AI in the Lab

What Every Lab AI Policy Should Cover

Illustration for an IGOR blog post on lab AI policies, showing an AI policy SOP, implementation checklist, ELN documentation, training, and audit readiness.

This is Part 3 of our three-part series on AI use in research documentation.

In Part 1 of this series, we looked at what the FDA, EMA, MHRA, and ISPE have published on AI in drug development and regulated research. We also covered the April 2026 FDA warning letter to Purolea Cosmetics Lab - which, among a range of CGMP violations, included a finding that AI-generated documentation had been used without adequate human review. The FDA cited that as a quality-unit failure under 21 CFR 211.22(c).

Part 2 looked at how existing data integrity principles - specifically ALCOA+ - apply when AI is generating your lab records. Now the practical question: what should your lab actually do about it?

The answer isn't to stop using AI. Regulators aren't calling for that. Across the draft guidances, frameworks, and principles published since 2024, the consistent direction is the same: risk-based use, human oversight, documentation, and validation where the risks warrant it.

That said, some draft frameworks are worth understanding before you build your policy, because they shape what "acceptable use" looks like in practice.

The European Commission's draft GMP Annex 22 is a good example. It covers AI in pharmaceutical manufacturing, but deliberately limits its scope to static, deterministic AI models - the kind that produce the same output every time from the same input. Generative AI and LLMs work differently: they're probabilistic, meaning outputs vary, and that variability creates challenges for validation and reproducibility in regulated environments. For that reason, the draft places them outside its scope for critical GMP applications.

That doesn't mean LLMs are prohibited across the board. The draft does leave room for non-critical uses - situations where there's no direct impact on patient safety, product quality, or data integrity - as long as trained personnel are checking that outputs are fit for purpose.

For most labs using generative AI to help with documentation, the practical implication is this: there is no detailed regulatory rulebook yet for this specific use case. Which means risk assessment, documentation, and human review matter even more.

If you build that framework now, before specific requirements are finalized, you're ahead of the curve. If you wait, you may find yourself trying to explain or reconstruct AI use that was never documented.

Here are some practical tips for putting that framework together.

Important Disclaimer: This post is for informational purposes only and reflects our understanding of publicly available guidance as of the date of publication. It is not legal or regulatory advice. Requirements vary by jurisdiction, product type, and intended use. If you're making compliance decisions, talk to a qualified regulatory professional who knows your specific situation.

What should your lab AI policy cover?

Before getting into the details, a quick orientation. A useful lab AI policy addresses the following: which tools are approved and which aren't, which tasks AI can and can't be used for, what gets documented when AI is used, who reviews AI-generated content and what that actually means in practice, what data and information can't go into external AI tools, and how to handle it when tools change. The steps below work through each of those.

Step 1: Write the Policy

If your lab uses AI in documentation or analysis, a written policy is quickly becoming a practical necessity. It doesn't need to be a 50-page document. A concise, clear policy that people will actually read is worth ten times more than a comprehensive one that lives in a shared drive or ringbinder somewhere.

Approved tools

Which AI tools are authorized in your lab? Deciding this, writing it down, and communicating it to your team is more important than it might seem. Different tools have very different data handling practices, and if scientists are pasting proprietary compound structures or patient information into a public chatbot, that's a problem before you even get to the documentation questions. Your policy should specify which tools are approved, which are prohibited, and why - and the approval should be based on the vendor's data handling and terms of service, not just convenience.

Where you have control over it, also specify which version or model is approved. AI tools update frequently, sometimes without any announcement, and the behavior of one model version can differ meaningfully from the next. Knowing which version was in use when a particular output was generated matters for traceability.

One thing that often catches people off guard: free-tier AI tools, including the public version of ChatGPT, may use data entered into them to train future models. Most offer a setting to disable this, but it's not on by default, it's not always easy to find, and some tools don't offer it at all (especially not on the free tier). Before approving any tool for lab use, read the terms of service and understand what happens to data once it's entered. If there's any doubt, keep proprietary research data, unpublished results, personal data, and confidential information out of it entirely.

