MFLRC - MF License & Regulatory Consultants

June 30, 2026 · Quality Assurance

Using AI in GMP Documentation Without Triggering a Compliance Failure

By Mussarat Fatima


In April 2026, the FDA did something it had never done before. It issued a warning letter that named artificial intelligence as part of the reason a drug manufacturer fell out of compliance. The company, Purolea Cosmetics Lab in Livonia, Michigan, had used AI agents to write its specifications, procedures and production records, then released those documents into use without a qualified person reviewing them. One of the requirements the AI missed was process validation, and the firm told inspectors it did not know the requirement existed because, in its words, the AI agent never told it.

That single sentence should concern every quality and regulatory leader who is now experimenting with AI. The lesson is not that AI is banned in a GMP environment. The lesson is that AI does not carry your accountability, and using it without controls turns a productivity tool into an inspection finding. This guide explains, step by step, how to use AI in GMP documentation safely, so you capture the efficiency without creating data integrity, computer system validation or process validation gaps.

Executive summary

The first FDA enforcement action to cite AI rests on the oldest principle in good manufacturing practice: the people responsible for quality must review and approve what goes into the quality system. AI changed the speed of document creation, not the rules of accountability. Regulators in the United States, Canada and Europe are converging on the same expectation, which is human oversight scaled to risk, validated tools and defensible records. Companies that build a simple AI governance framework now, covering review, validation, data integrity and a written procedure for AI use, will be able to adopt these tools with confidence. Companies that bolt AI onto an unprepared quality system risk repeating the Purolea outcome.

What actually happened at Purolea

The Purolea warning letter is short on AI theory and long on consequences. It is the clearest signal yet of how the FDA treats AI under existing law. Rather than write new AI rules, the agency reached for a foundational cGMP provision, 21 CFR 211.22(c), and applied it to AI-generated documents.

| Detail | What the record shows |
| --- | --- |
| Warning letter reference | 320-26-58 (MARCS-CMS 722591) |
| Date issued | 2 April 2026 |
| Recipient | Purolea Cosmetics Lab, Livonia, Michigan |
| Issuing office | CDER, Office of Compliance |
| Products | Homeopathic OTC drug products with disease-treatment claims |
| AI-related citation | 21 CFR 211.22(c), AI-generated documents used without Quality Unit review |
| Related failure | No process validation before distribution (21 CFR 211.100) |
| Current status | Firm has ceased drug production |

The detail that matters most for the rest of this article is the process validation gap. The firm relied on an AI agent to tell it what the regulations required. The AI did not flag process validation, so the company never performed it, and shipped product anyway. The FDA position is plain: where AI is used as an aid in creating documents, the manufacturer must review those outputs to confirm they are accurate and actually compliant, and failing to do so is a violation. For a full breakdown of the case and what it means for your Quality Unit, see our companion analysis, what the Purolea case means for your Quality Unit.

One nuance is worth noting for non-pharma readers. A company with cosmetics in its name was held to drug cGMP because its products made disease-treatment claims, which made them unapproved drugs. Product classification, not company branding, decides which rules apply. That is a direct warning to natural health product, cosmetics and cannabis operators who assume drug-grade expectations do not reach them.

Why this matters now, across every regulated sector

What is the issue? Teams across pharmaceuticals, natural health products, cosmetics and cannabis are adopting AI to draft SOPs, specifications, batch records, validation protocols, labels and regulatory submissions. The speed is real, and so is the risk when those outputs go unchecked.

Why does it matter? Regulators have signalled that AI-assisted records must be reviewed, validated and controlled like any other GxP system, and that quality accountability is not reduced when AI is involved. An unreviewed AI output is treated as your document, with your name on it.

What should companies do? Put a governance layer around AI before scaling its use, not after the inspector arrives. The rest of this guide sets out that layer.

