FDA's First AI Warning Letter: What the Purolea Case Means for Your Quality Unit

Executive Summary

On 2 April 2026, the United States Food and Drug Administration (FDA) issued Warning Letter 320-26-58 to Purolea Cosmetics Lab, a drug manufacturer in Livonia, Michigan. It is the first FDA warning letter to name the inappropriate use of artificial intelligence (AI) as a cGMP deficiency. The firm used AI agents to write its drug specifications, procedures, and master production and control records, then released those AI-generated documents into manufacturing without human review. The FDA called this a violation of 21 CFR 211.22(c). When investigators noted that the company had skipped process validation, the firm replied that it was unaware of the requirement because its AI agent had never flagged it.

The lesson is not that AI is prohibited in a GMP environment. The lesson is that your Quality Unit (QU) remains fully accountable for everything AI produces. AI is an aid, not a decision-maker. Every AI output that touches a cGMP activity must be reviewed and cleared by an authorised human in your Quality Unit. This article breaks down what happened, the exact regulations involved, how the FDA position converges with the European Union's draft Annex 22, and a practical AI governance playbook your Quality Unit can put in place before your next inspection.

Introduction

For two years, the conversation about AI in pharmaceutical and life sciences manufacturing has been about promise. Faster document drafting, smarter trending, predictive maintenance, automated deviation triage. Regulators talked in principles. Industry talked in pilots. Then, on 2 April 2026, the conversation changed. The FDA stopped describing AI risk in the abstract and named it in an enforcement action.

The Purolea Cosmetics Lab warning letter is now the reference point every Quality Assurance Manager, QAP, and regulatory leader needs to understand. It is short on AI theory and long on consequences. It tells us precisely how the FDA frames AI under existing cGMP law, which regulation it reaches for, and what it expects a Quality Unit to do differently.

This is a defining moment because it removes the excuse that the rules for AI do not exist yet. The FDA's message is the opposite. The rules already exist. They are in 21 CFR Parts 210 and 211, and they apply to an AI-generated document exactly as they apply to a document written by a person. If your firm uses AI to support any cGMP activity, the Purolea case is your early warning, and your opportunity to get ahead of the inspection.

What Happened: The Purolea Warning Letter at a Glance

Purolea Cosmetics Lab manufactured homeopathic drug products, including products labelled to treat shingles and genital herpes. The FDA inspected the facility from 28 to 30 October 2025 and issued the warning letter on 2 April 2026 from the Center for Drug Evaluation and Research (CDER). The firm has since ceased drug production. Here is the case in brief.

Detail	What the record shows
Warning letter reference	320-26-58 (MARCS-CMS 722591)
Date issued	2 April 2026
Recipient	Purolea Cosmetics Lab, Livonia, Michigan
Issuing office	CDER, Office of Compliance
Inspection dates	28 to 30 October 2025
Products	Homeopathic drug products (shingles and genital herpes claims)
AI-related citation	21 CFR 211.22(c), inappropriate use of AI in document creation
Related failure	No process validation before distribution (21 CFR 211.100)
Other major findings	Insanitary conditions, microbiological and component testing gaps, Quality Unit oversight failures, unapproved new drugs
Current status	Firm has ceased drug production

The AI finding did not stand alone. It sat inside a broader pattern of quality system collapse. That context matters, because it shows how AI overreliance and weak quality fundamentals reinforce each other.

Why This Warning Letter Is a Regulatory First

What is significant here? This is the first time the FDA has cited the misuse of AI as a named cGMP deficiency in a warning letter. Earlier FDA commentary on AI lived in draft guidance and discussion papers. This is enforcement, applied to a real facility, under binding regulation.

Why does it matter? A warning letter is a public, citable statement of the FDA's interpretation of the law. Competitors and consultants can publish legal recaps, but the document itself now anchors how every inspector can frame AI use during a drug cGMP inspection. It converts a policy debate into an inspection expectation.

What should companies do? Treat AI tools used in GMP as systems that fall squarely within your existing quality system. That means documented intended use, validation appropriate to risk, human review of outputs, and a clear record of who approved what. If you cannot show an inspector the human decision behind an AI output, you are exposed.