For labs using AI in regulated workflows, there's an additional layer: tools used in those contexts may need to be qualified or validated, depending on the risk and intended use. A free-tier chatbot is not the same as an AI feature built into a validated ELN. The policy should make that distinction clear.

Approved use cases

Not all AI applications are the same risk. A tiered approach lets you match the level of oversight to the level of risk.

Tier 1 - standard review: grammar and language editing, style formatting, presentation materials, email drafting, literature search and summarization for non-regulatory background reading or internal orientation, drafting non-controlled background text or generic method descriptions that are verified before use. The common thread across Tier 1 is that the AI output doesn't directly feed into a regulated record or decision. The moment it does (e.g a literature summary informing a safety assessment, for example, or a method description copied into a controlled document) it moves into Tier 2 or higher.

Tier 2 - documented AI use, review appropriate to risk: experiment-specific notebook entry drafts, protocol and SOP drafts, experimental result summaries, analysis code, regulatory document drafts. These need documented AI use and review appropriate to the risk, which may include formal sign-off by the author and a qualified reviewer,  depending on the workflow,  to provide proof of human oversight. 

Tier 3 - formal risk assessment required: quantitative data analysis, safety or efficacy interpretation, statistical analysis, quality control decisions, any output directly supporting a regulatory submission. These need a formal risk assessment and documented fitness-for-purpose evidence. Depending on the use, that may include validation, qualification, independent testing, change control, and for high-impact submissions, regulatory engagement.

Tier 4 - not permitted: using AI as the sole source of experimental data, replacing human scientific judgment on critical decisions, entering patient data or personally identifiable information into non-validated tools, accepting AI outputs without any human review. The Purolea failure mode sits here: AI-generated compliance documentation accepted without adequate human verification.

Documentation requirements

When AI is used, what needs to be recorded? At minimum: which tool, what the task was, that the output was reviewed and verified by a qualified person (specify who), and what changes were made. For higher-risk applications, also capture the specific prompt, the raw output, and the final edited version.

Review and approval

Who reviews AI-generated content, and what does that actually mean? For routine Tier 1 use, the scientist who ran the query and reviewed the result may be enough. For Tier 2 and above, a second reviewer or supervisor sign-off is appropriate. The depth of review should scale with the risk tier. And "review" means checking the content against primary data - not just confirming it looks well-formatted and sounds professional.

Data privacy and confidentiality

What cannot go into external AI tools? Proprietary compound structures, patient data, unpublished results, trade secrets - none of this should be pasted into an external AI service unless that service has been thoroughly vetted. Scientists moving fast don't always stop to think about what's in the text they're copying. The policy should be explicit.

AI policy checklist

Before finalizing your policy, check that it covers:

  • Which AI tools are approved for lab use
  • Which AI tools are prohibited
  • How approved tools and their use are categorized by risk tier (Tier 1–4 or equivalent)
  • What information may not be entered into external AI tools
  • What must be documented each time AI is used
  • Who reviews AI-generated content and what that review involves
  • Which SOPs are affected and need updating
  • Training requirements and frequency
  • How AI model and tool versions are tracked
  • How to handle vendor updates to tools used in regulated workflows
  • Where audit evidence is stored and how to retrieve it quickly

Step 2: Train Your Team - and Keep Training Them

A policy on paper is just paper. The team needs to understand not just what the policy says, but why it is important to follow it. 

Without training, scientists make predictable mistakes. They accept AI-generated summaries without checking them against source data. They share confidential information with public tools without thinking about data privacy. They miss hallucinated content - because the fabricated version reads just as confidently as the accurate one. It's what happens when people use a powerful, impressive tool without understanding how it fails.

