
One Pathway, Every Regulator

Why Cannabis Compliance Always Reduces to Two Moves

By Andrew Samann · Cofounder, Intrepid Scientific · 2026-06-19

Companion pieces: The Pharmaceutical Era (the strategic frame) · The 60-Day Federal Pathway (the DEA-registration baseline) · Build Once, Build to the Highest Bar (the integrated GMP stack). This piece sits above all three — it is the method they share.


0. Read-Me-First Summary

In a single eighteen-month stretch, a state-licensed cannabis operator can be hit with what look like four entirely separate compliance problems:

  • DEA Schedule III — federal registration under 21 CFR § 1301.13(k), and, as of June 2026, on-site DEA inspections that demand SOPs, security plans, training records, inventory histories, and process narratives.
  • A new state market — Virginia opens adult-use license applications July 1, 2026, with final Cannabis Control Authority regulations due by September 1 and sales as early as November 1. Producers must submit written security and diversion-prevention plans, pass mandatory product testing, and survive annual audits.
  • FDA / pharma pathway — Part 211, ICH Q7, clinical-trial-material supply.
  • EU and other export markets — EU-GMP, the Qualified Person function, GACP.

Each arrives with its own forms, its own vocabulary, its own inspector. The instinct is to treat each as a new project and start from zero.

That instinct is wrong, and it is expensive. Strip away the letterhead and every one of these regimes asks an operator to do the same two things, in the same order:

  1. Set specifications — write down, in measurable terms, what "compliant" looks like for your operation under the rules that apply to you.
  2. Perform a risk assessment — find where you fall short of those specifications, rank the gaps by how badly they can hurt you, and close them worst-first.

Everything else — the SOPs, the security hardware, the training matrix, the batch records, the audit — is just the output of those two moves. Get the method right and the regulator becomes an input you swap in, not a wall you rebuild against. This piece is about that method, why it holds across every cannabis regime, and why it is the only approach that works when the rules themselves are not final yet.


1. The Problem Isn't the Rules — It's That They Never Stop Moving

Cannabis operators in 2026 are not failing compliance because the rules are too hard. They are failing because the rules will not hold still long enough to chase.

Consider the calendar a vertically integrated operator is actually living through:

Date | Event | What it demands
April 28, 2026 | DEA Schedule III rule effective (§ 1301.13(k)) | Federal registration, federal recordkeeping
~June 27, 2026 | DEA 60-day expedited filing window closes | Clean public-interest file, twelve operational SOPs
June 2026 | DEA on-site inspections begin | Live document production: training, security, inventory, narratives
July 1, 2026 | Virginia adult-use applications open | Security + diversion-prevention plans, facility specs
Sept 1, 2026 | Virginia CCA final regulations due | Full operational rule set — not yet published
Nov 1, 2026 | Virginia retail sales may begin | Lab-tested, compliant product on shelves
2027 (est.) | Possible broader federal rescheduling | Larger eligible pool, intensified scrutiny

An operator who builds a bespoke compliance program against each of these, one at a time, is permanently behind. By the time the Virginia file is assembled, the DEA inspector is at the door. By the time the DEA SOPs are signed, the CCA has published rules that name three things the SOPs don't cover.

The operators who stay ahead share one trait: they stopped building against rules and started building against specifications, using a method that absorbs new rules as they land. The rule is data. The method is the asset.


2. The Insight: Every Regime Is the Same Two Moves

This is not a marketing simplification. It is the literal structure of modern quality regulation, and it is codified.

Set specifications. ICH Q6A — the international standard for specifications — defines a specification as "a list of tests, references to analytical procedures, and appropriate acceptance criteria." In working practice, an operation's specifications are its Critical Quality Attributes (CQAs) and Critical Safety Attributes (CSAs) — the measurable targets a product, substance, or process must hit, each tied to a test method and an acceptance range (e.g., 90–110% of labeled cannabinoid content; below the action limit for each required pesticide and residual-solvent analyte). DEA's registration form is a specification ("do you have an SOP for inventory? for destruction? for theft reporting?"). A state's required test panel is a specification — and, as discussed below, usually the one that drives everything else. Virginia's security mandate is a specification ("cameras covering these areas, retained this long, with these access controls"). A customer's EU-GMP audit is a specification. They differ only in their contents — never in their form.

