The FDA Just Issued Its First Warning Letter for AI Misuse in CGMP Documentation: Here’s What Happened

And What Pharmaceutical Manufacturers Must Do Right Now to Stay Compliant

The pharmaceutical industry has been watching artificial intelligence transform documentation workflows at a remarkable pace. AI tools are now being deployed to draft standard operating procedures, generate product specifications, and build master production records, all in the name of efficiency and regulatory readiness. But on April 2, 2026, the U.S. Food and Drug Administration drew a very clear line in the sand.

Also Read: GDP Compliance for Cold Chain Logistics: Updated Requirements and Audit Checklist

Key facts about this landmark enforcement action:

• The FDA issued a warning letter with a dedicated section titled “Inappropriate Use of Artificial Intelligence in Pharmaceutical Manufacturing,” treating AI misuse as its own stand-alone CGMP deficiency for the very first time.
• The warning letter was directed at Purolea Cosmetics Lab, a Michigan-based drug manufacturer
• The violations spanned AI-generated documentation, process validation failures, and insanitary manufacturing conditions
• This case has set a binding regulatory precedent that will shape how inspectors globally approach AI governance in GMP environments

This was not just another enforcement letter. It was a regulatory milestone that sent shockwaves through pharmaceutical manufacturing, CDMOs, and life sciences compliance teams worldwide. If your organisation is using AI in any part of your GMP documentation process, whether SOPs, batch records, product specifications, or validation protocols, this case demands your immediate attention.

What Happened: The Purolea Cosmetics Lab Case

Purolea Cosmetics Lab, LLC is a California-based private-label manufacturer of skincare and homeopathic products. During a routine inspection conducted October 28 to 30, 2025, by FDA’s Detroit District, the facility was producing over-the-counter homeopathic remedies marketed under labels such as “Dermveda Extra Strength Shingles Relief” and “Dermveda Extra Strength Ultra Genital Herpes Relief.”

What investigators found was far from routine:

• The company had deployed AI agents to create critical quality documents including drug product specifications, standard operating procedures, and master production and control records.
• The firm’s stated goal was to use AI to help achieve FDA compliance, an intention that backfired significantly
• AI-generated documents were being used directly in the quality system without any formal human review or validation
• When FDA investigators informed the company that they had not conducted required process validation before distributing drug products, company representatives responded that they were not aware of this legal requirement because the AI agent never told them it was required.

That single statement encapsulates the core problem and the core lesson for the entire pharmaceutical and life sciences sector. Delegating regulatory awareness to an algorithm is not a compliance strategy. It is a compliance failure.

The Specific Regulatory Violations Cited

The FDA cited two distinct failures. The first was a violation of 21 CFR 211.22(c) where the firm’s quality unit failed to review the AI-generated documents to ensure they were accurate and compliant with CGMP. The second was a violation of 21 CFR 211.100 where process validation had not been conducted before distribution.

Here is a full breakdown of every compliance failure identified:

• Quality Unit oversight failure (21 CFR 211.22(c)): AI-generated SOPs, specifications, and master production records were used without adequate review or formal sign-off by a qualified person. The QU’s responsibility to approve quality-affecting documents does not disappear because an algorithm produced them.
• Process validation failure (21 CFR 211.100): Drug products were distributed before process validation was completed, one of the most foundational requirements in the entire CGMP framework. The firm’s defence that the AI had not flagged this requirement was not accepted.
• Insanitary facility conditions: During the inspection, an investigator observed the presence of insects, dirt, leaves, and clutter in several areas throughout the facility, and the company did not have sufficient measures in place to prevent contamination from both internal and external sources.
• Unapproved drug products: Products intended to treat shingles and genital herpes were being sold without an approved New Drug Application, a serious regulatory breach compounding the AI-related failures.
• No accountability chain: There was no qualified person taking documented responsibility for the accuracy of any AI-generated compliance documentation within the quality system.
• Regulatory knowledge delegation: The firm demonstrated a pattern of relying on the AI tool not just for document drafting but for understanding which regulations applied and when, an entirely indefensible compliance position.

