Is Your Organization Ready for AI Inspection?


young scientists working in laboratory

Inspecting AI is not new to regulators. The expectations are already well-established. The key question is whether your organization can reliably demonstrate them.

Written by Tracy Hibbs and Tony Sacchetti, Waters Corporation

Exploring artificial intelligence (AI) and machine learning (ML) in regulated laboratories governed by Current Good Manufacturing Practices (CGMP) may be new for your organization. Inspecting AI is not new to regulators. If we look at FDA, for example, use of AI/ML-enabled medical device authorizations have grown sharply since 2018, as shown in the chart below.1,2

blog 2 fig 1
blog 2 fig 2

Regulatory expectations: The fundamentals remain

As an industry, we have discussed AI regulation for years, while regulators have moved quickly to address rapid technological change. The fundamentals remain unchanged: data integrity, data governance, and risk management continue to underpin AI oversight, and inspectors are placing even greater scrutiny on these core principles.

The foundational guidance used daily and incorporated into your Pharmaceutical Quality System (PQS) remains unchanged. ICH Q9(R1) Quality Risk Management3 and PIC/S Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments4 continue to anchor responsible use. Newer papers and draft guidance extend that foundation specifically to AI, including EMA Annex 225 and the FDA and EMA jointly issued Guiding Principles of Good AI Practice in Drug Development.6

Between them, there is more than enough guidance to inform a responsible AI adoption strategy. For a wider view of the regulatory landscape, read our blog, “AI in GMP: Navigating Evolving Expectations for Regulated Labs.”


Enforcement is not theoretical

Inspections and authorizations to date have leveraged existing regulations and finalized guidance. Regulatory actions have leveraged the same. The FDA published multiple warning letters referencing AI from 2023 to 2026, and an April 2026 CGMP warning letter was the first to cite inappropriate use of AI as a stand-alone CGMP deficiency.7


Citing 21 CFR 211.22(c) 8 and the responsibilities of the quality control unit, the warning letter message is direct: if AI is used to support CGMP activities, recommendations and outputs from AI agents must be reviewed and cleared by an authorized human representative of your quality unit (QU).


Quality unit responsibility is not reduced when AI is involved

Accountability remains unchanged. Leveraging AI assistance does not reduce the obligation of your qualified personnel. It is critical that your QU knows where AI is leveraged across your organization. If this visibility does not exist today, building it should be an immediate priority.

Your supply chain partners are also in scope. Contract development and manufacturing organizations (CDMOs) and contract testing labs operate as extensions of the manufacturer, and inspectors continue to treat them that way. If a contract organization uses AI to draft batch records, specifications, or SOPs without governance, the risk transfers to the sponsor. Quality agreements and supplier audits now need to address AI use explicitly: permitted applications, human oversight requirements, audit rights, and evidence expectations.


Your AI is rated whether you have formally rated it or not

The draft FDA9 framework provides a practical way to assess regulatory burden. The complexity of the AI system and its impact on product quality define the category, the intersection signals the oversight required. This principle is consistent across guidance: oversight must be commensurate with risk to product quality and patient safety.

Looking at risk categories, expectations vary:

CategoryExpectation
MinimalDocumentation only, basic oversight.
LowBasic validation, routine monitoring.
MediumEnhanced validation and continuous monitoring.
HighComprehensive validation and regulatory oversight.
CriticalFull regulatory pre-approval.

An unclassified AI system is not an unregulated one. Inspectors will assign a category whether your organization has or not, and they will expect controls and evidence to match.


There are expectations in your inspections

If an inspector were to audit you tomorrow, could you answer each of these five questions with confidence and documented evidence?

  1. Where is AI used in your CGMP/GxP workflows today, and at what risk tier?
  2. Who reviews and approves AI-generated outputs, and what is the documented evidence?
  3. How is your training data separated from your validation and test data?
  4. How do you detect data drift and model performance degradation in production?
  5. What is your AI literacy plan and your agentic AI governance for staff?

Where does a state of control break down?

Demonstrating a state of control is essential in regulated labs. With AI in use, the demonstration could potentially falter in several predictable ways. Each of the patterns below maps to one of the five inspector questions above:

bloog 2 fig 3

The time to be ready is now

Now is the moment to assess your readiness for AI adoption under evolving global regulations. Whether you are exploring AI for the first time or scaling existing capabilities, alignment with regulatory expectations unlocks AI’s full potential, without compromising product quality or patient safety.

Connect with one of our experts to help assess your readiness for AI and for AI inspections.


References

  1. Innolitics 510(k) Year-in-Review (2025)
  2. Imaging Wire · FDA AI/ML Device list (December 2025)
  3. ICH Q9(R1) Quality Risk Management
  4. PIC/S PI 041-1, Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments
  5. EMA Annex 22 (Draft 2025)
  6. FDA and EMA Guiding Principles of Good AI Practice in Drug Development (January 2026)
  7. FDA Warning Letter 722591 (April 2026)
  8. United States Code of Federal Regulations 21 CFR 211.22
  9. FDA Considerations for the Use of Artificial Intelligence To Support Regulatory Decision-Making for Drug and Biological Products, AI/ML Risk Classification Framework (Draft January 2025)

Additional Resources