Perform a risk assessment. ICH Q9(R1) — Quality Risk Management — is the discipline for the second move. It defines risk as the combination of the probability that something goes wrong and the severity of the harm if it does, and it runs a defined loop: identify the risks, analyze them (probability, severity, and how likely you are to detect the problem before it reaches a patient), evaluate each against an acceptance criterion, then control worst-first and review on a cycle. The method evaluates every step of the mapped production process against every gap between where you are and what the specification requires. The top of the ranking is what you fix first; the bottom is what you document and monitor. Many risks are retired upstream — a specification is verified before the process is allowed to proceed — so the process map itself shows where every check lives.

That's the whole engine. Specifications tell you the target. Risk assessment tells you the order of attack. Every controlled-substance regime, every state cannabis program, every GMP standard, every ISO accreditation is a different set of inputs to the same two-stroke machine.

Once leadership internalizes this, the panic of "another new regulator" subsides into a routine: get the new specification, run it through the risk assessment we already maintain, and extend the controls we already have.


3. The Universal Pathway

The two moves expand into a six-step operating loop. It is regulator-agnostic by design — only Step 1 changes when a new rule lands.

Step 1 — Scope and intended use (the only step that changes per regulator)

Define the entity, the products, the processes, and — critically — which regulators and markets are in play. A medical-only single-state dispensary has a narrow scope. A vertically integrated operator eyeing Virginia adult-use, DEA medical registration, and eventual EU export has a wide one. This step is where you list the rule sets you must satisfy. Everything downstream is driven by this list.

Step 2 — Set specifications (the requirements register)

Translate every applicable requirement — DEA, state, FDA, EU, customer, ISO — into one consolidated, measurable requirements register. One row per requirement: the source rule, the plain-language specification (the Critical Quality or Safety Attribute), the test method, the acceptance criterion, and the evidence that proves it. In practice the state's mandated test panel is the strongest driver of this register — the analytes a regulator forces you to test for (potency, microbials, heavy metals, pesticides, residual solvents, mycotoxins, water activity) dictate the CQAs and CSAs, which in turn dictate the controls. When two regulators demand the same thing at different strictness, the register records the highest common bar so you build it once. (This is the engine behind Build Once, Build to the Highest Bar.)

Step 3 — Gap assessment

Walk the register against reality. For each row: Do we meet this today — fully, partially, or not at all? The honest version of this step is uncomfortable, which is why most operators skip it and most inspections find it. The output is a defensible, current-state map.

Step 4 — Risk assessment (ICH Q9)

Score each gap and each process step on probability, severity, and detectability, then evaluate it against an acceptance criterion, per the ICH Q9(R1) Quality Risk Management framework. A missing theft-reporting SOP when DEA is conducting on-site inspections scores high — likely, consequential, and hard to catch after the fact; a not-yet-formalized periodic-review cadence for a low-risk record scores low. Use a real, documented tool — FMEA, a risk matrix, or equivalent — and write the rationale down, with a justification for each rating. The documented risk assessment is itself a deliverable inspectors and auditors increasingly ask to see.

Step 5 — Controls and remediation

Close the gaps worst-first. Controls are the familiar artifacts — SOPs, security and diversion-prevention plans, training records, batch records, access logs, signage — but here each one is traceable to a specific risk and a specific specification. Nothing is built because "everyone has one." Everything is built because the register demanded it and the risk assessment prioritized it. That traceability is what turns a binder of documents into a defensible system.

Step 6 — Verify and maintain (the lifecycle)

Validate that controls actually work, then keep them working: internal audit, CAPA, change control, and periodic review. This step is what absorbs the recurring obligations that trip up operators — DEA's biennial inventory, Virginia's annual audit, the "complete inventory to DEA every two years" requirement surfacing in first-wave inspections. A new rule doesn't restart the project; it enters at Step 1, flows through the register, and updates the controls. The loop never closes — it idles, ready for the next input.

The payoff in one sentence: build the loop once, and every future regulator is a Step-1 edit — not a new project.


4. Worked Example A — DEA Schedule III (Federal)

Run the federal regime through the pathway and watch it decompose cleanly.

