In December 2025, the Council for International Organizations of Medical Sciences published a report from Working Group XIV on artificial intelligence in pharmacovigilance, following a public consultation draft earlier that year. It sets out a set of principles for how AI should be used across drug safety work: signal detection, case processing, literature screening, and the tasks around them. Read against 21 CFR Part 11, several of those principles turn out to be requirements the FDA has regulated for decades, just described in newer language.
That overlap matters more than it might look like at first glance. Pharmacovigilance teams adopting AI for signal detection, case triage, or literature monitoring are often treating CIOMS XIV as a brand-new compliance problem, when a meaningful part of it is really a Part 11 attribution and audit trail problem wearing a different label. This guide maps the CIOMS framework onto the Part 11 controls that already apply, and covers what an audit trail actually needs to capture when an AI system assists a human reviewer's decision.
Key Takeaways
- CIOMS Working Group XIV's December 2025 report sets out seven guiding principles for AI in pharmacovigilance: a risk-based approach, human oversight, validity and robustness, transparency, data privacy, fairness and equity, and governance and accountability.
- Two of those seven principles map directly onto Part 11 controls. Governance and accountability is operationalized through attribution. Transparency is operationalized through the audit trail.
- The audit trail has to reach the model, not just the case records the model touches. An inspector asking which model version produced a given recommendation needs an answer that survives a model update six months later.
- An AI-assisted PV decision needs its own audit trail fields: model version, the specific output the model produced, the human reviewer's identity, the timestamp of review, and whether the reviewer accepted, modified, or overrode the AI output, with a reason captured for any override.
- None of this replaces the existing Part 11 signature requirements for case reports, safety narratives, or regulatory submissions. It adds a layer of attribution and logging around the AI step that precedes the human's signed decision.
What CIOMS Working Group XIV Actually Published
CIOMS convened Working Group XIV on AI in pharmacovigilance in 2022, drawing on regulators, industry safety scientists, and academics. The group circulated a draft for public consultation in May 2025 and published its final report in December 2025. The report doesn't prescribe specific AI technologies or mandate particular tools. Instead it sets out seven principles meant to guide how AI gets used responsibly across signal detection, case processing, literature screening, and other drug safety functions:
- A risk-based approach. The level of scrutiny an AI system receives should scale with how much it influences a decision and how bad the consequences are if it's wrong.
- Human oversight. A human stays accountable for what the system produces. CIOMS devotes a full chapter to this, and it is where the report draws its distinction between human-in-the-loop oversight, where the decision is the end result of a human-machine interaction, and human-on-the-loop oversight, where the machine decides autonomously and the human monitors.
- Validity and robustness. The model has to perform reliably on real-world data, not just on the data it was trained and tested against.
- Transparency. Enough visibility into how the system reached an output that a human reviewer, and later an inspector, can evaluate it.
- Data privacy. Patient data protections built into the system architecture, not added after the fact.
- Fairness and equity. The system shouldn't produce systematically worse outputs for some patient populations than others.
- Governance and accountability. Clear ownership of the system, its outputs, and the decisions made from those outputs.
The report has been widely received as the first consensus-based international guidance specifically on AI in pharmacovigilance, and it lands at a moment when a lot of PV organizations are already deploying AI for exactly the use cases the report addresses. That timing is why the framework is getting attention beyond the usual regulatory-affairs audience.
Two Principles That Are Already Part 11 Concepts
Of the seven CIOMS principles, two map directly onto controls Part 11 has required for electronic records and signatures for years.
Governance and accountability is an attribution requirement. When an AI system flags a safety signal, scores a case for seriousness, or recommends a coding decision, someone has to be identifiable as the human who reviewed that output and decided what to do with it. That's the same principle behind Part 11's requirement that every electronic signature be attributable to one specific, authenticated individual, never a shared login or a generic system action. CIOMS calls it governance and accountability. Part 11 has enforced it since 1997: Section 11.100(a) makes each electronic signature unique to one individual, never reused or reassigned. Attributable is also the first of the core ALCOA data integrity principles FDA's own guidance anchors to when evaluating any electronic record, AI-assisted or not.
Transparency is an audit trail requirement. The system has to log what the model produced, what the human reviewer did with that output, and when, in a form that survives an inspection years later. That's exactly the function of a Part 11 audit trail under Section 11.10(e): a secure, computer-generated, time-stamped record made independently of the people whose actions it documents. Our guide to Part 11 audit trail review covers what that logging discipline requires in more detail, and the same logic extends cleanly to an AI-assisted PV workflow.
The practical implication is that a PV organization rolling out AI-assisted signal detection under the CIOMS framework doesn't need to invent a new compliance architecture from scratch. It needs a Part 11-grade attribution and audit trail architecture applied to a new type of decision point, not a bolt-on logging feature added after the AI tool is already in production.
What the Audit Trail Needs to Capture for an AI-Assisted PV Decision
A signal detection or case triage record that involves an AI recommendation needs more fields than a purely manual record did. At minimum, the audit trail should capture:
- Model version. Which specific version of the model produced the output, since model behavior changes between versions and an inspector will ask which version was live at the time of a given decision.
- The AI output itself. What the model actually recommended or flagged, preserved exactly as generated, not paraphrased or summarized after the fact.
- Human reviewer identity. The specific, authenticated individual who reviewed the output, captured the same way Part 11 requires for any electronic signature.