The Exact Violation: 21 CFR 211.22(c) and the Quality Unit

To understand the case, you need to understand the regulation the FDA used. 21 CFR 211.22 establishes the responsibilities of the Quality Control Unit, often called the Quality Unit. It is one of the foundational provisions of US drug cGMP.

Section 211.22(c) states that the Quality Unit shall have the responsibility for approving or rejecting all procedures or specifications that affect the identity, strength, quality, and purity of the drug product. In plain terms, the Quality Unit owns the specifications and procedures. The Quality Unit must approve them. The Quality Unit cannot delegate that judgment to a tool.

Purolea used AI to generate specifications, procedures, and master production and control records, and then used those documents without the Quality Unit verifying that they were accurate and actually compliant with cGMP. The FDA's reasoning is direct. If you use AI as an aid in document creation, you must review the AI-generated documents to confirm they are correct and compliant. The failure to do so is the 211.22(c) violation.

This is the heart of the case. The FDA did not invent a new AI rule. It applied a long-standing Quality Unit responsibility to a new tool. The same logic that prevents you from copying a competitor's SOP without review prevents you from accepting an AI draft without review.

The AI Never Told Us: The Process Validation Failure

The most quoted moment in the warning letter is also the most instructive. FDA investigators found that Purolea had not conducted process validation before distributing its drug products, a requirement under 21 CFR 211.100. When the FDA pointed this out, the firm replied that it was not aware of the legal requirement because the AI agent it used had never told it that validation was necessary.

This single exchange captures the core risk of AI overreliance. The company treated the AI as the authority on what the law required. The AI did not surface the obligation, so the obligation was never met. The firm outsourced not just the drafting of documents but the judgment about which documents and activities the law demands.

21 CFR 211.100 requires written procedures for production and process control designed to assure that drug products have the identity, strength, quality, and purity they purport to possess. Process validation is not optional, and it is not obscure. It is one of the most established expectations in drug manufacturing. An AI tool that does not know your regulatory obligations cannot be your compliance program. It can only be one input into a program that humans own.

The deeper lesson for Quality leaders is about the limits of large language models. Generative AI predicts plausible text. It does not carry a verified, current, jurisdiction-specific map of your regulatory obligations unless that map has been built, validated, and maintained. Treating a general purpose AI agent as a regulatory oracle is a data integrity and competence failure waiting to be cited.

The Full Pattern: Other cGMP Violations Cited

AI was the headline, but the warning letter documents a wider breakdown. Understanding the full picture helps Quality teams see how AI overreliance tends to travel with other weaknesses rather than appearing in isolation.

Area cited	Regulation	What went wrong
Insanitary conditions	Section 501(a)(2)(A) FD&C Act	Insects, filth, leaves, and clutter; a docking bay door exposed manufacturing to the outside
Microbiological testing	21 CFR 211.165(b)	Finished products released without testing for objectionable microorganisms
Component testing	21 CFR 211.84(d)	Components not tested for identity and quality; reliance on supplier certificates without verification
Quality Unit oversight	21 CFR 211.22	Procedures not established or followed; batch records not reviewed before release; inadequate controls
AI document creation	21 CFR 211.22(c)	AI-generated specifications, procedures, and records used without Quality Unit review
Process validation	21 CFR 211.100	No process validation before distribution
Unapproved new drugs	Sections 505(a), 301(d) FD&C Act	Disease-treatment claims with no approved application in effect

The FDA also recommended that, if the firm resumes operations, it engage a qualified consultant under 21 CFR 211.34 and complete a comprehensive six-system audit. That recommendation is a useful signal for any firm worried about AI governance. An independent, expert review of your quality systems is exactly the corrective the agency points to.

What the FDA Actually Expects: Human-in-the-Loop

Strip the case down and the expectation is simple. The FDA stated that, if Purolea resumes drug production and uses AI to help with cGMP activities such as developing procedures and specifications, any output or recommendation from an AI agent must be reviewed and cleared by an authorised human representative of the firm's Quality Unit, in line with section 501(a)(2)(B) of the FD&C Act.