  • Step 1 — Scope: state-medical cultivator seeking DEA registration under § 1301.13(k); federal medical scope only; adult-use segregated.
  • Step 2 — Specifications: the DEA registration form is the specification. It asks for SOPs (ordering, receiving, inventory, storage, security, dispensing, distribution, destruction, theft/loss, due diligence, recordkeeping), a security profile, a personnel access list, supplier DEA numbers, and process narratives. Each becomes a register row with an acceptance criterion.
  • Step 3 — Gap assessment: most operators discover their SOPs exist informally, their security is state-compliant but undocumented to federal expectations, and their public-interest file has unaddressed METRC discrepancies.
  • Step 4 — Risk assessment: with DEA now conducting six-hour on-site inspections (first wave reported in Mississippi, June 2026) and requesting full inventory lists, vendor lists, training documents, and security plans on demand, the gaps around live document production score highest.
  • Step 5 — Controls: the twelve SOPs, the public-interest defense memo, the buy/sell-back batch-record SOP, the § 825(c) label addition, the DEA Form 106 workflow.
  • Step 6 — Maintain: the biennial inventory, synchronized state/DEA renewal calendars, and inspection-readiness drills.

The full mechanics live in The 60-Day Federal Pathway. The point here is structural: nothing in that 45-page primer falls outside the six steps.


5. Worked Example B — Virginia Adult-Use Launch (State)

Now run a completely different regulator — a new state market, not a federal controlled-substance scheme — through the same pathway. Watch the steps hold.

  • Step 1 — Scope: prospective Virginia cultivator (Tier I–V) or microbusiness; adult-use; applications open July 1, 2026.
  • Step 2 — Specifications: the framework already names them — written security and diversion-prevention plans (camera coverage, retention, access controls, alarms), facility and canopy specifications, mandatory product lab testing, child-resistant/tamper-evident packaging, and seed-to-sale traceability. The final acceptance criteria arrive with the CCA regulations due September 1, 2026. The register is built now with the framework-level rows and finalized the day the regs publish.
  • Step 3 — Gap assessment: a greenfield applicant assesses against the framework; an operator converting from medical or hemp assesses what transfers.
  • Step 4 — Risk assessment: diversion exposure, testing-failure risk, and security-plan adequacy score highest because they gate the license itself and the annual audit that follows.
  • Step 5 — Controls: the security/diversion plan as a deliverable, traceability SOPs, testing-and-release procedures, packaging controls.
  • Step 6 — Maintain: Virginia's annual CCA audit is a Step-6 obligation — the same lifecycle slot DEA's biennial inventory occupies.

The critical lesson is in Step 2. Virginia's detailed rules do not exist in final form yet. An operator chasing rules has nothing to build against until September 1 — and then must scramble before a November 1 sales window. An operator running the pathway builds the register from the framework now, scores the risks now, stands up the obvious controls now, and slots the final acceptance criteria in the moment the CCA publishes. The method lets you start before the rulebook is finished. That is not a nicety — in a market opening this fast, it is the difference between launching on day one and launching a quarter late.


6. Why This Beats Chasing Rules

Three durable advantages fall out of running the pathway instead of reacting to each regulator:

It is rule-proof. When the broader federal rescheduling lands, when the CCA publishes, when a customer demands EU-GMP — none of it restarts your program. Each is a Step-1 scope edit that flows through a register and risk assessment you already maintain. Your competitors start a new project; you update a row.

It builds the highest bar once. Because the register records the strictest common requirement across all regulators in scope, you don't build a DEA security plan and then a Virginia security plan and then an EU one. You build one plan to the highest bar and map it to all three. Sequential, regulator-by-regulator builds run roughly 2.2× the cost of the integrated approach (see Build Once).

It survives the inspector you didn't expect. The DEA agents now walking dispensary floors are asking for training documents, vendor lists, and process narratives — the exact artifacts the pathway produces as a matter of course. An operator running the loop hands them over. An operator who built a binder for one purpose discovers it doesn't answer the question actually being asked.


7. Common Failure Modes

The pathway fails in predictable ways. Each maps to a skipped or shortcut step.

  • Skipping Step 1 (scope creep blindness). Building DEA-only controls, then discovering an export customer needs EU-GMP and the whole register was scoped too narrowly.
  • Specifications without acceptance criteria (Step 2). "We have a security SOP" is not a specification. "Cameras cover all controlled-substance areas and points of entry, 30-day retention, role-based access" is. Vague specs produce un-auditable controls.
  • Controls before risk assessment (skipping Step 4). Buying expensive controls for low-risk gaps while a high-severity gap sits open because nobody ranked them. Effort goes where anxiety is loudest, not where risk is highest.
  • Documents that don't trace (Step 5). A binder of SOPs nobody can connect to a requirement or a risk. It looks like compliance and collapses under a single "why do you do it this way?"
  • No lifecycle (skipping Step 6). Passing the initial application, then missing the biennial inventory or annual audit because maintenance was never built in. Compliance treated as an event, not a loop.

