Mike Lombardo
Integrated Quality Management, Information Security, Data Privacy, GRC, AI Governance & GxP Compliance Executive Leader
A cohesive department, not six silos.
I'm a senior executive with 15+ years building integrated Quality Management, Information Security, Data Privacy, Product Solution Security, AI Governance, and Computer System Validation functions across regulated SaaS, pharmaceutical, biotech, and medical device organizations. I currently own the enterprise Governance, Risk & Compliance (GRC) program tying these six disciplines together, and oversee five integrated management systems (ISO 9001, ISO 13485, ISO 27001, ISO 42001, and ICH Q10).
What sets my work apart is integration. Most organizations run Quality, Information Security, Privacy, Product Security, and AI Governance as separate silos with overlapping controls, redundant audits, and competing priorities — frustrating operators and weakening every outcome. I treat them as one cohesive department, governed under a single enterprise GRC framework: shared risk taxonomy, harmonized policies, unified audit calendar, and a single voice to executive leadership, without sacrificing the depth each discipline requires. The result is faster certifications, fewer findings, lower operational burden on the business, and a team that knows how to move together.
Selected accomplishments include authoring an enterprise AI Governance Policy adopted at the parent-company level, establishing a greenfield ISO 27001:2022 program across 15 brands, orchestrating an FDA SaMD transition from 21 CFR Part 820 to ISO 13485, and leading FDA 483 / Warning Letter remediation across 10 global injectable manufacturing sites. I'm a Veeva Visionary Award recipient (2018) and an active builder — I personally develop AI-assisted production applications using modern development workflows, hosted on my own AWS infrastructure.
Six disciplines, one operating model.
Each discipline below operates with its own depth, but shares a single risk taxonomy, harmonized policy framework, unified audit calendar, and one voice to executive leadership.
Quality Management
- QMS Design, Implementation, Integration & Transformation
- Document & Record Management
- Deviations, CAPA, Root-Cause Analysis & Quality Events
- Change Control & Configuration Management
- GxP Training & Curriculum Development
- GxP Vendor & Supplier Qualification
- Internal & External GxP Auditing
- Product Complaints & Field Actions
- Risk Assessments & Risk Management (ICH Q9, ISO 31000)
- Batch Record Review & Document Approval
- Management Review & Quality KPIs
- FDA SaMD Transition (21 CFR 820 → ISO 13485)
- M&A Quality Integration & Site Closure
Information Security
- ISMS Design, Implementation, Maturity & Continuous Improvement
- ISMS Risk Management, Change Management & Gap Assessment
- ISO 27001 Lead Implementation & Internal Audit
- Security Operations Center (SOC) & Threat Detection
- Security Engineering & Detection Engineering
- SOC 2 Type II Compliance & Audit Support
- Cloud-Native Security Operations
- Vulnerability & Penetration Testing Programs
- Vendor & Third-Party Risk Management
- Customer Trust Centers & Customer Audit Response
- FedRAMP / TxRAMP Readiness
- CMMC Level 1 Self-Attestation
Data Privacy
- Enterprise Data Privacy Program Design & Operationalization
- GDPR — Lawful Basis, ROPA, DPIAs & Cross-Border Transfers
- HIPAA Privacy & Security Rule Compliance
- CCPA / CPRA & US State Privacy Law Compliance
- Data Subject Access Requests (DSAR) — Intake, Verification & Fulfillment
- Consent Management & Preference Centers
- Privacy-by-Design & Privacy Impact Assessments (PIA)
- Data Mapping, Inventory & Retention Schedules
- Breach Notification & Incident Response (HIPAA, GDPR, State)
- Data Processing Agreements (DPA) & Vendor Privacy Reviews