This is the human-in-the-loop principle, and it is the single most important takeaway. The phrase describes a control where a qualified person reviews, challenges, and approves an AI output before it has any effect. The human is not a formality. The human is the accountable decision-maker, and the record must show that the review happened and who performed it.

Human-in-the-loop is not satisfied by a person clicking accept. It requires that the reviewer has the competence to evaluate the output, the information needed to judge it, and the authority to reject it. For a Quality Unit, that means trained reviewers, defined acceptance criteria, and documentation that captures the review decision. If an inspector asks how an AI-drafted specification was verified, you should be able to point to a named reviewer, a dated approval, and the basis for the decision.

The Cross-Border Picture: EU Annex 22 and ICH Convergence

The Purolea case does not exist in a vacuum. Regulators on both sides of the Atlantic are converging on the same principle, which makes this a cross-border compliance issue for any firm that exports.

In the European Union, a draft Annex 22 to the EudraLex Volume 4 GMP guidelines addresses artificial intelligence in GMP manufacturing. The draft sets out a risk-based framework covering intended use, validation, lifecycle management, explainability, and human oversight. It distinguishes between critical and non-critical applications, and it limits generative AI and large language models to non-critical uses such as documentation support, with documented human oversight at each decision point. The direction of travel is identical to the FDA's position. AI is acceptable as a controlled, validated, human-supervised aid, and unacceptable as an unchecked decision-maker.

The same theme runs through the FDA's broader thinking on AI used to support regulatory decisions, and through the International Council for Harmonisation (ICH) move toward quality-by-design and risk-proportionate thinking in ICH E6(R3). It also connects to the data integrity and computerised system expectations in the EU GMP Annex 11 revision and the FDA's own 2026 distributed manufacturing and AI/ML quality agenda. A firm that builds AI governance to satisfy the FDA's Quality Unit expectation will be most of the way to satisfying the EU as well. Build once, defend everywhere.

Theme	FDA position (Purolea)	EU draft Annex 22
Core principle	AI is an aid; the Quality Unit approves outputs	Risk-based framework with human oversight
Human review	Required for all AI outputs in cGMP activities	Human-in-the-loop required, scaled to risk
Generative AI and LLMs	Outputs must be verified and approved by the Quality Unit	Limited to non-critical uses with documented oversight
Validation	AI tools fall within existing cGMP and CSV expectations	Explicit validation, lifecycle, and monitoring
Accountability	Named human in the Quality Unit	Defined human oversight at each decision point

An AI Governance Playbook for Your Quality Unit

The good news is that you do not need a new quality system for AI. You need to extend the one you already have. The following steps translate the Purolea lesson into action.

Build an AI inventory. List every place AI touches a GMP activity, from document drafting and deviation triage to trending, environmental monitoring analysis, and supplier screening. You cannot govern what you have not mapped.
Define intended use for each AI tool. Write down what the tool is meant to do, what it is not meant to do, and which cGMP records it can influence. Intended use is the anchor for validation and for human review.
Classify by risk. Separate critical applications, where an error could affect product quality or patient safety, from non-critical applications such as internal drafting. Reserve generative AI for lower-risk, fully supervised uses.
Validate the tool through computer system validation (CSV). Treat AI systems as computerised systems. Establish requirements, qualify the system against them, challenge it with representative data, and document the evidence. Revalidate when the model or its data change.
Mandate human-in-the-loop review. For every AI output that enters a cGMP record, require a qualified Quality Unit reviewer to verify, challenge, and approve it. Capture the reviewer, the date, and the basis for the decision.
Protect data integrity. Apply ALCOA+ to AI inputs and outputs. Records must be attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available. Maintain audit trails that show the human review.
Write the SOP. Create a governing SOP for AI use that covers intended use, risk classification, validation, review and approval, change control, and training. This is the document an inspector will ask to see first.
Train the Quality Unit. Reviewers must be competent to evaluate AI outputs, including knowing the failure modes of generative models such as fabricated content and missing obligations. Training records close the loop.

