act: The Differences
If you are in Italy and also sell across the EU (as Media Engineering does), you must comply with both. But the good news is: if you are compliant with the EU AI Act, you are automatically compliant with Law 132.
2) AI Avatars for HCP Engagement
What is Linda?
Linda is an AI avatar developed by Media Engineering, specialised for HCP engagement in the pharma sector. She is not a text-based chatbot. She is a 3D avatar with a synthesised voice and conversational memory: the system knows an HCP’s preferences if it has assisted them before.
Why Does It Work?
Healthcare professionals (doctors, nurses, pharmacists) respond better to a system that:
- Has a face and a voice — building trust and personalisation
- Remembers context — it doesn’t restart every conversation from scratch
- Is available 24/7 — HCPs don’t work 9 to 5
- Doesn’t judge — an HCP can ask “basic” questions without embarrassment
Result (Alfasigma case): +45% engagement on new treatments compared to printed materials.
Compliance Risks
But this is where the problems begin:
- Hallucination: Linda could invent a contraindication that doesn’t exist. If an HCP believes it and changes a prescription, the damage is real.
- Data breaches: If Linda stores the fact that “Dr. Rossi asked about breast cancer,” and that information leaks, it is a serious privacy issue.
- Unauthorised autonomy: If Linda independently decides to email an HCP suggesting a treatment without human approval, it violates regulations.
- Bias: If Linda was trained on data that favours certain HCPs or certain medical practices, she could discriminate unintentionally.
How Linda Mitigates the Risks
- Restricted actions. Linda can answer FAQs, explain mechanisms of action, and suggest reading materials. She cannot prescribe, provide specific dosages, or contact HCPs autonomously.
- Audit logs and traceability. Every response from Linda is logged with a timestamp, user, question text, response text, and the name of the approver.
- Human approval gates. Responses to critical questions — dosages, interactions, contraindications — pass through a human gate before reaching the HCP.
- Fact-checking layer. Every response is validated against a knowledge base of official clinical data. If Linda says something not found in the KB, it is flagged for human review.
3) Compliance Implementation
Phase 1: Risk Assessment
Before launching Linda, we classified the system according to the EU AI Act.
- Input: What does Linda do? Who uses Linda? What is the risk if she gets it wrong?
- Output: Linda = Annex III (high risk)
This determines everything else: had it been a marketing avatar (low risk), the requirements would have been different. But pharma = high.
Phase 2: Technical Documentation
We created complete technical documentation:
- System architecture: How Linda is built, and which components are used (LLM, retrieval, validation, logging)
- Training data: What was Linda trained on? (Official clinical data, case studies, historical HCP Q&As)
- Testing results: Accuracy on pharma FAQs? Hallucination rate? False positive rate for contraindications?
- Known limitations: What can’t Linda do? In which cases might she fail?
- Mitigation strategies: If Linda hallucinates, how do we detect it? What are the rollback procedures?
Phase 3: Data Governance
- PII handling: If an HCP says “my patient has X,” Linda does not store the patient’s name — only the clinical context. No nominative medical data is held in memory.
- Traceability: Every log contains: timestamp (UTC), user ID (not name), question hash, response hash, approving person.
- Right to erasure: If an HCP requests “delete everything about me,” we have a process: we identify all logs with that user ID, anonymise them, and retain only aggregated statistics.
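A sketch of the log record and erasure process described in this phase, added here as an example; it is not Linda's or Media Engineering's code. The HMAC-based pseudonym, the key, the field names and the per-day counter are assumptions, and all sample values are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone

PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: real key lives in a secrets manager

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def pseudonym(hcp_identifier):
    # Keyed HMAC: the log carries a stable user ID, never the name, and the
    # ID cannot be recomputed from a name without the key.
    mac = hmac.new(PSEUDONYM_KEY, hcp_identifier.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]

def make_record(hcp_identifier, question, response, approver, when):
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return {
        "timestamp": when.astimezone(timezone.utc).isoformat(),
        "user_id": pseudonym(hcp_identifier),
        "question_hash": sha256_hex(question),
        "response_hash": sha256_hex(response),
        "approver": approver,
    }

def matches(record, question, response):
    # Audit check: confirm a question/response pair is the one that was logged.
    return (hmac.compare_digest(record["question_hash"], sha256_hex(question))
            and hmac.compare_digest(record["response_hash"], sha256_hex(response)))

def erase_user(log, stats, hcp_identifier):
    # Right to erasure: drop the user's records, keep only per-day counts.
    uid = pseudonym(hcp_identifier)
    kept = []
    for rec in log:
        if rec["user_id"] == uid:
            day = rec["timestamp"][:10]
            stats[day] = stats.get(day, 0) + 1
        else:
            kept.append(rec)
    return kept

# Constructed sample data
T0 = datetime(2026, 1, 15, 9, 30, tzinfo=timezone.utc)
LOG = [
    make_record("hcp-a@example.org", "What is the half-life?", "See SmPC 5.2.", "approver-01", T0),
    make_record("hcp-b@example.org", "Is it renally cleared?", "See SmPC 5.2.", "approver-01", T0),
    make_record("hcp-a@example.org", "Any food effect?", "See SmPC 5.2.", "approver-02", T0),
]
```

Hashing short, guessable questions without a key lets anyone with the log test candidate texts against it, so the hashes should be treated as sensitive in their own right.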
Phase 4: Human Oversight
- Risk scoring: Every question receives a risk score (low/medium/high):
  - Low (standard FAQ): auto-approved response
  - Medium (technical question): human review within 5 minutes
  - High (dosage, contraindication): escalation to a pharmacologist MD
- Approval dashboard: The pharmacology team accesses a dashboard, views the queue of pending responses, and approves/rejects/rewrites in under 30 seconds.
- Escalation rules: If a question remains in the queue for more than 30 minutes, it is automatically escalated to the lead pharmacist.
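The routing and escalation rules of this phase, written out as an added example rather than the production system's code. The keyword list, the FAQ allow-list, the role names and the choice to treat any unrecognised question as medium (so nothing unknown is auto-approved) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Critical topics named on the page; the exact terms are an assumption.
CRITICAL_TERMS = ("dosage", "dose", "interaction", "contraindication")
# Hypothetical allow-list of pre-approved FAQ wordings (constructed).
APPROVED_FAQ = {"what is the mechanism of action?"}
REVIEW_WITHIN = timedelta(minutes=5)     # medium: human review target
ESCALATE_AFTER = timedelta(minutes=30)   # queue age before escalation

def risk_score(question):
    q = " ".join(question.lower().split())
    if any(term in q for term in CRITICAL_TERMS):
        return "high"
    if q in APPROVED_FAQ:
        return "low"
    return "medium"  # fail closed: unknown questions never auto-approve

def route(question, now):
    risk = risk_score(question)
    item = {"question": question, "risk": risk, "queued_at": now,
            "status": "pending", "assignee": None, "review_due": None}
    if risk == "low":
        item["status"] = "auto_approved"
    elif risk == "medium":
        item["assignee"] = "reviewer"
        item["review_due"] = now + REVIEW_WITHIN
    else:
        item["assignee"] = "pharmacologist_md"
    return item

def sweep(queue, now):
    """Reassign items pending for more than 30 minutes to the lead pharmacist."""
    escalated = []
    for item in queue:
        overdue = now - item["queued_at"] > ESCALATE_AFTER
        if item["status"] == "pending" and overdue and item["assignee"] != "lead_pharmacist":
            item["assignee"] = "lead_pharmacist"
            escalated.append(item)
    return escalated

# Constructed sample run
T0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
QUEUE = [route(q, T0) for q in (
    "What is the mechanism of action?",
    "How was the phase 3 trial designed?",
    "What dosage is recommended for elderly patients?",
)]
```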
Phase 5: Audit & Monitoring
- Anomaly detection: Continuous monitoring to detect: rising hallucination rates, shifts in question types (which may indicate bias), and anomalous response times (which may indicate an attack).
- Periodic audits: Every quarter, manual review of 100 random logs. Accuracy? Appropriateness of approvals? Regulatory compliance?
- Drift monitoring: If Linda’s behaviour changes significantly, an automatic alert is triggered.
Case Study: Alfasigma — From Low Engagement to +45% in 3 Months
The Problem
Alfasigma is a Tier 1 Italian pharma company. They were launching a new treatment for a rare condition. The target: specialist physicians. The problem: extremely low engagement. Printed materials were inadequate given the complexity of the new drug. Specialists could not easily find the answers they needed. Pre-Linda result: 12% of target physicians had engaged with the launch materials after 6 weeks.
The Solution
We deployed Linda to answer questions on the mechanism of action, dosage, interactions, and contraindications of the new drug. Not as an autonomous agent — with a full human gate: every response from Linda passed through a pharmacologist MD before reaching the physician. Setup time: 6 weeks. Training data: 200+ Q&As created by Alfasigma experts. Risk assessment: compliant with Law 132 + EU AI Act.
Results
- Engagement: From 12% to 57% of physicians interacting with Linda within 3 months
- Compliance: Zero compliance violations over the 3 months
- Audit trail: 100% of responses approvable by humans, 0 significant hallucinations
- Adoption: Physicians were requesting more access to Linda, not less
Learnings
The first 2 weeks? Pure overhead — implementing governance, training the pharmacology team, testing on real cases. After that? Fast. Governance doesn’t slow things down — it provides structure. With well-designed human gates, the approval flow is smooth.
Conclusion
Pharma compliance is not an added cost to AI. It is the foundation without which AI could not even exist in the sector.
Law 132/2025 and the EU AI Act (from 2 August 2026) are not “rules to work around.” They are an opportunity: companies that build strong governance now will have a significant advantage when regulation becomes more stringent.
Linda was not designed first and made compliant after. She was designed compliant from day one. That is how she has been able to operate, scale, and generate real value.
If you are considering AI avatars for your pharma business — whether for HCP engagement, patient education, or regulatory affairs — the right question is not “what does it cost?” It’s “is it compliant?”
For a deeper look at Digital Twins in healthcare and the A.N.N.A./Alfasigma case, read the article published by AboutPharma: Digital twin and healthcare training: from simulation to real competence — Helyx-AboutPharma, in collaboration with Media Engineering.


