A reefer container carrying a vaccine consignment crosses a border at 3 a.m. A data logger records four hours above the labelled storage range — a temperature excursion. By the time anyone at the distributor reads the alert, the pallets have already moved to a regional hub, and a wholesaler downstream is asking when they can sell. The clock that matters is not the regulator's. It is the one counting down to the moment that stock either gets quarantined or reaches a patient.
This is the exact problem AI agents are good at. An agent can watch the logger feed, catch the excursion the instant it clears threshold, pull the product's stability data, and assemble a disposition packet faster than a human reading email. The temptation — and the danger — is to let that same agent finish the job: clear the hold, mark the lot sellable, and let the pallets keep moving. That last step is not monitoring. It is a quality decision, and in a regulated supply chain a quality decision belongs to a named person.
What "disposition" actually means
In pharmaceutical distribution, disposition is the formal decision about what happens to a batch of product after something goes wrong: release it, quarantine it, or reject it. A temperature excursion is any deviation outside the labelled storage condition — too warm, too cold, too long. A stability assessment is the analysis that asks whether the product can still be guaranteed safe and effective given how far, and how long, it strayed.
None of those words are new. The point is who is allowed to say them. Under 21 CFR §211.22, the quality unit — not operations, not logistics, and certainly not an autonomous process — carries the authority to approve or reject the disposition of drug product. That responsibility is the original segregation of duties: the people who move and sell the stock are structurally separated from the people who decide it is fit to move and sell. An agent that both assesses an excursion and releases the lot collapses that separation in a single actor. It becomes maker and checker at once, which is precisely the arrangement the rule exists to forbid.
What the agent should do, and where it must stop
The useful division is not "agent versus human." It is "preparation versus decision." An agent is allowed to prepare exhaustively. It is not allowed to decide alone.
| Step | Who | Why |
|---|---|---|
| Detect the excursion from logger data | Agent | Speed; no judgment required |
| Pull product stability budget and excursion history | Agent | Data assembly |
| Compute mean kinetic temperature, flag the breach | Agent | Calculation, fully reproducible |
| Draft the disposition recommendation | Agent | A proposal, not a verdict |
| Quarantine, release, or reject | Quality unit, by signature | One-way door; statutory authority |
The agent's output is a recommendation with its working shown — the readings, the stability budget it consulted, the calculation, and the version of every input. A human in the quality unit reads that packet and signs the disposition. The agent never holds the pen.
Why a prompt cannot enforce this
The naive version of this control is an instruction: agent, never release stock without human sign-off. That is a request, not a constraint. A re-prompt, a model swap, an edge case the instruction did not anticipate, or a well-meaning "just this once" override, and the boundary is gone — with no record that it was ever there. When an inspector asks who authorized the release of an excursion-affected lot, and asks you to prove the log was not edited afterward, a paragraph of guidance is not evidence.
The boundary has to live somewhere the agent cannot reach. That is the job of an agent control plane: a layer between what the agent wants to do and what actually happens. It holds the authority rules outside the agent, enforces them at runtime, and records every attempt — including the ones it refuses.
In MakerChecker terms, the cold-chain agent is granted exactly two skills: assess excursion and draft disposition. The skill that would change a lot's market status is simply never granted to it — deny-by-default, and the grant is versioned, so you can show what the agent was permitted to do on any past date. The release itself is an approval gate: the run parks, a named quality-unit member signs, and the agent that prepared the packet is structurally barred from being the one who approves it. Not "should not." Cannot — the same actor provably cannot be maker and checker on one run.
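The grant and gate logic described above, as an added sketch (this is not MakerChecker's code or API; the identities, skill names such as `release_lot`, and the `Run` structure are assumptions made for illustration):

```python
from dataclasses import dataclass, field

# Versioned grants live outside the agent; any skill not listed is denied.
GRANTS = {1: {"cold-chain-agent": {"assess_excursion", "draft_disposition"}}}
QUALITY_UNIT = {"qa.reviewer"}  # constructed identity
DECISIONS = {"quarantine", "release", "reject"}

class Denied(Exception):
    pass

@dataclass
class Run:
    lot: str
    maker: str
    grant_version: int
    status: str = "open"
    reason: str = ""  # signer's reason, kept verbatim
    attempts: list = field(default_factory=list)  # every attempt, refused ones too

def invoke(run, actor, skill):
    """Deny-by-default: a skill runs only if the run's grant version lists it."""
    allowed = skill in GRANTS[run.grant_version].get(actor, set())
    run.attempts.append((actor, skill, "allowed" if allowed else "refused"))
    if not allowed:
        raise Denied(f"{actor} is not granted {skill}")
    if skill == "draft_disposition":
        run.status = "parked_for_approval"  # the run waits for a human signature

def approve(run, signer, decision, reason):
    """Approval gate: a named quality-unit signer who is not the run's maker."""
    problem = None
    if run.status != "parked_for_approval":
        problem = "run is not awaiting approval"
    elif signer == run.maker:
        problem = "maker cannot be checker on the same run"
    elif signer not in QUALITY_UNIT:
        problem = f"{signer} is not in the quality unit"
    elif decision not in DECISIONS:
        problem = f"unknown decision {decision!r}"
    elif not reason.strip():
        problem = "a signature must state its reason"
    run.attempts.append((signer, f"approve:{decision}", "refused" if problem else "allowed"))
    if problem:
        raise Denied(problem)
    run.status, run.reason = decision, reason
    return run.status
```

The maker check runs before the quality-unit membership check, so adding the agent's identity to the quality-unit set still does not let it approve its own run.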
The audit trail an inspector will actually ask for
A temperature excursion generates a paper trail by law. The question an inspector asks months later is whether that trail is intact and whether it shows a real human decision behind the release.
MakerChecker writes every step — the excursion ingest, the stability calculation, the recommendation, the human signature, the disposition — into an append-only ledger that is hash-chained and cryptographically signed. Alter one record and the chain visibly breaks. The signature captures the signer's reason verbatim, so it carries its meaning rather than being a bare click, which is the substance behind 21 CFR §11.50's requirement that a signature manifest what it means. The audit trail itself is tamper-evident in the sense §11.10(e) demands, and the export can be verified offline, against a published spec, by someone with no access to your systems.
That last property matters more than it sounds. It means your evidence does not depend on trusting the vendor, the cloud, or the agent. A regulator can confirm the record is genuine without logging into anything you operate.
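A minimal hash-chained ledger and its offline check, as an added example (not MakerChecker's format or published spec). The record fields and sample events are constructed, and HMAC-SHA256 stands in for the signature to keep the sketch standard-library only; verification by a third party who holds no secret requires an asymmetric signature instead.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # stand-in for a real signing key (assumption)
FIELDS = ("seq", "prev", "actor", "event", "detail")
GENESIS = "0" * 64

def digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def sign(record_hash):
    return hmac.new(KEY, record_hash.encode(), hashlib.sha256).hexdigest()

def append(ledger, actor, event, detail):
    body = {"seq": len(ledger), "prev": ledger[-1]["hash"] if ledger else GENESIS,
            "actor": actor, "event": event, "detail": detail}
    h = digest(body)
    ledger.append({**body, "hash": h, "sig": sign(h)})

def verify(ledger, expected_head=None):
    """Return the index of the first bad record, or None if the chain is intact.
    expected_head is the latest hash as anchored elsewhere; without it a
    truncated tail cannot be detected, and a mismatch returns len(ledger)."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        body = {k: rec[k] for k in FIELDS}
        if (rec["seq"] != i or rec["prev"] != prev or digest(body) != rec["hash"]
                or not hmac.compare_digest(sign(rec["hash"]), rec["sig"])):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(ledger)
    return None

def sample_ledger():
    # Constructed events mirroring the steps the article lists.
    ledger = []
    append(ledger, "cold-chain-agent", "excursion_ingest", "4 h above labelled range")
    append(ledger, "cold-chain-agent", "stability_calculation", "inputs and versions recorded")
    append(ledger, "cold-chain-agent", "recommendation", "quarantine pending review")
    append(ledger, "qa.reviewer", "signature", "reason: excursion exceeds budget; hold lot")
    append(ledger, "control-plane", "disposition", "quarantine")
    return ledger
```

Editing a record, re-hashing an edited record without the key, and deleting a record from the middle are all reported at the first affected index. Dropping records from the end is caught only when the verifier is given a head hash recorded somewhere the ledger's operator cannot rewrite.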
The same pattern, everywhere quality decides
Cold-chain disposition is one instance of a shape that repeats across regulated operations. An agent prepares; a named human decides the one-way step; the system proves both happened and that the record is intact. The same structure governs GMP batch release, where the Qualified Person signs under EU GMP Annex 16, and pharmacovigilance triage, where an adverse-event signal is assessed by an agent but the reportability call stays human.
Note what this is not. It is not a guardrail asking whether the agent's output is toxic or off-policy — that is a separate and complementary question. This is the authorization question: is this actor allowed to take this action? An excursion agent might produce a perfectly sensible, perfectly safe recommendation to release. It still must not be the one that releases.
That distinction is the whole discipline. In a regulated cold chain, the value of an AI agent is not that it can decide faster. It is that it can do all the work up to the decision, leave a clean record, and hand a quarantine-or-release call to the person the law holds responsible — who now signs with the full picture in front of them, in seconds rather than hours.