Summary

The April 2026 FDA warning letter didn’t invent an AI rule. It applied 21 CFR 211.22(c), a forty-year-old rule, to AI output. A contract manufacturer let AI agents generate specs and production records and released them without Quality Unit review. So the real subject is the review duty the Quality Unit can’t outsource.

The piece then turns to who actually carries the risk: virtual and asset-light sponsors. They hold the license and 100 percent of the liability while their CDMOs run the floor and send records back weeks late, in mixed formats.

The core idea readers take away is the line between AI-assisted (a reviewer checks the output against the source before signing, which is acceptable) and AI-generated (the same content reaches the cGMP record with no real review, which is what FDA cited). It closes by naming the work this creates: proving that distinction on every record, every lot.

When an FDA inspector asked a contract drug manufacturer why it had skipped process validation, the firm gave an answer that has since traveled across the industry: the AI agent never told them it was required. In April 2026, that exchange became the first FDA warning letter widely read as treating AI misuse as a standalone cGMP deficiency. 

Most of the reaction has been about the AI. That is the wrong place to look. The warning letter did not create a new rule for artificial intelligence. It applied an old one. And the lesson it carries lands hardest not on the firm that was cited, but on the sponsors watching from across the contract chain. 

What the April 2026 Warning Letter Actually Cited 

FDA cited a single regulation: 21 CFR 211.22(c). The firm had used AI agents to generate drug specifications, procedures, and master production and control records, then released those documents into use without review by an authorized representative of its Quality Unit. 

Under 21 CFR 211.22, the Quality Unit is the function given independent authority to approve or reject drug products, components, and the procedures and specifications that affect them. Subsection (c) is specific: authorized representatives must approve or reject all procedures and specifications bearing on a drug’s identity, strength, quality, and purity. Nothing in the regulation carves out an exception for output generated by software, a statistical model, or an AI agent. The warning letter applied the regulation as written.

That matters because the rule predates generative AI by four decades. Read alongside FDA’s 2023 discussion paper on AI in manufacturing and the January 2026 FDA-EMA guiding principles, the warning letter completes a sequence the agency has been signaling for years: education, then expectation, then enforcement. 

Figure: From signal to enforcement. 2023: FDA discussion paper on AI in drug manufacturing (education). January 2026: FDA-EMA guiding principles on the use of AI (expectation). April 2026: first warning letter citing 21 CFR 211.22(c) (enforcement). Each step raised the standard for AI output in a regulated record.
The FDA’s path on AI in drug manufacturing: education, expectation, then enforcement.

Enforcement is no longer subtle. Between July and early December 2025, FDA issued 327 warning letters, a 73 percent increase over the same period in 2024, according to Reed Smith’s analysis of enforcement trends. The April letter sits at the leading edge of that pattern, not outside it. For two years the agency signaled that AI output would be held to the same standard as any other input to a regulated record. This is where the signaling became enforcement.

Why the Lesson Is Not About AI 

FDA did not reject AI. It rejected blind reliance. The failure at the cited firm was not that it deployed an AI agent. It was that the firm treated the agent’s output as judgment and signed that output into the regulated record without the Quality Unit doing its job. 

Industry commentary has settled on a useful phrase for what happened: the firm inherited the gap the AI carried. When you use AI without governance, its knowledge limits and its confident-but-wrong regulatory awareness become your regulatory exposure. The cited firm inherited a gap and then signed the inheritance into a cGMP record. A Quality Unit that needs its tools to volunteer regulatory awareness has already stopped exercising its own. 

This is not an edge case. In an analysis of FDA warning letters from 2018 through 2022, 21 CFR 211.22(d) was the second most-cited regulation, with 525 citations, according to The FDA Group. When FDA finds a regulated firm in trouble, the Quality Unit’s procedures are usually near the center of the finding. Adding ungoverned AI to that picture does not change the pattern. It accelerates it. 

Where the Sponsor Sits in the Contract Chain 

Figure: Where the sponsor sits. The sponsor, a virtual or asset-light pharma company, holds the IP and the regulatory license and carries 100% of the regulatory liability. Production is contracted out to a contract manufacturing network (CDMO A: paper and scanned PDFs; CDMO B: free-text deviations; CDMO C: inconsistent CoA layouts). Records return days to weeks later, and formats differ. Quality agreements assign responsibilities. Liability stays with the license.
Responsibilities can be contracted out. The regulatory liability stays where the license sits.

“We’re responsible for the product. We just don’t see it until weeks after it was made.” That is how one sponsor-side QA leader described the operating model most of modern biotech now runs on, and it is exactly the condition the warning letter penalizes. 

A virtual or asset-light pharmaceutical company owns the intellectual property and holds the regulatory license, but it does not run the manufacturing floor. Production is contracted to one or more CDMOs, and 100 percent of the regulatory liability for what those contractors do still rests with the sponsor. Quality agreements assign responsibilities; they do not transfer liability. Final accountability sits where the license sits. 

Day to day, that means batch records arrive as scanned PDFs or paper, days or weeks after execution, in formats that differ by partner. Certificates of analysis come in inconsistent layouts. Deviation narratives arrive as free text. Each partner formats its records differently, which turns even basic reconciliation into manual work. Practitioners call the experience flying blind, and they do not mean it as a complaint. By the time a sponsor’s reviewer sees the data, the run is long over. 