8. What This Piece Is and Is Not

This piece is the conceptual method that unifies Intrepid Scientific's cannabis-compliance work: set specifications, perform a risk assessment, control worst-first, verify on a lifecycle — applied identically across DEA Schedule III, new state markets like Virginia, FDA, and EU export.

This piece is not an implementation guide, and it is not a substitute for the regulator-specific primers. The DEA registration mechanics are in The 60-Day Federal Pathway; the integrated GMP build is in Build Once, Build to the Highest Bar; the strategic frame is in The Pharmaceutical Era.

This piece is not legal advice, and it is not a statement that any specific Virginia regulation is final. Virginia's operational requirements are framework-level pending the Cannabis Control Authority's regulations due on or before September 1, 2026. Confirm current requirements with qualified counsel before acting.


Next Steps for Your Operation

Whether the regulator at your door is the DEA, a new state authority like Virginia, an FDA pre-approval team, or an EU customer's auditor, the first move is the same: build the requirements register and run the risk assessment. Everything downstream flows from those two artifacts — and they are reusable against every regulator that comes after.

Start now, for free. We built a fillable Risk Assessment Worksheet that walks this exact method — scope, specification register (CQAs/CSAs), the ICH Q9 risk register, remediation plan, and verification sign-off. Download it, fill it for one product or process line, and you have the first draft of your assessment in an afternoon.

Intrepid Scientific also offers two hands-on starting points:

1. Compliance Pathway Diagnostic — fixed fee. A scoped engagement that delivers your requirements register across the regulators in your scope (DEA, state, FDA, EU as applicable), an ICH Q9 risk assessment of your current-state gaps, and a prioritized, worst-first remediation roadmap. If a regulator's requirements aren't final yet — as with Virginia — we build the framework-level register now and structure it to absorb the final rules the day they publish.

2. Pathway Build Engagement — quote-based. Hands-on buildout of the controls the diagnostic prioritizes — SOPs, security and diversion-prevention plans, training systems, batch records, and the verification lifecycle — each traceable to a specification and a risk. Phased and decision-gated like all our engagements.



Authorities and Source Standards

Federal / DEA

  • AG Order No. 6754-2026 / FR Doc. 2026-08176; 91 Fed. Reg. 22,714 (Apr. 28, 2026) — Schedule III final rule
  • 21 CFR § 1301.13(k) — expedited registration pathway for state-medical licensees
  • 21 CFR § 1308.13(g)(2)–(4) — Schedule III drug codes 7362 / 7353 / 7386
  • 21 U.S.C. §§ 823(e)–(g), 825(c), 827 — public-interest factors, statutory warning, recordkeeping/inventory

Virginia (framework-level; final regulations pending Sept 1, 2026)

  • Va. Code (HB 2312 / SB 1406, as amended by 2026 enabling legislation) — adult-use framework
  • Virginia Cannabis Control Authority — licensing, security and diversion-prevention plan requirements, product testing, annual audits (regulations due on or before September 1, 2026)

International / scientific method

  • ICH Q6A — Specifications: Test Procedures and Acceptance Criteria (CQA/CSA framework)
  • ICH Q9(R1) — Quality Risk Management (risk assessment, control, communication, and review)
  • ICH Q10 — Pharmaceutical Quality System

About the Author

Andrew Samann is a Cofounder of Intrepid Scientific. Recognized as a Processing Pro on The Cannabis Scientist's Power List for 2021 and 2022, Andrew has led over 100 GMP and quality-system engagements across North America, South America, and the European Union — including international compliance work against FDA, EU GMP, EMA, Australian TGO, and ICH guidelines. He led the ASTM D37.02 Quality Management Systems Subcommittee for Cannabis, has certified multiple Canadian cannabis Licensed Producers, and is also Founder & CEO of Orion GMP Solutions.

About Intrepid Scientific

Intrepid Scientific is an independent scientific consulting firm offering ISO/IEC 17025 lab accreditation readiness, GMP and cGMP compliance, analytical method development and validation, microbiology and environmental monitoring, expert witness, and Federal Pathway / Schedule III advisory across cannabis, hemp, food and beverage, pharmaceutical, and dietary-supplement industries. Senior scientists. Direct engagement.

Cofounders: Andrew Samann; Kate Evans, PhD; Tess Eidem, PhD; Julie Kowalski, PhD.

Learn more at intrepidscientific.com.