Training should cover ALCOA+ data integrity in the context of AI: what it means when AI generates content, why human review matters regardless of whether the content ends up in a controlled record, and what non-compliance actually looks like. Worth walking your team through the Purolea warning letter as a concrete example. The firm's owner believed she was using AI to achieve compliance. The FDA disagreed - her failure to review AI-generated outputs was cited as a quality unit violation under 21 CFR 211.22(c). The lesson isn't that she was reckless. It's that AI, however powerful, requires human oversight and a clear understanding of what it can and can't do.

Training should also cover practical skills. How to write prompts that produce useful lab documentation. How to review AI output critically - not skim it. How to document AI use in your lab data management system.

The single most important habit to build: treat every AI output as unverified until you've checked it against primary data. A scientist should always be able to point back to the source record that supports an AI-generated statement. If they can't, the statement shouldn't be in the final record.

Consider running scenario exercises. Give your team an AI-generated experiment summary with two or three subtle errors - a wrong concentration, a literature citation that doesn’t exist, a result that doesn't match the data - and have them find the problems. "Spot the unsupported claim" builds better instincts than a compliance slideshow.

One approach that works well: designate one or two AI champions in the lab. People who know the approved tools well, can answer questions in real time, and run periodic refreshers. It's the same model as ELN champions at high-adoption sites, and it works for the same reason - people adopt things faster when there's a knowledgeable colleague to ask.

Training should be documented and recurring. Annual refreshers are a reasonable starting point for many labs, with ad-hoc updates when guidance changes or new tools come in.

Step 3: Update Your SOPs

If AI is being used in documentation, data review, or other regulated workflows, your SOPs should address it. This doesn't mean rewriting everything - in most cases you're adding a few paragraphs to existing documents.

Documentation SOPs should specify when and how AI assistance can be used for notebook entries, reports, or controlled documents - which tools are approved, what gets recorded, and what the review process looks like. Data review SOPs should specify that reviewers are responsible for verifying AI-generated content against primary data, not just confirming that the document looks complete. It's also worth addressing what happens when a vendor updates a tool used in your workflows - either in your change control SOP or as a standalone procedure. A model update to a Tier 1 tool probably doesn't trigger a formal change assessment. A model update to a Tier 3 analytical application likely does. Your documentation should make that distinction. Your documentation should make that distinction - and when questions come up about what procedure was in place at a given point in time, having version-controlled, digitally signed SOPs with a full approval history makes that straightforward to answer. That's exactly what IGOR's SOP management tools are designed to support.

Step 4: Configure Your ELN and Quality System

Policy and SOPs set the rules. Your systems need to support them.

If your ELN supports custom metadata fields - like IGOR's experiment databases do - add an AI documentation field to your standard entry templates. A checkbox ("AI assistance used: yes/no") plus a text field for the tool and a brief description creates a lightweight but auditable record. When someone asks "how are AI-generated records identified and controlled in your system?", you'll have a consistent, documented answer.

Review and sign-off workflows help enforce human oversight in research documentation, which becomes even more important when AI is used. IGOR's digital signature workflow, for example, requires an author signature followed by witness review and sign-off, after which the entry locks for data integrity. When a reviewer signs a notebook entry in IGOR, they certify that they've reviewed the information and that, to the best of their knowledge, it is true and accurate. In the context of AI-assisted records, that attestation adds a meaningful layer of accountability. The audit trail captures who signed, when, and any comments left by witnesses.

Keep an AI model inventory. A running document of which AI tools and model versions are in use across the lab, what they're used for, and who's responsible for them. When a vendor pushes a model update - and they do this regularly, often without prominent announcements - you need a process to assess whether that change affects anything in your workflows. It's change control applied to AI. 

Step 5: Prepare for Questions

The FDA has shown through the Purolea warning letter  that AI use can become part of an inspection finding - not just in the future, but already under existing quality system regulations. It's reasonable to expect AI-related questions to become more common in inspections and quality audits going forward. Here are some examples of what to be ready for.

