Life sciences6 min read

21 CFR Part 11 for AI agents

Part 11 governs electronic records and signatures. When an AI agent makes the record, here is what a control plane must provide to keep it defensible.

21 CFR Part 11 was written in 1997, for a world of human analysts typing into validated systems. It does not mention artificial intelligence, and it does not need to. Part 11 — the FDA's rule on electronic records and electronic signatures — governs the record and the signature, not who or what produced them. The moment an AI agent creates, modifies, or signs a GxP record, that record falls squarely inside Part 11. The agent does not get a pass for being software.

That is the trap most teams walk into. They treat an agentic workflow as an internal automation detail and forget that its output is a regulated electronic record the FDA can demand to inspect. The question an investigator asks has not changed: show me the record, show me who signed it, and prove neither was altered. What has changed is that the actor in the seat is now a model — and a model cannot raise its hand in an audit.

What Part 11 actually requires

Strip Part 11 to the obligations that bite when an agent is in the loop, and four sections do most of the work.

Section What it requires What it means for an agent
11.10(e) Secure, computer-generated, time-stamped audit trails that record operator entries and actions, and do not obscure prior values Every agent action and every model call is captured, ordered, and immutable
11.50 Signature manifestations: each signed record shows the signer's name, the date and time, and the meaning of the signing A signature is not a checkbox — it carries who, when, and why
11.70 Signatures are linked to their records so they cannot be excised, copied, or transferred The signature belongs to this record and cannot drift to another
11.10 (general) Limiting system access to authorized individuals; operational checks to enforce sequencing Only the authorized actor performs the step, in the right order

None of these were written for AI. All of them apply the instant an agent touches a record. The work, then, is not to interpret new law. It is to make an agentic workflow produce evidence against the law that already exists.

11.10(e): the audit trail an agent cannot edit

The audit trail is the heart of Part 11, and the part agents break most easily. A model that writes its own logs, or logs to a store it can also overwrite, has no audit trail in the regulatory sense — it has a draft it can revise. 11.10(e) demands a record that is secure, computer-generated, and non-obscuring: prior values must remain visible, and entries cannot be silently changed.

For this to hold with a non-deterministic actor in the loop, the audit trail has to live somewhere the agent cannot reach. It must be append-only, so a record once written cannot be edited or deleted. It should be hash-chained, so that altering any past entry visibly breaks the chain that follows it. And it should be cryptographically signed, so a third party can confirm the export came from the system that claims it and has not been tampered with since.

This is the difference between a log and evidence. A log is something you keep. A tamper-evident audit trail is something an investigator can verify without trusting you. We go deeper on the construction in tamper-evident audit logs for AI agents.

11.50 and 11.70: a signature that still means something

Here is where agentic workflows quietly fail Part 11. An agent that "approves" its own step produces a signature with no human meaning, no named signer, and nothing linking it to a deliberate decision. Under 11.50, a signature manifestation has to show three things: the printed name of the signer, the date and time of signing, and the meaning associated with the signature — approval, review, responsibility. A timestamp and a green tick satisfy none of that.

11.70 adds the binding requirement. The signature must be linked to its record so it cannot be cut out and pasted onto a different one. In a system where an agent can regenerate or reroute records, that linkage is exactly what erodes if nobody enforces it.

The practical consequence is blunt. For any step Part 11 treats as a signed decision — a batch disposition, a deviation closure, a validated report release — the signer must be a named human, the meaning must be captured verbatim, and the signature must be bound to the specific record version it approved. An agent can prepare the record. It cannot be the signer of record on a decision the FDA expects a person to own.

Who may act, and in what order

Part 11's general provisions in 11.10 require limiting system access to authorized individuals and using operational checks to enforce the correct sequencing of steps. Translated to agents: an agent should be able to perform only the actions it was explicitly authorized to perform, and the workflow should refuse out-of-sequence steps — no signing a record that was never reviewed, no closing a deviation that was never investigated.

This is where Part 11 meets 21 CFR 211.22, the rule that gives the quality unit independent authority and separates the person who does the work from the person who approves it. The same principle has to survive automation: the agent that drafted a record cannot be the agent that approves it — not as a guideline, but as something the system structurally prevents. We cover the batch case end to end in GMP batch release with AI agents.

What a control plane has to provide

Map Part 11 onto a control plane — the policy-and-enforcement layer that sits between an agent's intent and the regulated system — and the requirements become concrete features rather than aspirations.

  • Named identity. Every agent acts as a single, named principal, so no record is produced by an anonymous process. You cannot satisfy 11.10's access control for an actor you cannot name.
  • Deny-by-default, versioned authority. An agent performs only the steps it was granted, and you can reconstruct exactly what it was permitted to do on any past date — the access-control evidence 11.10 expects, made queryable.
  • Structural segregation of duties. The same agent provably cannot be both maker and checker on one run. The self-approval attempt is refused, and the refusal is itself recorded.
  • Human signature gates. For Part 11 signed decisions, the run parks and demands a named human signature, captures the signer's meaning verbatim for 11.50, and binds it to the record version for 11.70. The requester cannot approve their own request.
  • An offline-verifiable audit export. A hash-chained, signed evidence bundle an inspector can verify against a published spec, with no access to your systems — the 11.10(e) audit trail, in a form that travels.

MakerChecker is built around exactly these jobs. It wraps your existing agents through proxy sessions rather than replacing them, runs self-hosted and air-gapped on a Postgres database you already control, and produces an audit export designed against the Part 11 obligations above. It does not host your agents and it does not judge whether a model's content is dangerous — that is the job of guardrail tools, which sit alongside it. MakerChecker answers the question Part 11 actually asks: was this actor authorized, and is the record intact?

Part 11 has not moved in nearly three decades. The agents are new. The rule is not — and "the AI did it" has never been a defense an investigator accepts.

See how it works, or book a demo to watch an agent get blocked from approving its own work — live.

Where this goes to work

MakerChecker for life sciences

Agents prepare batch-release and disposition cases; a qualified person signs at the one-way door, against the 21 CFR Part 11 record your auditors expect.

Explore →Book a demo

Related reading

See it for yourself

See an agent get stopped.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Book a demoRead the docs

Designed against the rules your auditors already enforce.