- Timestamp of review. A system-generated timestamp, not a field a reviewer can backdate, showing exactly when the review happened relative to when the AI output was generated.
- Disposition: accept, modify, or override. Whether the reviewer accepted the AI output as-is, changed it, or overrode it entirely.
- Reason for override. When a reviewer overrides an AI recommendation, the reason has to be captured as its own attributable entry, not left implicit. A pattern of unexplained overrides is exactly the kind of thing a data integrity review is designed to surface, and it is the natural first question about any workflow where a human can silently discard what the system found.
None of this replaces the signature requirements that already apply to the underlying pharmacovigilance records, the individual case safety report, the periodic safety update, the signal evaluation memo. Those still need Part 11-compliant electronic signatures with captured signature meaning. What this adds is a layer of attribution and logging around the AI step that happens before that signature, so the full decision chain, from model output to human judgment to signed record, is reconstructable during an inspection.
Human-in-the-Loop Versus Human-on-the-Loop: Why the Distinction Changes Your Signature Design
Within its human oversight principle, CIOMS draws a real distinction between two oversight models, and it should change how a PV organization designs its signing and attribution workflow. In human-in-the-loop oversight, the decision is the end result of a human-machine interaction, which is the higher-touch pattern for high-stakes decisions like serious adverse event classification. In human-on-the-loop oversight, the machine makes the decision autonomously and a person monitors the system's performance and intervenes when something looks wrong, which fits lower-risk, high-volume tasks like initial literature screening.
Human-in-the-loop workflows need per-decision attribution: an audit trail entry and, where a predicate rule requires it, a signature tied to each individual reviewed output. Human- on-the-loop workflows need a different kind of record: periodic review logs showing that someone with the right qualifications checked the system's aggregate behavior on a defined schedule, plus an escalation record for any time that oversight caught a problem and intervened. Building the same rigid per-record signature requirement into a human-on-the- loop process creates unnecessary friction without adding real assurance. Applying a loose periodic-review model to a human-in-the-loop process leaves exactly the attribution gap CIOMS is trying to close.
Where This Connects to EU Requirements
GVP Module IX, the EU's signal management guidance, already requires a tracking system that keeps an audit trail of signal management activities, with traceability of the analyses, decisions, and rationale behind every step. That obligation exists today and applies whether or not AI is involved. Running alongside it, the draft EU GMP Annex 22 on artificial intelligence, released for consultation in July 2025 and not yet final, shows where EU regulators are heading on AI validation more broadly: it confines critical applications to static, deterministic models and keeps generative AI out of them entirely. Annex 22 is written for manufacturing rather than pharmacovigilance, so it is not a PV obligation, but the validation posture it describes is the one a PV organization should expect to be held to. CIOMS XIV does not replace the GVP requirements. It sits alongside them, describing the same underlying discipline (validated systems, attributable decisions, durable audit trails) in language aimed at AI specifically. See our EU GMP Annex 22 guide for what the draft asks of a GxP AI system and where it is likely to land.
What to Do Now if You're Deploying AI in a PV Workflow
A few practical steps translate the CIOMS material into something a PV or QA team can actually act on:
- Classify each AI-assisted PV function as human-in-the-loop or human-on-the-loop before deployment, and design the attribution requirement to match.
- Confirm your audit trail captures model version, the raw AI output, reviewer identity, timestamp, disposition, and override reason as separate, attributable fields.
- Extend your existing Part 11 signature architecture to the human decision that follows the AI output, rather than building a separate logging system just for the AI layer.
- Document the validation and qualification steps for the model itself, including its version history and the training data behind each version, alongside your existing computer system validation records.
- Review your periodic audit trail review SOP to include AI-assisted decisions specifically, since a generic review procedure written before AI adoption may not account for override patterns as a distinct thing to check.
Klyverity's audit trail architecture was built around individually attributable, computer-generated logging for regulated life sciences records. That's the same underlying control an AI-assisted pharmacovigilance decision needs: an identifiable reviewer, a tamper-evident timestamp, and a captured record of what happened at each step. If your organization is building out AI-assisted signal detection or case triage and needs the attribution and audit trail layer to hold up under an FDA or EMA inspection, request a demo to see how it's structured.
FAQ
What is CIOMS Working Group XIV?
CIOMS Working Group XIV is a group convened by the Council for International Organizations of Medical Sciences in 2022 to develop guidance on artificial intelligence in pharmacovigilance. It circulated a public consultation draft in May 2025 and published its final report in December 2025, setting out seven guiding principles: a risk-based approach, human oversight, validity and robustness, transparency, data privacy, fairness and equity, and governance and accountability.
Does the CIOMS XIV framework replace 21 CFR Part 11 requirements for pharmacovigilance records?
No. CIOMS XIV addresses how AI should be used responsibly in pharmacovigilance work. It doesn't replace the existing Part 11 requirements for electronic records and signatures on case reports, safety narratives, or regulatory submissions. Two of its principles, governance and accountability, and transparency, map onto Part 11's existing attribution and audit trail requirements, but the underlying signature obligations for PV records are unchanged.
What should an audit trail capture when AI assists a pharmacovigilance decision?
At minimum: the model version that produced the output, the AI output itself preserved exactly as generated, the identity of the human reviewer, a system-generated timestamp for the review, whether the reviewer accepted, modified, or overrode the output, and a captured reason for any override. These fields sit alongside, not instead of, the existing Part 11 signature requirements for the underlying safety record.