"Does your lab use AI tools in any regulated workflows?" You need to know the honest answer - and that means actually surveying what your team is using and what for, not just what's officially sanctioned. The gap between policy and practice is exactly where problems surface.

"How are AI-generated records identified and controlled?" This is where your policy, SOPs, and ELN configuration come together. You should be able to show your AI use policy, demonstrate how AI involvement is documented in the ELN, and walk through the review workflow. A live example from a recent notebook entry is worth more than describing what the process is supposed to be.

"Has the AI tool been validated for its intended use?" This one depends heavily on context. For AI features embedded in a validated system like your ELN or LIMS, the answer may be more straightforward - if the AI functionality was included in the validated scope and is being used as intended. If it wasn't, or if the intended use has expanded since validation, a separate risk or qualification assessment may be needed. For standalone AI tools used in higher-risk workflows, some form of fitness-for-purpose assessment, with documentation proportionate to the risk, is likely to be expected.

"How do you ensure AI-generated content is accurate?" Walk through your review process. Scientists check AI outputs against primary data, verify completeness, and sign off to confirm review. Showing examples of records where corrections were made to AI content demonstrates the review is genuine rather than a formality.

"What training have your staff received?" Show your training records. If your training documentation covers AI use and you have completion records, you're in good shape.

While it's impossible to predict exactly what auditors will focus on as AI use becomes more common in labs, questions around how your quality system was built - and specifically how your team determined what each regulation or guideline actually requires - seem like a natural area of scrutiny. 

The Purolea incident has demonstrated that AI should supplement regulatory and scientific knowledge, not substitute for it. The firm's owner was unaware of a fundamental process validation requirement - not because the regulation didn't exist, but because the AI agent she used never flagged it. Your quality team's understanding of what regulations require should come from training, experience, and qualified expertise - not from whatever an AI agent happened to include in a document it drafted.

Where This Is All Heading

The regulatory picture is getting clearer, even if many of the details are still being worked out.

The FDA's January 2025 draft guidance focuses on risk-based credibility assessment for AI used to support regulatory decision-making in drug development. It's still a draft and nonbinding in that form. The European Commission's draft GMP Annex 22 is explicitly cautious: generative AI and LLMs sit outside its current scope for critical GMP applications, which is a useful signal about where the regulatory comfort level is right now. The joint principles published by the FDA and EMA in January 2026 lay out a shared framework - ten principles covering the full drug development lifecycle - that shows both agencies heading in the same direction. And the MHRA's National Commission completed its call for evidence in February 2026 and is expected to publish recommendations in 2026 that will inform UK expectations for AI in healthcare and medical devices.

None of this is a complete rulebook for routine generative AI use in lab documentation. But the direction is consistent across all of them: define what you're using the AI for, assess the risk, document the process, keep a human accountable for the output, and make sure your records can withstand scrutiny.

Putting It Together

A clear policy, a few SOP updates, some ELN configuration, basic training, and a genuine commitment to transparency get you most of the way there.

The direction from regulators is consistent: AI may have a place in regulated life sciences work, but it needs to operate within the same quality, data integrity, and oversight expectations as everything else.

Labs that internalize this now - treating AI as a useful tool within an existing quality framework, not a shortcut that bypasses it - will be the ones that get the most out of what AI has to offer. Start with the policy. Update the SOPs. Train the team. Configure the ELN. When the questions come - and they will - you'll have the answers ready.

If you want to explore how IGOR's audit trail, digital signatures, and customizable metadata can support your lab's documentation workflows, book a demo and we can walk through how IGOR can support this kind of setup.

Frequently Asked Questions

Does the FDA ban AI use in regulated labs? No. The FDA's published guidance and the joint FDA–EMA principles support risk-based, appropriately documented AI use under human oversight, rather than a blanket prohibition. Some draft frameworks draw hard limits around specific applications - the European Commission's draft GMP Annex 22 explicitly places generative AI and LLMs outside its scope for critical GMP applications - but that's different from a ban on AI altogether.