AI Governance & AI-Enabled Operations
- AI Management System (AIMS) Design — ISO/IEC 42001:2023
- NIST AI Risk Management Framework (RMF 1.0)
- EU AI Act Compliance Programs
- FDA Good Machine Learning Practice (GMLP) & IMDRF SaMD
- AI Risk Assessment, Inventory & Classification
- AI Lifecycle Controls & Post-Market Monitoring
- Enterprise AI Policy Authorship & Cross-Organizational Adoption
- AI Tool Governance & Approved-Tools Frameworks
- AI-Assisted Application Development for Production Use
- Personally Developed AI-Enabled Applications (HIPAA Compliance Assessment, Governance Navigators)
Computer System Validation (CSV / CSA)
- CSV / CSA Lifecycle Oversight & QA Review
- GAMP 5 (Second Edition) Risk-Based Validation
- 21 CFR Part 11 & EU Annex 11 Compliance
- Data Integrity (ALCOA+) & Audit Trail Review
- IT Change Control & QA Review of Change Records
- SDLC — Agile & Waterfall
- Validation Deliverables: URS, FS/DS, IQ/OQ/PQ, Traceability Matrices, Summary Reports
- Periodic Review & Retrospective Validation
- System Implementation, Migration, Go-Live & Decommissioning
Product Solution Security
- Secure Software Development Lifecycle (SDLC)
- Security-by-Design Architecture & Threat Modeling
- Application & API Security (SAST / DAST / SCA)
- Software Bill of Materials (SBOM) & Supply Chain Security
- Customer-Facing Security Features
- Trust Center Operations (SafeBase) & Customer Security Reviews
- Product Vulnerability Disclosure & Pen Testing
- VPAT / Section 508 / Accessibility Compliance
Management System Standards
- ISO 9001:2015 — Quality
- ISO 13485:2016 — Medical Devices
- ISO/IEC 27001:2022 — Information Security
- ISO/IEC 27002:2022 — Information Security Controls
- ISO/IEC 27017:2015 — Cloud Security
- ISO/IEC 27018:2019 — Cloud PII Protection
- ISO/IEC 27701:2019 — Privacy Information Management (PIMS)
- ISO/IEC 42001:2023 — AI Management
- ISO 31000:2018 — Enterprise Risk Management
- ISO 22301:2019 — Business Continuity
- ISO 37301:2021 — Compliance Management Systems
- ISO 90003:2018 — Software Quality
- ISO 19011:2018 — Auditing
- ICH Q7, Q9(R1), Q10 — Pharmaceutical Quality
- AICPA TSC — Trust Services Criteria (SOC 2)
- NIST Cybersecurity Framework (CSF) 2.0
Regulations & Frameworks
- FDA — 21 CFR Parts 11, 58, 210, 211, 314, 803, 820; CSA + CSV
- EU — Annex 11, MDR, GDPR, EU AI Act, EU Cyber Resilience Act (CRA), NIS2, DORA
- US State Privacy — CCPA / CPRA, VCDPA (VA), CPA (CO), CTDPA (CT), UCPA (UT)
- HIPAA — 45 CFR Parts 160 & 164 (Privacy, Security, Breach Notification)
- PIPEDA (Canada), LGPD (Brazil), DPDP Act (India), APPI (Japan)
- COPPA (US Children's Privacy)
- PMDA / ERES (Japan)
- NIST 800-53; NIST 800-171 (CUI); NIST AI RMF 1.0
- CMMC, FedRAMP, TxRAMP, HITRUST CSF
- PCI DSS 4.0
- SOX — IT General Controls (ITGC)
- VPAT / Section 508 / Accessibility
Selected accomplishments.
A representative sample of recent work — policy authorship, certifications, transformations, and remediations.
Selected thought leadership.
- Panel (the original Veeva blog has been removed; the link is to the Internet Archive snapshot)
- Whitepaper
- Publication (the original whitepaper was adapted by Tessa Heffernan for publication)
Credentials & supporting documents.
Full CV, professional certifications, awards, and publications are maintained in a protected document library. Available to recruiters, executive search partners, and prospective engagement partners upon request.
QSV Management Services LLC
Founded in 2024 — a focused, fractional executive advisory practice for SaaS, biotech, pharmaceutical, and medical device companies that need senior judgment without a full-time hire. Built around the same integrated GRC approach: Quality, Security, Privacy, and Validation, working together rather than apart.