AI in regulated workflows

- A recent FDA warning letter highlighted that AI used in regulated (GxP) environments must meet validation and documentation requirements.
- The letter stressed AI is not exempt from validation, auditability, or required records for quality systems.
- Life‑sciences archiving rules overlap with FDA, EMA, EHDS and NIS2, increasing traceability and recordkeeping expectations for any health product that later supports clinical workflows (complianceg.com) (docbyte.com).

Artificial intelligence can draft a procedure in seconds, but in a Food and Drug Administration-regulated workflow it still has to pass the same checks as any human-written record. The agency’s April 2026 warning-letter language tied AI-generated quality documents back to existing current good manufacturing practice duties, not a new AI carveout. (fda.gov)

In drug manufacturing, the rule is older than the chatbot boom: the quality control unit must approve or reject procedures and specifications that affect product identity, strength, quality, and purity, and those responsibilities must be written down. That duty sits in 21 CFR 211.22(c) and (d), the same regulation FDA cites in routine manufacturing cases. (ecfr.gov)

Electronic records follow a second set of rules. Under 21 CFR Part 11, FDA treats digital records and signatures as equivalent to paper only if the systems and controls make them trustworthy, reliable, and hard to repudiate. (ecfr.gov)

That is the practical issue with large language models in regulated work: they generate text fluently, but they do not automatically show which source was used, which version produced the answer, or whether a reviewer checked every line. FDA’s 2018 data-integrity guidance says firms should expect all data to be reliable and accurate and should manage integrity risks with controls matched to the process. (fda.gov)

FDA has also moved beyond general data integrity language into explicit AI guidance. Its guidance on using artificial intelligence to support regulatory decision-making for drugs and biologics says sponsors using AI-generated information for safety, effectiveness, or quality decisions should address model credibility, data quality, and documentation. (fda.gov)

The recordkeeping burden does not stop at the United States border. The European Health Data Space regulation was published in the Official Journal on March 5, 2025 and entered into force on March 26, 2025, starting a phased rollout for cross-border health-data use and electronic health record interoperability in the European Union. (health.ec.europa.eu)

The European Medicines Agency updated its records-management and archives policy effective April 15, 2025. The policy says records created or received by the agency must be managed through their full lifecycle regardless of format, location, or hosting system, which is the same direction many life-sciences companies are now being pushed to follow internally. (ema.europa.eu)

Cybersecurity rules are tightening at the same time. The European Union’s NIS2 directive requires cybersecurity risk-management measures and incident-reporting obligations for covered entities in critical sectors, adding another layer of controls around systems that store or move regulated health data. (eur-lex.europa.eu)

For companies building AI into quality, manufacturing, or clinical operations, the compliance question is now less “Can we use AI?” than “Can we prove what it did, who reviewed it, and which record was final?” FDA’s April 2026 enforcement language landed in a system where validation, audit trails, signatures, retention, and security rules were already on the books. (fda.gov)