AI use in a GMP setting	Primary risk	Required Quality Unit control
Drafting SOPs and specifications	Inaccurate or non-compliant content	Human review and 211.22(c) approval before use
Generating master production records	Errors propagate to every batch	Verification against process knowledge; QU approval
Identifying regulatory requirements	Missed obligations, as in Purolea	Human regulatory assessment; never rely on AI alone
Deviation or trend analysis	Misclassification, biased outputs	Qualified review of conclusions; documented rationale
Supplier or component screening	Unverified data accepted	Independent verification; supplier qualification

Computer System Validation for AI Tools

The Purolea case is, at its core, a validation failure dressed as an AI story. The firm deployed a system that influenced cGMP records without validating it and without controlling its outputs. Computer system validation (CSV) is the discipline that prevents this.

For an AI tool, CSV starts with a clear statement of intended use and a risk assessment. From there, you define user and functional requirements, qualify the system against them, and challenge it with data that represents real conditions, including edge cases where a model is likely to fail. Because many AI systems change as their models and training data evolve, your validation must include a lifecycle plan that defines when revalidation is triggered. A static validation of a system that quietly updates itself is not validation at all.

CSV for AI also has to address explainability and the audit trail. You should be able to show why a system produced a given output and demonstrate that a human reviewed it. Where a model cannot be fully explained, the compensating control is stronger human oversight, narrower intended use, and restriction to non-critical applications. This is exactly the line the FDA and the EU draft Annex 22 are drawing.

Data Integrity and AI

Every AI output that enters a GMP record is data, and the FDA holds data to the ALCOA+ standard. AI complicates data integrity in three ways. First, generative models can fabricate content that looks authoritative, which threatens accuracy. Second, AI outputs can be regenerated, which threatens the original and contemporaneous principles unless you capture and lock the approved version. Third, automated systems can act without a clear human fingerprint, which threatens attributability.

The control set is familiar to any data integrity program. Lock the approved output as the official record. Maintain an audit trail that captures generation and the subsequent human review. Record who approved the output and when. Prevent uncontrolled regeneration of records that have already been approved. If you already run a mature data integrity program, you are extending it to a new source. If you do not, the Purolea case is a strong argument for building one now.

AI in GMP Compliance Checklist

Use this checklist to test your readiness against the expectations the Purolea case makes explicit.

We maintain a current inventory of every AI tool that touches a GMP activity.
Each AI tool has a documented intended use and a risk classification.
Generative AI and large language models are restricted to non-critical, fully supervised uses.
Every AI output that enters a cGMP record is reviewed and approved by a qualified Quality Unit member.
AI tools that influence cGMP records are validated through computer system validation.
Our validation includes a lifecycle plan with defined revalidation triggers.
AI inputs and outputs meet ALCOA+ data integrity expectations, with audit trails.
A governing SOP defines AI intended use, validation, review, change control, and training.
Quality Unit reviewers are trained on AI failure modes, including fabricated content and missed obligations.
We never rely on an AI tool to tell us what the law requires.

Common Mistakes to Avoid

Treating AI as a decision-maker. The single error at the centre of Purolea. AI drafts and suggests. Humans in the Quality Unit decide and approve.
Assuming AI knows your regulatory obligations. A general purpose AI agent does not hold a validated map of your obligations. Relying on it to flag requirements such as process validation is how firms miss the basics.
Skipping validation because it is just a tool. A tool that shapes cGMP records is a computerised system. It needs validation proportionate to its risk.
Using generative AI for critical applications. Both the FDA position and the EU draft Annex 22 push generative AI toward non-critical, supervised uses. Critical quality decisions need stronger controls.
Leaving no audit trail. If you cannot show who reviewed an AI output and when, you cannot defend it. Document the human decision every time.
Waiting for AI-specific regulations. The Purolea case proves that existing cGMP already applies. Waiting is not a strategy; it is exposure.

Frequently Asked Questions

Is the FDA banning AI in pharmaceutical manufacturing?