What the FDA Actually Said

The language in the warning letter is instructive for every quality professional, regulatory affairs manager, and compliance officer in the life sciences sector.

• The FDA stated that if AI is used as an aid in document creation, the firm must review the AI-generated documents to ensure they are accurate and actually compliant with CGMP, and that failure to do so is a violation of 21 CFR 211.22(c).
• Any output or recommendations from an AI agent must be reviewed and cleared by an authorised human representative of the firm’s Quality Unit in accordance with section 501(a)(2)(B) of the FD&C Act.
• The FDA views AI as an aid rather than a replacement for human judgement, and treating AI as the final authority on documentation within manufacturing operations can lead to gaps in regulatory compliance and product safety.
• Reliance on AI is not a defence against regulatory violations, and this warning letter sends an unambiguous message that firms cannot hide regulatory lapses behind automation.
• The Quality Unit’s accountability is non-delegable. No tool, algorithm, or automated agent can absorb that professional and legal responsibility.

This Did Not Come Out of Nowhere: The Regulatory Build-Up

This enforcement action is the logical culmination of years of regulatory signalling that many manufacturers failed to act upon. The FDA has been building toward this through CDER’s March 2023 discussion paper on AI in drug manufacturing, the January 2025 draft guidance introducing a seven-step credibility assessment framework for AI used in regulatory decision-making, a February 2025 warning letter to Exer Labs for marketing an AI-based device without the proper regulatory pathway, and January 2026’s Guiding Principles of Good AI Practice in Drug Development.

Internationally, the regulatory landscape has been moving in parallel:

• The FDA and the European Medicines Agency issued joint Good AI Practice principles, signalling cross-jurisdictional alignment on AI governance expectations for drug development and manufacturing.
• The International Society for Pharmaceutical Engineering released the GAMP Guide for AI in GxP-Regulated Systems in July 2025, extending the established GAMP framework to AI use specifically.
• The draft EU Annex 22 went through public consultation in 2025 and if finalised will become the EU’s first GMP-specific AI annex, with generative AI and large language models treated more restrictively than narrow deterministic AI systems.
• MHRA, EMA, and other major regulators are actively monitoring how AI governance is being codified globally, using FDA enforcement actions as reference points for their own inspection frameworks.

The direction of travel is consistent across every major regulatory authority: AI is a tool to support human decision-making, never a substitute for qualified professional judgement.

Why This Matters Beyond the USA

While this warning letter was issued under U.S. 21 CFR Parts 210 and 211, its implications extend far beyond American shores.

• Although this warning letter was in a drug manufacturing context, the logic applies to any regulated activity where AI is used, including clinical trials, labelling, pharmacovigilance, and regulatory submissions.
• UK-based manufacturers operating under MHRA GMP guidelines should treat this as a direct signal of how AI-related inspection findings will be assessed domestically.
• Organisations pursuing EU GMP certification or Marketing Authorisation in Europe need to align their AI governance practices with the emerging EU Annex 22 framework now, not after finalisation.
• CDMOs and contract testing laboratories face compounded risk because their documentation failures can affect multiple client programmes simultaneously.
• Pharmacovigilance teams using AI to assist in signal detection, periodic safety reporting, or EU QPPV activities must ensure every AI-generated output is subject to formal qualified person review before regulatory submission or action.
• Life sciences organisations operating across the UK, EU, UAE, and USA face multi-jurisdictional exposure if AI governance gaps go unaddressed before the next inspection cycle.

What Pharmaceutical Manufacturers Must Do Now

The Purolea case provides a clear and actionable framework for any organisation currently using or planning to integrate AI into CGMP-related activities. Organisations that treat this as a compliance upgrade opportunity rather than a reactive crisis will be significantly better positioned in their next inspection cycle.