The risk is cross-sector because the underlying obligations are cross-sector. Canadian licence holders sit under Health Canada Good Manufacturing Practices for drugs, the Natural Health Product GMP requirements in GUI-0158, Good Production Practices for cannabis, and preventive control plans for food. Each framework demands documented procedures, approved by a responsible person, supported by reliable records. AI does not change any of that.

The core principle: AI does not reduce accountability

Before the framework, internalize the principle the FDA used. Under 21 CFR 211.22, the Quality Control Unit, often called the Quality Unit, holds the responsibility and authority to approve or reject all procedures and specifications that affect the identity, strength, quality and purity of a product. Subsection (c) makes the approval of procedures and specifications an explicit Quality Unit duty. A large language model is not a member of your Quality Unit. It cannot hold responsibility, cannot be inspected, and cannot sign with accountability.

A seven-step framework to use AI in GMP documentation safely

Here is a practical governance model you can adopt regardless of sector. It maps AI use onto controls your quality system already understands: computer system validation, human review, data integrity and process validation.

Step 1: Treat the AI tool as a GxP computerized system

The moment an AI tool helps create or manage a GMP record, it falls within the scope of computer system validation (CSV) and electronic records expectations. Do not treat a chatbot as an informal helper sitting outside your quality system. Bring it inside.

Apply a recognized framework. GAMP 5 Second Edition, published by ISPE in 2022, gives you a risk-based, critical-thinking approach to validating computerized systems and is referenced by regulators worldwide. Where the AI tool creates, modifies or stores electronic records that support GMP decisions, 21 CFR Part 11 controls for electronic records and signatures also come into play. Our deeper guidance on the EU Annex 11 revision and computerised systems covers the same expectations on the European side.

| CSV question for an AI tool | What to document |
| --- | --- |
| What is the intended use? | A defined, written scope for what the tool may and may not be used for |
| What is the risk to product and data? | A documented risk assessment proportionate to GMP impact |
| Is it fit for purpose? | Qualification or validation evidence for the intended use |
| Who can access and change it? | Access controls, user roles and configuration management |
| Are records trustworthy? | Audit trail, version control and electronic record controls |
| How is it kept in a validated state? | Change control, periodic review and ongoing monitoring |

Step 2: Define the context of use and assess the risk

Not every AI use carries the same weight. Drafting an internal meeting summary is low risk. Generating a master production record that drives every batch is high risk. Match your controls to the consequence.

The FDA's January 2025 draft guidance, Considerations for the Use of Artificial Intelligence to Support Regulatory Decision-Making for Drug and Biological Products, offers a useful mental model even though it addresses evidence for regulatory decisions rather than document drafting. It sets out a seven-step, risk-based credibility assessment: define the question of interest, define the context of use, assess the model risk, plan how to establish credibility, execute the plan, document the results and deviations, and determine whether the model is adequate for that context of use. Borrow that logic. Decide what you are asking the AI to do, how much it matters, and how you will prove the output can be trusted before you rely on it.

Step 3: Keep a qualified human in the loop, with review before use

This is the control Purolea skipped. Every AI output that enters a GMP document must be reviewed and approved by a competent person before it is used, and that review must be recorded. Human-in-the-loop is not a slogan; it is the difference between compliance and a citation.

Build the review into your workflow so it cannot be bypassed. The reviewer must have the subject-matter competence to catch an error the model cannot see, including a missing regulatory requirement. Never let an AI tool be the sole source for what the regulations require. A competent regulatory professional, not a model, confirms the obligations that apply to your product and market.