No. The FDA did not prohibit AI. It confirmed that AI outputs used in cGMP activities must be reviewed and approved by an authorised human in the Quality Unit. AI is permitted as a controlled, validated, supervised aid.

What regulation did the FDA cite for the AI violation?

The FDA cited 21 CFR 211.22(c), the Quality Unit's responsibility to approve or reject procedures and specifications that affect drug product quality. It also referenced 21 CFR 211.100 for the related process validation failure and section 501(a)(2)(B) of the FD&C Act.

What does human-in-the-loop mean in a GMP context?

It means a qualified person reviews, challenges, and approves an AI output before it has any effect on a cGMP record. The reviewer must be competent, informed, and authorised to reject the output, and the review must be documented.

Do we need to validate AI tools used only for drafting documents?

If the drafted documents become or influence cGMP records, yes. The level of validation should be proportionate to risk, but the tool falls within computer system validation expectations and its outputs require Quality Unit review.

How does the EU draft Annex 22 relate to the FDA position?

Both require human oversight of AI and treat generative AI as suitable mainly for non-critical, supervised uses. Building governance to meet the FDA's Quality Unit expectation positions you well for the EU framework, which supports cross-border market access.

Can we use a large language model to write SOPs?

You can use it as a drafting aid, provided the output is verified for accuracy and cGMP compliance and approved by the Quality Unit under 211.22(c). You cannot treat the model's output as ready to use without that human review.

What is the first thing an inspector will ask about our AI use?

Expect questions about your governing SOP, your inventory of AI tools, the intended use and validation of each tool, and the records showing human review and approval of AI outputs. Be ready to name the reviewer behind any AI-influenced document.

We are a Canadian or international firm. Does this affect us?

Yes, if you sell into the United States or the European Union, or aspire to. The FDA inspects foreign establishments, and the EU draft Annex 22 sets parallel expectations. AI governance is now part of market access, not a domestic-only concern.

How MFLRC Can Help

MFLRC helps regulated manufacturers put the Purolea lesson into practice before it becomes an inspection finding. Our work is grounded in more than twenty years of Quality Assurance, Quality Control, and Regulatory Affairs experience across pharmaceuticals, natural health products, cannabis, food, and medical devices.

We support clients with computer system validation and pharmaceutical validation services for AI and computerised systems, including validation master planning, requirements definition, and lifecycle revalidation strategy. Our quality assurance services cover AI governance and SOP development, Quality Unit training, and data integrity gap assessments that map your AI use against ALCOA+ and 21 CFR 211.22. Through our audit services, we run mock FDA inspections, supplier qualification reviews, and gap analyses that test your AI controls the way an inspector would. Our regulatory affairs and licensing support keeps your interpretation of FDA, EU, and ICH expectations accurate and defensible across borders.

Book an AI-Governance and CSV Readiness Assessment

Conclusion

The Purolea warning letter is a small case with a large message. A modest homeopathic manufacturer used AI to run its compliance, skipped the human judgment that cGMP requires, and became the example the whole industry will now study. The FDA did not need a new AI regulation to act. It reached for 21 CFR 211.22(c), the same Quality Unit responsibility that has governed drug manufacturing for decades, and applied it to a new tool.

The takeaway for every CEO, Quality Assurance Manager, and QAP is steady and clear. Use AI to work faster, but never let it decide. Keep your Quality Unit accountable for every output. Validate your tools, document your reviews, and protect your data integrity. Do that, and AI becomes a genuine advantage rather than a citation waiting to happen. The firms that govern AI well will not only pass inspection. They will earn the trust that lets them scale.

Sources and References

FDA Warning Letter 320-26-58, Purolea Cosmetics Lab, 2 April 2026: fda.gov
21 CFR 211.22, Responsibilities of the quality control unit: ecfr.gov
21 CFR 211.100, Written procedures; deviations: ecfr.gov
FDA, Quality Systems Approach to Pharmaceutical CGMP Regulations: fda.gov
FDA, Microbiological Quality Considerations in Non-sterile Drug Manufacturing: fda.gov
European Commission, EudraLex Volume 4 GMP guidelines (draft Annex 22 on AI): health.ec.europa.eu