Can scientists use AI to draft lab notebook entries? No regulatory guidance specifically addresses this scenario yet. What does exist - ALCOA+ data integrity principles, quality unit obligations under CGMP, and the Purolea warning letter - makes one thing clear: any AI-generated content incorporated into a regulated record must be reviewed and verified by a qualified human before it becomes part of that record. Whether a particular tool is permitted and whether its output has been adequately reviewed are two separate questions. Both are important.

Does AI-generated documentation need human review? In any regulated context, yes. The Purolea warning letter makes this explicit: failure to review AI-generated specifications and procedures was cited as a quality unit violation under 21 CFR 211.22(c). "The AI produced it" is not a substitute for qualified human review.

What should be documented when AI is used in a lab workflow? Start with the basics: which tool you used and which model version, what you asked it to do, and confirmation that a qualified person reviewed and verified the output. Note any changes made before the content was finalized. For higher-risk workflows, go further - capture the specific prompt, the raw output before any editing, and the final version that ended up in the record.

Do AI tools used in regulated workflows need to be validated? It depends on the context. In GMP environments, the European Commission's draft GMP Annex 22 takes a firm position: AI systems used in regulated GMP applications need to be validated. For AI features already embedded in a validated system, they may be covered - but only if the AI functionality was included in the original validated scope and is being used as intended. For standalone AI tools introduced into GMP workflows, validation is expected. In other regulated contexts such as GLP, higher-risk regulated workflows are likely to need some form of risk or fitness-for-purpose assessment. The depth of that assessment should be proportionate to the risk.

What did the FDA Purolea warning letter say about AI? The April 2026 warning letter to Purolea Cosmetics Lab included a section titled "Inappropriate Use of Artificial Intelligence in Pharmaceutical Manufacturing." The FDA found that the firm had used AI agents to create drug product specifications, procedures, and master production records without reviewing the outputs to ensure they were accurate and CGMP-compliant. The failure to review those AI-generated documents was cited as a violation of 21 CFR 211.22(c), the regulation governing quality unit responsibilities.

References

  1. FDA, "Considerations for the Use of Artificial Intelligence to Support Regulatory Decision-Making for Drug and Biological Products," Draft Guidance, January 2025. Docket No. FDA-2024-D-4689. fda.gov
  2. EMA, "Reflection Paper on the Use of Artificial Intelligence (AI) in the Medicinal Product Lifecycle," EMA/CHMP/CVMP/83833/2023, adopted September 2024. ema.europa.eu
  3. FDA and EMA, "Guiding Principles of Good AI Practice in Drug Development," January 2026. fda.gov
  4. MHRA, "Impact of AI on the Regulation of Medical Products," April 2024. gov.uk
  5. ISPE, "GAMP Guide: Artificial Intelligence," July 2025. ispe.org
  6. FDA Warning Letter to Purolea Cosmetics Lab, MARCS-CMS 722591, April 2, 2026. fda.gov
  7. European Commission, Draft EU GMP Annex 22: Artificial Intelligence, July 2025. health.ec.europa.eu

Important Disclaimer: This post is for informational purposes only and reflects our understanding of publicly available guidance as of the date of publication. It is not legal or regulatory advice. Requirements vary by jurisdiction, product type, and intended use. If you're making compliance decisions, talk to a qualified regulatory professional who knows your specific situation.

IGOR Logo

Features

Electronic Lab NotebookInventory ManagementTeam CollaborationSecurity & ComplianceMobile Application

Resources

BlogKnowledge BasePricing
Book a Demo
Contact Us

© Copyright 2026
All Rights Reserved by Wildfell Software LLC

SubprocessorsData Processing AgreementAuthorized User AgreementPrivacy Policy