Step 4: Protect data integrity with ALCOA+

AI-generated records must meet the same data integrity standard as every other GMP record. Apply ALCOA+: records should be Attributable, Legible, Contemporaneous, Original and Accurate, plus Complete, Consistent, Enduring and Available. Data integrity remains one of the most cited problem areas in FDA enforcement, as our review of why so many warning letters still cite data integrity explains.

| ALCOA+ principle | How it applies to an AI-assisted record |
| --- | --- |
| Attributable | The human author and approver are identifiable; AI assistance is disclosed where relevant |
| Legible and permanent | The final record and its review history are readable and retained |
| Contemporaneous | Review and approval are recorded when they happen, not backdated |
| Original | The approved version is the controlled master; drafts are managed, not lost |
| Accurate | The content is verified against process knowledge and current regulation |
| Complete | Nothing is selectively deleted; the audit trail captures changes |
| Consistent | The record agrees with related documents and the actual process |
| Enduring and available | The record is retrievable for the full retention period |

Step 5: Validate the process, not just the document

The Purolea firm shipped product without process validation. No amount of polished AI paperwork substitutes for proving that your process consistently makes a quality product. Under 21 CFR 211.100, written production and process control procedures must be established, followed and approved by the Quality Unit. The FDA's process validation guidance frames this as a lifecycle in three stages: process design, process qualification, and continued process verification.

If AI helps you draft a validation protocol, that is fine, provided a qualified person reviews and approves it and the validation is actually performed. The document is not the deliverable. The validated, controlled process is.

Step 6: Write an SOP for AI use and train your people

Govern AI the way you govern any other significant activity, with a written procedure. A short, clear SOP turns good intentions into an auditable control. At a minimum it should define approved tools and uses, prohibited uses, the mandatory human review and approval step, how AI assistance is recorded, data and confidentiality rules, and how the tool is validated and change-controlled. Then train the staff who will use it. Our guidance on how to write SOPs that pass a Health Canada inspection applies directly here.

Step 7: Qualify the tool, manage change and monitor performance

AI models change. Versions update, behaviour shifts, and an output that was reliable last quarter may drift. Qualify your vendor and tool, capture the version or configuration you validated, and bring model updates under change control. Periodically review whether the tool still performs as intended for its context of use. This lifecycle mindset mirrors how Health Canada approaches machine learning in regulated products, as covered in our article on machine learning-enabled medical devices and predetermined change control plans, and how the FDA frames AI and machine learning in its 2026 pharmaceutical quality agenda.

Where AI documentation risk shows up, sector by sector

The control is the same everywhere, which is qualified human review before use. The setting changes.

| Sector | Common AI documentation use | Primary risk | Required control |
| --- | --- | --- | --- |
| Pharmaceuticals | SOPs, specifications, master production and batch records, validation protocols | Errors propagate to every batch; missed cGMP requirements | Quality Unit review and 211.22(c) approval before use |
| Natural health products | Site licence and GMP documentation, specifications, labels | Non-compliant claims or specs; gaps against GUI-0158 | Competent review against NHP GMP and labelling rules |
| Cosmetics | Product information files, safety documentation, label content | Drug-cosmetic line crossed by unapproved claims | Regulatory review of claims and classification |
| Cannabis | Good Production Practices SOPs, QA records, recall procedures | QA oversight gaps and recordkeeping findings | QAP review under Good Production Practices |

For cannabis operators specifically, the accountability point is sharpened by the role of the Quality Assurance Person. Our article on the risks of ignoring cannabis quality assurance shows how unreviewed records become findings fast.

AI in GMP documentation compliance checklist

Use this as a quick self-assessment before you let any AI output into a controlled document.

  • We have a written SOP that defines approved AI tools, approved uses and prohibited uses.
  • Every AI-assisted GMP record is reviewed and approved by a competent person before use, and that review is recorded.
  • We never rely on AI alone to identify regulatory requirements.
  • The AI tool is risk-assessed and validated for its intended use under a CSV framework such as GAMP 5.
  • Electronic records meet 21 CFR Part 11 expectations and ALCOA+ data integrity principles.
  • Process validation and other regulatory obligations are confirmed by qualified people, not assumed from AI output.
  • Model versions and updates are under change control, with periodic performance review.
  • Staff who use AI tools are trained on the SOP and understand they remain accountable for outputs.