• Conduct an AI inventory audit: Map every point in your quality system where AI tools are generating or influencing GMP-critical content, including SOPs, batch records, deviation investigations, change controls, validation protocols, and product specifications.
• Establish a formal human-in-the-loop mandate: Every AI-generated document or recommendation that enters the quality system must be reviewed, verified, and formally signed off by a qualified person. This process must itself be procedurally documented and auditable.
• Train your Quality Unit on AI governance: QU personnel need to understand both what AI tools can produce and where they characteristically fail, particularly around regulatory knowledge gaps and jurisdiction-specific requirements.
• Validate AI tools used in GxP environments: Treat AI tools as computerised systems subject to validation requirements under 21 CFR Part 11 and GAMP 5 guidelines. General-purpose consumer AI models are not pre-validated for pharmaceutical use.
• Maintain full and auditable AI trails: Document which AI tool was used, when, by whom, what input was provided, and what human review was formally applied to each output. This documentation will be requested during inspections.
• Never delegate regulatory awareness to AI: Process validation requirements, NDA obligations, pharmacovigilance reporting timelines, and other statutory duties must be understood and managed by qualified personnel, not assumed to be flagged automatically by software.
• Review CDMO and vendor contracts: If AI tools are being used by third-party organisations supporting your supply chain, ensure responsibility for output review and regulatory accuracy is explicitly assigned and cannot be transferred to the technology provider.
• Update your Quality Management System: Your QMS documentation should now explicitly address how AI tools are governed, approved for use, validated, and monitored within all CGMP activities.

The Broader Principle: AI as an Aid, Not an Authority

AI can be a drafting aid, but CGMP still treats the controlled output as the firm’s responsibility. A misdrafted SOP is still a misdrafted SOP whether a human drafted it from scratch or accepted it from an AI agent without review. The Quality Unit’s responsibility is identical in both cases.

This principle will only become more entrenched as regulators globally shift from issuing guidance to conducting enforcement actions. The Purolea case is the opening chapter of a much longer story about how AI governance in pharmaceutical manufacturing will be scrutinised during regulatory inspections. Key principles to carry forward:

• AI tools in GMP settings are regulated like any other computerised system and require validation, change control, and documented oversight.
• The Quality Unit cannot outsource its accountability to any technology regardless of how sophisticated that technology is.
• Inspection readiness now explicitly includes AI readiness, and investigators will ask which tools are in use, how outputs are reviewed, and what validation evidence exists.
• Regulatory ignorance enabled by AI reliance is not a mitigating factor. It is itself a compliance failure.
• The same accountability expectations apply whether AI is used in manufacturing, pharmacovigilance, clinical documentation, or regulatory submissions.

How Quality Vigilance Ltd Can Help

Navigating AI governance in regulated pharmaceutical environments requires specialists who understand the specific intersection of GMP frameworks, pharmacovigilance obligations, and rapidly evolving regulatory expectations. Quality Vigilance Ltd supports organisations across the full compliance lifecycle:

• AI-in-GMP gap assessments to identify where AI tools are operating outside adequate oversight frameworks within your quality system
• Quality Unit oversight framework development to ensure AI-generated documentation meets standards required under 21 CFR 211.22, EU GMP Annex 11, and MHRA expectations
• Pharmacovigilance system review for organisations using AI in signal detection, ICSR processing, or PSUR preparation
• Inspection readiness support for MHRA, EMA, and FDA inspections, including AI governance documentation and mock inspection preparation
• SOP and QMS development tailored to GxP-compliant AI use, covering validation, change control, and vendor qualification

In a compliance environment where the FDA has formally treated AI misuse as a named CGMP deficiency, the question is no longer whether your organisation needs a structured AI governance framework. The question is whether you have one that will survive regulatory scrutiny. Quality Vigilance Ltd ensures that it will.