EU GMP Annex 22 is the first dedicated GMP guideline for artificial intelligence, in draft consultation during 2026, with an EMA expert workshop running mid-year. Most commentary treats it as a future problem. Read the draft carefully and you find something more immediate: a description of controls you could be inspected against in spirit today, because every expectation in it grows from rules that already bind you.
Nothing in Annex 22 is invented. The data expectations extend Annex 11 and data-integrity guidance. The lifecycle thinking comes from validation practice and ICH Q9(R1). The human-oversight stance mirrors what regulators have said about any system that influences a quality decision. What the draft does is assemble these into a coherent demand: if a model touches GMP, you must be able to show what it is for, what it was trained on, why its risk level is acceptable, and how you would notice it going wrong.
The draft's most consequential distinction is between static or deterministic models, locked after validation, and adaptive or self-learning models that change in use. Static, validated models are acceptable even in critical GxP applications. Adaptive models are restricted, and generative systems belong in non-critical roles under documented human oversight. The practical translation: lock the model, validate it like the system component it is, and control every retraining like a change. If your vendor cannot tell you whether its embedded AI is static or adaptive, that is your first finding, and you found it before the inspector did.
Strip the draft to its verbs and five demands remain. Intended use, written precisely enough that misuse is detectable. Data lineage, because the model's behaviour is its training data. Risk-proportionate validation, with the depth set by impact on product quality and patient safety. Human oversight, with the reviewer's role and accountability defined, since the person who signs an AI-assisted record owns it. And monitoring, because a model's failure mode is silence: confident answers that drift away from reality with nothing flagging the change.
That last one is the cultural shock. Validation in pharma has been an event with a certificate. Annex 22 makes assurance a state you maintain. Decision integrity joins data integrity: for every decision a model shapes, what went in, what came out, who reviewed it and what they decided must be reconstructable.
First, inventory every AI touchpoint in your GxP estate, including features inside vendor platforms; most organisations find two to three times what they expected. Second, classify each one by impact and autonomy, and write the tier down with a signature. Third, ask every quality-relevant vendor the static-or-adaptive question in writing. Fourth, design the decision-integrity record for your highest-tier use case. Fifth, put monitoring on whatever is already live, because pilots that influence GxP records are not pilots.
Organisations that did this work early have already taken AI through Health Authority inspection with zero observations. The draft is not a barrier to AI in GxP. It is the description of how the ones who succeed are already doing it.
Sachin Bhandari advises pharma, biotech, medical device and CDMO organisations on AI in GxP, CSV to CSA and digital validation. The frameworks behind this essay are on the frameworks page, free to download. If Annex 22 is live for you, start with AI in GxP governance and the AI Governance Stack.