Common mistakes to avoid

  • Treating AI as outside the quality system. If it touches a GMP record, it is in scope for CSV and data integrity.
  • Assuming review happened. Without a recorded, mandatory review step, an AI draft can slip into use unchecked, exactly as it did at Purolea.
  • Letting AI define your obligations. A model can omit a requirement and state its answer with full confidence. Process validation was the casualty here.
  • Skipping validation of the tool. An unqualified tool producing GMP content is an unvalidated computerized system.
  • Ignoring data integrity. No audit trail, no version control and no attribution turns a helpful draft into an indefensible record.
  • No written procedure. If AI use is not in an SOP, it is not controlled, and an inspector will treat it that way.

How AI governance lines up with FDA, Health Canada and EU expectations

The reassuring news is that you are not chasing four different rulebooks. Regulators are converging. The FDA applies existing cGMP and a risk-based credibility mindset. Health Canada, with the FDA and the UK MHRA, has backed Good Machine Learning Practice principles and frames AI use as augmentation with a capable human in the loop, not replacement. The European Union is developing Annex 22 and related AI rules around risk-based human oversight and validation. Build one governance framework on human accountability, validation and data integrity, and you will satisfy all three.

Frequently asked questions

Does the FDA prohibit using AI in GMP documentation?

No. The FDA has not banned AI. The Purolea warning letter cited the use of AI-generated documents without Quality Unit review under 21 CFR 211.22(c). AI may assist with document creation, provided a qualified person reviews and approves the output and the record meets cGMP and data integrity expectations.

What was the actual violation in the Purolea case?

The firm used AI agents to create specifications, procedures and production records and used them without further review, which the FDA cited under 21 CFR 211.22(c). A related failure was the absence of process validation before distribution under 21 CFR 211.100, which the company attributed to the AI not flagging the requirement.

Do I need to validate an AI tool used only to draft documents?

If the tool creates, modifies or manages records that support GMP decisions, it falls within computer system validation and electronic record expectations. Apply a risk-based approach such as GAMP 5, scale the validation effort to the GMP impact, and keep the tool under change control.

Does this apply to natural health products, cosmetics and cannabis, or only pharmaceuticals?

It applies broadly. Each sector requires documented, approved procedures and reliable records. Purolea is a reminder that product classification, such as a disease-treatment claim, can pull a company into stricter drug requirements regardless of how it brands itself.

Who is accountable if an AI tool makes an error in a GMP record?

The company and the qualified people responsible for the record. Accountability cannot be delegated to an AI system. The reviewer and approver own the content regardless of how it was drafted.

How do I start governing AI without slowing my team down?

Begin with a short SOP that defines approved uses and a mandatory recorded review step, risk-assess your current AI uses, and validate the highest-impact tools first. A focused governance layer lets you keep the speed while removing the compliance risk.

How MFLRC can help

MFLRC helps regulated companies in pharmaceuticals, natural health products, cosmetics, food and cannabis adopt AI without losing control of their quality systems. Our work in this area includes:

  • AI governance and policy development, including a fit-for-purpose SOP for AI use in GMP documentation
  • Computer system validation (CSV) and 21 CFR Part 11 and Annex 11 readiness for AI and software tools
  • Data integrity assessments against ALCOA+ and audit trail expectations
  • Process validation strategy and protocol review, so requirements are never assumed
  • Gap assessments and inspection readiness reviews ahead of Health Canada and FDA inspections
  • Quality Unit and QAP support, SOP development, and CAPA and root cause analysis coaching

We translate emerging AI expectations into practical, defensible controls that fit how your team actually works.

Conclusion

The first FDA AI warning letter was never really about AI. It was about a company that let a tool stand in for the judgement and accountability that good manufacturing practice has always required. The firms that will use AI well are the ones that treat it as a powerful assistant inside a controlled quality system, with a qualified human approving every output, validated tools, and records that hold up under scrutiny. Do that, and AI becomes a genuine advantage. Skip it, and you inherit the Purolea outcome. The choice, and the accountability, remains yours.
