Presentation - Operating Agents in GMP Quality
Regulatory Expectations for AI Agents in GMP
Scenario 1: The New "Game Changer" Agent
A QxAIOps Workshop Scenario
The production team has developed a new AI agent that automatically reviews batch manufacturing records to identify potential GMP deviations. They would like to deploy the agent within the next month and believe this will significantly improve productivity and reduce review backlog.
They claim the system will:
Reduce QA Review Time
By 70% through automated review of batch manufacturing records
Automatically Flag Issues
Missing entries, calculation errors, and out-of-range results
Provide Compliance Summary
A summary of potential compliance issues for QA review
What the Production Team Tells You
During the meeting they explain:
  • The agent was built using Microsoft Copilot Studio.
  • It reviews PDF exports of batch records.
  • It was tested on 10 historical records and "worked well".
  • The prompts include reference SOPs to help guide the AI.
  • QA will still make the final decision, so they believe validation is minimal.
They ask QA to approve rollout.

Your Challenge: As the Quality group reviewing this proposal — what questions do you ask before approving this agent for GxP use? Consider: Inputs · Governance · Validation / assurance · Human oversight · Documentation · Risk management
Mapping Scenario Issues to QxAIOps Principles
This scenario contains a number of subtle compliance traps designed to trigger the right discussions. Below are the first four issues mapped to their relevant QxAIOps principles.
Issue 1
Uncontrolled SOP Versions Provided to the Agent
Examples include: Draft SOP · Superseded SOP · Uncontrolled training document
Relevant Principle — Controlled Inputs: AI must only operate on controlled, approved documents. AI cannot determine document validity, and an incorrect SOP leads to incorrect reasoning.
Secondary Principle — Quality System Governance: Controlled document management must remain inside the QMS.
Issue 2
Batch Records Provided as PDF Exports
Examples include: Exported PDF instead of system-of-record · Potential loss of metadata
Relevant Principle — Controlled Inputs: Inputs must originate from a trusted system of record. QA should ask: Are PDFs complete? Is the export validated? Can records be altered?
Secondary Principle — Transparent Outputs and Traceability: Traceability requires knowing exactly what data was analysed.
Issue 3
Insufficient Testing ("We Tried It on 10 Records")
Examples include: Limited testing · No performance metrics
Relevant Principle — Quality System Governance: AI-assisted processes must be risk-assessed and justified. QA should ask: What was the evaluation method? Were known deviations included? What was the miss rate?
Issue 4
The Agent Summarises Compliance Issues
Examples include: Agent interprets GMP compliance · May infer regulatory conclusions
Relevant Principle — Contextual Reasoning Task Alignment: AI is suitable for pattern recognition, comparison, and anomaly detection. AI is not appropriate for making compliance decisions. This is where scope must be clearly defined.
Issues 5–8: Governance, Change Control & Human Oversight
The following four issues address the organisational and procedural gaps that arise when AI agents are deployed without adequate governance structures in place.
Issue 5
Production Built the Agent
Examples include: Developed by operations team · QA asked to approve after development
Relevant Principle — AI is a Worker to be Governed: Every agent must have an owner, defined responsibilities, and controlled deployment. QA governance must exist before operational use.
Issue 6
SOP Updates Could Break the Agent
Examples include: Prompt references SOP text · SOP changes without agent update
Relevant Principle — Quality System Governance: Prompt logic tied to SOPs must be subject to change control. QA must ask: What happens when the SOP changes?
Issue 7
Ambiguous Human Review
Example: "QA will still make the final decision" — this is a common but vague reassurance.
Relevant Principle — Human Verification is Mandatory: Verification must be explicit, documented, and meaningful. Humans must review the reasoning, not just the summary.
Issue 8
No Clear Definition of Agent Scope
Examples include: Is it checking calculations? Detecting missing data? Interpreting GMP compliance?
Relevant Principle — Define Intended Use and Scope: The agent must have clearly defined tasks, boundaries, and known limitations.
Workshop Effectiveness: What Makes This Scenario Work
This is a very good scenario starter. It creates the right psychological setup: excitement from the business vs caution from QA. What will make the workshop effective is giving participants just enough detail to analyse, without telling them the answer.
The scenario includes a number of subtle compliance traps mapped across eight issues and their corresponding QxAIOps principles:
01
Controlled Inputs
Uncontrolled SOP versions and PDF exports instead of system-of-record data
02
Quality System Governance
Insufficient testing on only 10 records, no performance metrics, and SOP change control gaps
03
Contextual Reasoning Task Alignment
Agent summarising compliance issues — a task beyond appropriate AI scope
04
AI is a Worker to be Governed
Production-built agent with no defined owner, responsibilities, or controlled deployment
05
Human Verification is Mandatory
Vague reassurance that "QA will still make the final decision" without explicit, documented, meaningful review
06
Define Intended Use and Scope
No clear definition of whether the agent checks calculations, detects missing data, or interprets GMP compliance

Key Takeaway: The right questions to ask before approving this agent for GxP use span inputs, governance, validation and assurance, human oversight, documentation, and risk management. The scenario is designed so that participants surface these issues themselves — not be told the answers.