Annex 22: Making AI work in a Good Practice (GxP) environment

1 From AI ambition to compliance

Over the last few years, AI in pharma has moved beyond proof-of-concept. AI-enabled systems are already used for tasks such as automated visual inspection, advanced analytics for process optimisation, deviation detection, and maintenance decisions, particularly in environments with good level of data availability and automation potential.

Regulation is now catching up. The EU AI Act provides obligations for AI across sectors, using a risk classification framework to identify many pharma manufacturing applications as “high-risk” because they can affect product quality and patient safety. It also enforces data governance, transparency, and human oversight obligations. However, the AI Act is intentionally technology-and sector-agnostic. It does not explain how these principles should be applied within an existing GMP framework that was written with more traditional computerised systems in mind.

This is where the EudraLex Volume 4 - Annex 22 comes in. It is developed to stay current and keep up with the rapid technological evolution, providing a framework and guidance for AI in Good Manufacturing Practice (GMP) space. It sets clear boundaries for how AI may be used in GMP by effectively limiting which models and use cases are acceptable today. In doing so, it translates high-level AI obligations into concrete expectations that quality, IT, and operations teams can implement within their GxP environment.

For pharmaceutical leaders, the question is no longer whether AI will be regulated, but how to turn those regulatory developments into practical operating model that protects patients, satisfies inspectors, and still allows AI to deliver business value.

Figure 1 – Key milestones for the EU AI Act and Annex 22/11, and what they mean for pharma

Following consultation in 2025, the final guidelines of Annex 22 and Annex 11 are anticipated around mid-2026. In parallel, the EU AI Act is progressively being enforced, with obligations for high-risk and limited-risk AI systems applying as of August 2026. For pharma drug developers, the period between now and the full application of high-risk AI obligations is the window to map AI use across the organisation, assess exposure under the AI Act, and embed Annex 22-aligned controls into their GxP and quality systems.

2 What Annex 22 is (and isn’t) trying to do

The new Annex 22 focusses on the use of AI and machine learning models in the manufacturing of active substances and medicinal products. It targets models that support or automate GxP relevant decisions and activities, and that are integrated into the computerised system landscape governed by Annex 11. Annex 22 does not create a separate “AI compliance universe”. Instead, it clarifies how well known GMP principles – documented intended use, validation, change control, and ongoing monitoring – apply when part of the decision logic is implemented as an AI model that behaves deterministically and does not change autonomously once deployed. It allows deterministic, static models for GMP critical applications and excludes generative AI and models with probabilistic output. Within these boundaries, Annex 22 expects companies to demonstrate control over how models are selected, trained, validated, deployed, and monitored throughout their operational life, with retraining treated as a significant change that can trigger revalidation.

Figure 2: The EU AI Act defines horizontal obligations for all high-risk AI systems across sectors.

In pharma, Annex 11 provides the foundational GMP expectations for all GxP computerised systems. The new Annex 22 sits at their intersection. It explains how AI specific principles, such as intended use, data governance, validation, and ongoing monitoring, should be applied to AI and machine learning models in a GxP environment.

3 Practical implications: what pharma leaders should focus on now

Most pharma organisations already have a mix of AI pilots and production deployments in place. Annex 22 acts as a lens that reveals how mature the supporting processes really are.

We see four near-term priorities:

3.1 Establish a clear view of where AI already touches GxP

Many companies lack a consolidated inventory of AI models used in or around manufacturing and quality. A basic but rigorous mapping of use cases, their intended use, data sources, and criticality is a prerequisite for any Annex 22 readiness effort.

3.2 Extend existing CSV and quality frameworks to cover AI-specific elements

Current Annex 11 computerised systems validation (CSV) procedures typically do not address model training data, sample-space definitions, explainability artefacts, or confidence thresholds. Instead of reinventing everything, organisations can integrate these elements into existing SOPs, templates, and review processes.

3.3 Strengthen collaboration between data science, QA, IT, and operations

Annex 22 implicitly requires joint ownership. Data scientists alone can’t define intended use or acceptance criteria; quality assurance (QA) can’t validate models without understanding their behaviour; IT can’t operate systems without clear visibility of model dependencies. Roles, responsibilities, and governance need to reflect that.

3.4 Build operational monitoring capabilities, not just validation packages

Many AI initiatives focus heavily on initial testing and documentation but have limited monitoring once models are live. Annex 22 expects structured, evidence-based monitoring – including clear triggers for human overview or retraining when conditions change.

These are not just compliance activities. Done well, they reduce operational risk, increase transparency, and make scaling AI easier.

Figure 3: Core model level controls under Annex 22.

Annex 22 translates AI principles into concrete expectations for individual models in a GxP setting. It requires clearly defined intended use and boundaries between AI recommendations and human judgement, robust validation on representative datasets, and sufficient explainability for users to understand why a given case or sample was prioritised or classified. It also embeds mandatory human oversight at critical decision points, continuous lifecycle management through monitoring and retraining triggers, and explicit restrictions on certain AI approaches (e.g. fully autonomous or continuously self-learning models) in high impact use cases.

4 How PwC can help you operationalise Annex 22 – and go beyond minimal compliance

PwC helps pharma and biotech companies turn Annex 22 into a practical way of working rather than a one-off compliance exercise.

We start with an Annex 22 readiness assessment, mapping AI use cases, checking how they align with Annex 22 and the EU AI Act, and identifying the most critical processes, documentation, and governance gaps. Based on this, we work with organisations to adapt their existing quality system and CSV framework so that AI-specific elements – such as intended use for models, data dependencies, explainability, and monitoring – are embedded in current Standard Operating Procedures (SOPs), templates, and review processes, instead of being handled in parallel.

For AI that is already in use, PwC helps regularise existing models by reconstructing intended use and validation evidence, performing targeted gap analyses, and designing pragmatic remediation steps that minimise disruption. Finally, we support clients in building sustainable capabilities – from governance structures to targeted training for QA, IT, and data science – so that future AI initiatives start Annex 22-ready rather than needing to be retrofitted later.

5 Conclusion: using Annex 22 to future-proof AI in GMP

Annex 22 gives pharma, for the first time, a concrete framework for using AI in GMP environment. It shapes how AI is designed, validated, and operated in GxP environments by focusing on deterministic, static models to ensure traceability and inspection readiness. Companies that work with this framework now can reduce regulatory uncertainty, protect existing AI investments, and scale compliant use cases in a controlled way.

PwC supports clients to translate Annex 22 and the EU AI Act into practical operating models, controls, and governance. If you would like to discuss where you stand today and what an Annex 22-ready AI landscape could look like in your organisation, contact our team.