"AI is arriving, and no one can tell me how to validate something that learns." Governance is the answer, and it has to come before the first model goes live.
Traditional CSV assumes four things: a fixed expected result, a system that stays put, behaviour that is independent of data, and failure that is visible. AI breaks all four. Results are probabilistic, the model can change, behaviour depends on training data, and failure is often silent. The guidance is still catching up, the Annex 22 (AI) draft is in consultation, and you are being asked to approve deployments anyway.
Governance precedes validation. The AI Governance Stack builds from the bottom up: the regulatory spine (Annex 11, the draft Annex 22, 21 CFR Part 11, FDA CSA, the FDA-EMA principles), then a reference architecture covering data, model, workflow, record and audit trail, then four-tier risk classification, then a governance operating model with an AI Governance Board and clear decision rights, then a model-specific validation master plan, and at the top, monitoring for drift, performance and human oversight.
The most consequential hour in an AI system's life is its classification. Get the tier right and every downstream control follows. I bring that judgment from having sat on the regulator side of the draft.
Decision integrity is the new layer on top of data integrity. Classify first; monitoring is not optional, because AI does not stay put and failure can be silent.
EU GMP Annex 22 (AI) draft FDA CSA, final and updated Annex 11 21 CFR Part 11 ISPE AI Maturity Model
I build to where these rules are heading, so the governance you stand up now still holds when the drafts are finalised.
Yes. Under the draft EU GMP Annex 22, static or deterministic AI models that are locked and validated are acceptable even in critical GxP applications. Adaptive and generative models are restricted to non-critical uses with documented human oversight. The work is in classification, validation to the right risk tier, and monitoring.
EU GMP Annex 22 is the first dedicated GMP guideline for artificial intelligence, in draft consultation during 2026. It sets expectations for validating AI in manufacturing and quality: intended use, data and model lifecycle controls, human oversight, and ongoing monitoring.
Classify the use case first on impact and autonomy, then validate to that tier: training-data lineage, intended use, model-specific test evidence, human-in-the-loop review, and a monitoring plan for drift. Decision-integrity records, capturing input, output, reviewer and disposition, are what inspectors ask to see. Done this way, AI in live GxP quality has passed Health Authority inspection with zero observations.
Take the AI-in-GxP Readiness Index, or book a conversation.
Book a discussion Take the readiness index