Now add AI. When a CDMO uses generative AI to draft a batch record or summarize a deviation, it quietly adds an authorship layer to a document the sponsor’s Quality Unit is legally obligated to review. If the quality agreement is silent on AI, the sponsor inherits that gap wholesale, and most quality agreements signed even two years ago never asked the question. Because of that, a sponsor often cannot say, on demand, whether AI touched a given record at all. Distance from the activity does not dilute the obligation. It concentrates the risk. 

AI-Assisted vs. AI-Generated: The Line a Quality Unit Cannot Blur 

A line runs through the warning letter that it never quite names, and learning to see it is the most useful thing a Quality Unit can take from the case. AI-assisted activity is AI drafting content that an authorized Quality Unit representative then evaluates for substance, against the source data and the applicable requirement, before signing. This is AI as a complement to the Quality Unit. AI-generated activity is that same content reaching the cGMP record without the review. This is AI as a substitute for it. The first is acceptable under 21 CFR 211.22(c). The second is the failure mode FDA cited. 

What decides the classification is not where the technology sits. It is where the human judgment sits. A tool marketed as a “copilot” still produces AI-generated artifacts if the reviewer signs without checking substance, and a tool marketed as “autonomous” can produce AI-assisted ones if the protocol forces a substantive check first. A reviewer who signs because the document looks complete has performed a decorative review; a reviewer who checks the substance against the source has performed a real one. The label does not control the classification. The protocol around the tool does. And the line crosses the contract boundary unchanged: an AI-drafted deviation report flowing from a CDMO into the sponsor’s eQMS without sponsor-side review is an AI-generated artifact in the sponsor’s quality system. 

Figure: AI-assisted or AI-generated. AI drafts a spec, batch record, or deviation report. Does the Quality Unit check substance against the source? Yes (substantive review): AI-assisted, where an authorized reviewer evaluates the output against the source data and the requirement before signing; acceptable under 21 CFR 211.22(c). No (review skipped): AI-generated, where the same content reaches the cGMP record without a substantive review; the failure mode FDA cited. Where the human judgment sits decides the classification.
One act of substantive review separates an acceptable record from the failure mode the FDA cited.

Hallucination in a cGMP record 

A hallucination is fluent, confident output that is factually wrong. In a regulated record it takes a specific shape: a complete-looking specification or deviation narrative that quietly omits a requirement the document was meant to satisfy. Stanford’s RegLab found that leading models hallucinated on specific legal queries at rates between 69 and 88 percent, even with retrieval augmentation. Legal and cGMP queries share a dependence on citing the right authority, which is why QA managers describe the problem the same way: it writes a beautiful SOP, it just doesn’t know what it doesn’t know. 

Automation bias 

Automation bias is the documented tendency to defer to a system that looks competent, even when it is wrong. The more polished the output, the less scrutiny it draws. A substantive review protocol exists to interrupt that reflex before it reaches a signed record. Control belongs in the protocol, not in the reviewer’s good intentions. 

The Obligation Is Yours 

Knowing the difference between AI-assisted and AI-generated is one thing. Proving it across every specification, batch record, deviation, and certificate of analysis your CDMOs send you, on every lot, is another. That is the actual work the warning letter created for sponsors.


Frequently Asked Questions

The April 2026 FDA warning letter was significant because it demonstrated that existing GMP regulations already apply to AI-generated content. Rather than creating a new AI-specific rule, FDA enforced 21 CFR 211.22(c), citing a firm’s failure to have Quality Unit representatives review and approve AI-generated specifications, procedures, and production records before use.
Yes, FDA does not prohibit the use of AI in pharmaceutical manufacturing. However, AI-generated outputs that become part of a regulated GMP record must be reviewed and approved by the Quality Unit. The agency’s concern is not the use of AI itself but the absence of appropriate human oversight and governance.
21 CFR 211.22(c) requires authorized Quality Unit personnel to review and approve procedures, specifications, and records that affect a drug’s identity, strength, quality, or purity. This requirement applies regardless of whether the content was created by a human, software application, or AI system.
AI-assisted content is reviewed substantively by a qualified human reviewer before being approved and added to a GMP record. AI-generated content, by contrast, enters the regulated record without meaningful human review. FDA’s enforcement focus is on preventing AI from replacing Quality Unit judgment rather than supporting it.
Virtual and asset-light sponsors retain regulatory responsibility even when manufacturing activities are outsourced to CDMOs. Because batch records, deviations, and quality documents are often received after production is complete, sponsors may have limited visibility into whether AI was used during document creation. This creates governance challenges and increases compliance risk.
Sponsors should establish AI disclosure requirements within quality agreements, conduct supplier audits, and implement governance processes that identify AI-assisted content in GMP records. Effective oversight requires both contractual controls and operational mechanisms to detect AI use across the contract manufacturing network.
Quality Unit review ensures that AI-generated content is verified against source data, regulatory requirements, and approved procedures before it becomes part of the official record. Without this review, organizations risk introducing inaccurate, incomplete, or non-compliant information into GMP documentation, potentially leading to regulatory findings.
Companies should maintain a documented inventory of AI use cases, establish clear review and approval workflows, validate AI-related processes where appropriate, and retain audit trails showing how AI-assisted records were reviewed. Inspectors are increasingly focused on governance, accountability, and evidence of human oversight rather than simply whether AI was used.