A batch of sterile product is ready to ship. Before it can leave the site, someone has to look at everything that happened to it — the deviations, the analytical results, the reconciliation of what went in against what came out — and make one decision: release, or hold. In Europe that decision belongs to a named Qualified Person, and it is the last door before the product reaches a patient. It is a one-way door. Once a batch is released, it is gone.
This is exactly the kind of work AI agents are good at preparing and exactly the kind of decision they must not make. The temptation, as agents get capable, is to let them do both. Confusing the two — the assembly of the case and the signing of the release — is how a manufacturer ends up with a faster process and a disposition no inspector can stand behind.
What the agent is genuinely good at
Batch disposition is, before the signature, an exercise in gathering and checking. A Qualified Person — the EU GMP role that, under Annex 16, certifies each batch before it can be placed on the market — cannot sign until every input is assembled and reconciled. That assembly is slow, repetitive, and exactly what an agent does well.
An agent can pull the batch record and flag every recorded deviation. It can fetch the analytical results from the laboratory system and check each one against its specification. It can reconcile yields, confirm that every required in-process check was performed, and surface the open CAPAs (corrective and preventive actions) attached to the line. It can draft the disposition summary the Qualified Person reads — the one-page case that says, in effect, "here is everything you need to decide."
None of that is the release. All of it is the preparation for the release. The distinction is not academic. It is the line the law draws, and it is the line a control plane has to enforce in software.
The signature is a human act, by design
Annex 16 does not describe a process that can be fully automated and then certified after the fact. It places certification on a person — the Qualified Person, who is personally accountable, whose name is on the register, and who can be held to answer for a batch years later. The same logic runs through US manufacturing under 21 CFR §211.22, which gives the quality unit the authority to approve or reject batches and requires that this authority be exercised independently of the people who made the product.
That is segregation of duties, written into pharmaceutical law decades before anyone shipped an agent. The unit that produces cannot be the unit that disposes. When the actor doing the assembly is a model, the rule does not relax — it gets sharper, because a model has no professional license to lose and no personal liability to feel.
So the architecture is fixed before you write a line of code. The agent prepares. The Qualified Person signs. The system has to make the second thing impossible for the agent to do, not merely discouraged.
Where most implementations get it wrong
The common failure is to put the boundary in the prompt. You are a disposition assistant. Prepare the summary and present it to the QP for signature. Do not release the batch yourself. This reads like a control. It is an instruction, and instructions are negotiable.
A prompt has no record of who decided the agent could touch the LIMS. It has no version history when someone edits it. It cannot prove, eighteen months later, what the agent was permitted to do on the day a specific batch was disposed. And it offers no structural barrier at all to the one thing that matters most — an agent that, through a re-prompt or a tool it was quietly granted, ends up able to write the release record itself.
The boundary has to live somewhere the agent cannot edit. That is the whole argument for a segregation-of-duties control that holds at runtime rather than on paper.
What the boundary looks like in practice
In MakerChecker, the disposition agent is a named principal that holds one role, and that role is granted exactly the doors it needs — read the batch record, read the LIMS, read the deviation log, write a draft summary. Those grants are deny-by-default and versioned: you can reconstruct precisely what the agent could do on the date any batch was disposed, and every change to that list carries the name of who approved it.
The release itself is a separate, gated step. The run reaches the disposition gate and stops. It cannot proceed on the agent's authority, because the agent does not hold that authority — structurally, the same actor that assembled the case provably cannot be the one that signs it off. A Qualified Person reviews the assembled case and applies a signature, and that signature captures the meaning the law requires it to carry.
| Step | Actor | Authority |
|---|---|---|
| Pull batch record, results, deviations | Agent | Read-only grants |
| Reconcile and draft disposition summary | Agent | Write draft only |
| Certify and release the batch | Qualified Person | Gated human signature |
This is the same pattern an approval gate applies to any one-way door — releasing a batch, filing a regulatory report, pushing to a live device. The gate parks the run, demands a named signature, bars the preparer from signing their own work, and records the signer's reason verbatim so the certification means what it says.
The evidence an inspector can actually check
A disposition is only as good as your ability to defend it later. Annex 16 keeps the Qualified Person on the hook for the life of the batch, and 21 CFR Part 11 governs how the electronic record and the signature behind it must be kept: an audit trail that is tamper-evident under §11.10(e), a signature that manifests its meaning under §11.50, and a binding between the signature and the record it applies to under §11.70.
Every step in the run above lands in an append-only, hash-chained, signed ledger. Change one record and the chain visibly breaks. The export verifies offline, against a published spec, without access to your systems — which is precisely what an inspector wants and what a screenshot of a chat transcript can never provide. We go deeper on that in Part 11 for AI agents.
What to take from this
Agentic AI was scoped out of the main US model-risk guidance in April 2026, and the high-risk obligations under the EU AI Act were pushed to late 2027. Neither of those moved Annex 16. Neither touched §211.22. The rule that the maker cannot be the checker — and that a named person certifies the batch — is date-proof, and the inspection that tests it will not wait for new AI guidance to arrive.
The right deployment is not "an agent that releases batches." It is an agent that does the gathering, the checking, and the drafting at machine speed, handing a clean case to the Qualified Person who still — and only — signs at the one-way door. The speed is real. The accountability stays exactly where the law put it.
See how it works, or book a demo to watch an agent get blocked from approving its own work — live.