
EU GMP Annex 22: AI Governance in GxP Systems — What Pharma Needs to Know

EMA is developing EU GMP Annex 22 as a dedicated companion to the Annex 11 revision, specifically governing AI and algorithmic systems in GxP environments. This guide covers what Annex 22 will require: AI attribution in audit trails, algorithm versioning, human oversight documentation, training data traceability, and how this aligns with FDA's parallel AI framework. Updated June 2026 alongside the Annex 11 finalization window.

Klyverity Team

EMA is developing EU GMP Annex 22 as a dedicated companion document to the revised Annex 11, focused entirely on AI and algorithmic systems used in GxP environments. While the 2025 Annex 11 draft already introduces AI attribution obligations in Clause 16, Annex 22 goes substantially further: it addresses the validation of AI models, training data governance, algorithmic accountability, and the specific audit trail fields that GxP systems using AI must capture. For pharmaceutical manufacturers, biotech companies, and clinical operations teams that have already adopted or are evaluating AI-assisted workflows, Annex 22 will create binding obligations before most organizations have had a chance to prepare.

What You Need to Know

  • Annex 22 is a new standalone EU GMP document governing AI in GxP systems, developed alongside the Annex 11 revision.
  • Annex 11 Clause 16 (2025 draft) introduces the core AI attribution requirement; Annex 22 expands it into a full governance framework.
  • Key obligations: AI attribution in audit trails, algorithm versioning, human oversight documentation, training data traceability.
  • Any AI tool that affects a regulated record must be treated as a distinct system actor, not just a software feature.
  • The FDA-EMA AI alignment work from 2025-2026 means US-regulated organizations will face comparable expectations on both sides of the Atlantic.
  • Organizations using AI in batch release, quality risk management, or clinical data management should begin gap assessments now.

What Is EU GMP Annex 22?

EU GMP Annex 22 is a new standalone guidance document being developed by EMA specifically to govern AI and algorithmic systems operating within GxP computerized environments. It is not part of the Annex 11 text itself. Rather, the two documents are designed to work together: Annex 11 governs the broader computerized systems framework (validation, access controls, audit trails, electronic signatures), and Annex 22 provides the dedicated regulatory layer for AI and machine learning components layered into those systems.

The rationale for a separate document is straightforward. The 2011 Annex 11 predates the widespread adoption of AI in pharmaceutical manufacturing and clinical research by more than a decade. Even the 2025 draft revision of Annex 11 addresses AI only at Clause 16, which is a relatively brief provision. Annex 22 is intended to provide the depth of guidance that a genuinely AI-specific regulatory framework requires: how to validate an AI model before deploying it in a GxP context, what training data documentation looks like, how to handle model updates without re-triggering full revalidation, and what the audit trail must capture when an AI system influences a regulated decision.

No firm publication date for Annex 22 is confirmed. The document is expected to publish in proximity to the finalized Annex 11, which EMA described as expected in mid-2026 as of the most recent communications. Given the interdependency, organizations should treat the two as a coordinated release.

Annex 11 Clause 16 and Annex 22: How They Work Together

The 2025 Annex 11 draft Clause 16 establishes the baseline AI attribution requirement. Any AI-generated or AI-recommended action that affects a regulated record must be attributable to both the algorithm (version, training dataset, validation status) and the human who reviewed and approved the outcome. The AI's role in producing the recommendation must be logged as a separate event from the human's approval signature. That separation is the core principle.

Annex 22 builds on Clause 16 by specifying what the validation of that AI component must look like, what documentation the algorithm's training data requires, how model updates are handled over time, and how organizations demonstrate that a human reviewer had sufficient information to exercise genuine oversight rather than rubber-stamping an algorithmic output. In short, Clause 16 tells you what to log; Annex 22 tells you how to build and govern the system that generates those logs.

For organizations already assessing their readiness for the Annex 11 revision, the Clause 16 analysis is the natural starting point. If you have AI-assisted workflows touching regulated records and you cannot currently separate the AI recommendation event from the human approval event in your audit trail, that is the first gap to close regardless of when Annex 22 is finalized. For the full Clause 16 context and the broader Annex 11 revision, see our EU GMP Annex 11 2025 draft guide.

What Annex 22 Will Require: Key Governance Obligations

Based on the Annex 22 draft framework and the Clause 16 baseline from the Annex 11 revision, the core governance obligations fall into four categories.

AI System Validation

An AI model deployed in a GxP context requires validation documentation analogous to what Annex 11 requires for traditional computerized systems, but adapted to AI-specific risk factors. This includes: a prospective risk assessment of what happens when the model produces an incorrect output; a defined acceptable performance threshold and the test set used to verify it; a documented validation protocol and report; and a change control procedure that covers model retraining and version updates. The standard IQ/OQ/PQ framework still applies to the system housing the AI, but the model itself requires a separate validation track. For more on how the underlying validation framework works, see our IQ/OQ/PQ validation guide.

Training Data Traceability

The data used to train or fine-tune a GxP AI model is a regulated record under Annex 22. The organization must be able to identify which training dataset was used for a given model version, when that dataset was collected, and whether the data came from the organization's own systems or an external source. For AI models trained on external or publicly available data, supplier qualification obligations under Annex 11 Clause 3 extend to the data source. This is one of the more operationally demanding aspects of Annex 22 for organizations that have adopted commercially built AI tools without full visibility into the training data provenance.

Human Oversight Documentation

Annex 22 requires that human oversight of AI outputs be demonstrable, not assumed. The audit trail must capture the AI's recommendation, the human reviewer's decision, and whether the human deviated from the AI recommendation. Deviation from the AI output must be documented with a reason. Acceptance of the AI output must also appear as an affirmative human decision, not a silent approval by inaction. The goal is to make clear from the audit record that a qualified person applied professional judgment, rather than the AI system making a binding decision autonomously.

Algorithm Versioning and Change Control

Every AI-influenced regulatory decision must be traceable to the specific version of the algorithm that produced it. Model updates (retraining, hyperparameter adjustment, architecture changes) must go through change control before deployment in a GxP environment. Post-deployment, the audit trail must link each AI-assisted decision to the version that was active at the time. For models that are updated frequently, this creates a versioning discipline similar to software validation change control under the existing CSA framework — but with the added complexity that model performance can drift over time even with no code change.

AI Attribution in Audit Trails: The Core Requirement

The audit trail requirement that flows from Clause 16 and Annex 22 is the most directly actionable obligation for organizations assessing their current systems. For any AI-assisted action on a regulated record, the audit trail must capture at minimum:

  • Algorithm identifier and version — which model made the recommendation
  • Training dataset reference — which version of the training data was used
  • Validation status at time of use — whether the model was deployed as validated
  • The AI output — what the algorithm actually recommended
  • Human reviewer identity — who reviewed the AI output
  • Human decision — accepted, modified, or rejected
  • Reason for deviation — if the human deviated from the AI recommendation
  • Timestamp — when the AI action and human decision each occurred

Most current GxP audit trail implementations capture only the human decision. The AI attribution fields are net-new requirements that will need to be built or configured before Annex 22 takes effect. Organizations should assess their current audit trail architecture against this field list now, because retrofitting it after finalization is more disruptive than designing for it in advance. The broader audit trail obligations that Annex 11 introduces are covered in our audit trail requirements guide.
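The field list above, turned into a gap check over an exported audit trail, as an added example (not Klyverity's code and not a schema published by EMA). Event names, field names and the timestamp-ordering check are assumptions of this example, the sample records are constructed, and each record is assumed to carry at most one event of each type.

```python
from datetime import datetime

# Field names are assumptions for this example; map them to your own schema.
REQUIRED = {
    "ai_recommendation": ("algorithm_id", "algorithm_version", "training_dataset_ref",
                          "validation_status", "ai_output", "timestamp"),
    "human_decision": ("reviewer_id", "decision", "timestamp"),
}

def find_attribution_gaps(events):
    """Return sorted (record_id, gap) pairs for an exported audit trail."""
    by_record, gaps = {}, []
    for ev in events:
        by_record.setdefault(ev["record_id"], {})[ev["event_type"]] = ev
    for rid, evs in by_record.items():
        for kind, fields in REQUIRED.items():
            if kind not in evs:  # AI and human actions must be separate events
                gaps.append((rid, f"no {kind} event"))
                continue
            for f in fields:
                if not str(evs[kind].get(f) or "").strip():
                    gaps.append((rid, f"{kind} missing {f}"))
        human, ai = evs.get("human_decision", {}), evs.get("ai_recommendation", {})
        decision = human.get("decision")
        if decision in ("modified", "rejected") and not human.get("deviation_reason"):
            gaps.append((rid, "deviation without reason"))
        # Consistency check added in this example: review cannot precede the output.
        if ai.get("timestamp") and human.get("timestamp"):
            if datetime.fromisoformat(human["timestamp"]) < datetime.fromisoformat(ai["timestamp"]):
                gaps.append((rid, "human decision predates AI recommendation"))
    return sorted(gaps)

# Constructed sample export (not real data).
SAMPLE = [
    {"record_id": "BR-001", "event_type": "ai_recommendation", "algorithm_id": "anomaly-model",
     "algorithm_version": "2.3.1", "training_dataset_ref": "ds-2026-01",
     "validation_status": "validated", "ai_output": "accept", "timestamp": "2026-06-01T09:00:00+00:00"},
    {"record_id": "BR-001", "event_type": "human_decision", "reviewer_id": "qp.jones",
     "decision": "accepted", "timestamp": "2026-06-01T09:12:00+00:00"},
    {"record_id": "BR-002", "event_type": "ai_recommendation", "algorithm_id": "anomaly-model",
     "algorithm_version": "2.3.1", "training_dataset_ref": "",
     "validation_status": "validated", "ai_output": "accept", "timestamp": "2026-06-01T10:00:00+00:00"},
    {"record_id": "BR-002", "event_type": "human_decision", "reviewer_id": "qp.jones",
     "decision": "rejected", "timestamp": "2026-06-01T10:05:00+00:00"},
    {"record_id": "BR-003", "event_type": "human_decision", "reviewer_id": "qp.lee",
     "decision": "accepted", "timestamp": "2026-06-01T11:00:00+00:00"},
]
```

BR-003 in the sample is the pattern the paragraph above describes as typical today: a human decision with no AI recommendation event behind it.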

How This Compares to FDA's Approach to AI

FDA has been developing its AI in regulated industries framework in parallel with the EMA Annex 22 work. The 2025 FDA-EMA joint guidance on AI in pharmaceutical manufacturing established areas of intended alignment between the two regulators, which means the practical gap between FDA and EU compliance on AI is narrower than historical regulatory divergence might suggest.

The core FDA requirements for AI in GxP contexts — human oversight, algorithm transparency, change control for model updates, and attribution of AI-assisted decisions in the audit trail — align closely with what Annex 22 is codifying for EU purposes. The main divergence is in the specificity and enforceability of the EU framework. EMA is adopting explicit regulatory text; FDA is currently operating through guidance documents with more principles-based language. That makes the EU framework the higher bar in practical terms, but organizations building for Annex 22 compliance will find themselves well-positioned for FDA expectations simultaneously.

For a detailed comparison of the two frameworks, see our Part 11 vs Annex 11 comparison guide.

Who Annex 22 Affects and When

Annex 22 applies to any organization using AI in a GxP computerized system under EU GMP jurisdiction. The highest-priority use cases include:

  • AI-assisted batch release — models that flag anomalies or recommend accept/reject decisions for manufactured lots
  • Computerized quality risk management — algorithms that score supplier quality signals or assess process risks
  • Algorithmic deviation detection — systems that identify out-of-specification events in manufacturing data
  • Clinical data management — AI tools used in EU clinical trials under CTR 536/2014 that flag query-worthy data patterns
  • Process analytical technology (PAT) — AI-driven real-time release testing models

Organizations that are currently using any of these tools and cannot satisfy the Annex 22 AI attribution requirements for those systems should treat this as a gap that needs a remediation plan, not a future consideration. The transition period after Annex 22 publication will likely mirror the Annex 11 window (12 to 18 months), which means organizations that start assessments now will have time to remediate before enforcement begins.

Supplier Qualification Implication

If your AI tool is a commercially supplied product (not internally built), Annex 11 Clause 3 supplier qualification obligations apply to the AI vendor. You will need audit rights, access to validation documentation, and evidence that the vendor's model versioning and change control processes are compatible with your GxP obligations. Evaluating this before signing a contract is significantly easier than trying to obtain it retroactively. See our Annex 11 Clause 3 supplier qualification guide for the documentation framework.

Practical Preparation for Annex 22

While the final text is still pending, the Clause 16 obligations from the Annex 11 2025 draft and the emerging Annex 22 framework are clear enough to begin preparation. The practical steps:

  • Inventory every AI tool in use across GxP workflows and confirm whether each one touches regulated records.
  • For each tool, assess whether the current audit trail captures the AI attribution fields listed above. Most will not.
  • Confirm with each AI vendor whether their system supports the audit trail fields Annex 22 will require. Evaluate contract terms for audit access rights and validation documentation availability.
  • Begin building the validation documentation for AI components now, starting with the highest-risk use cases (batch release decisions, deviation detection).
  • Review your ALCOA+ data integrity framework for AI-generated data: is the AI-generated output attributable to a specific algorithm version and timestamped independently from the human decision? For the ALCOA+ context, see our ALCOA+ data integrity guide.
  • Track EMA's Annex 22 publication schedule alongside the Annex 11 finalization. The two documents may be released together.

Klyverity captures electronic signature audit trails that are field-extensible for AI attribution logging, enforces MFA at signing as Annex 11 Clause 12.1 will require, and is tracking both Annex 11 and Annex 22 finalization. If you're assessing platform readiness for the combined Annex 11 and Annex 22 framework, visit the compliance page to see how Klyverity maps to each.
