
Summary
The FDA’s Purolea Cosmetics warning letter shows why AI governance matters. The issue wasn’t that Purolea used AI to help create compliance documents. The problem was that the company relied on AI-generated output without adequate qualified human review. The FDA and EMA’s good AI practice principles point to a better approach: define the context of use, assess risk, document decisions, involve the right expertise, and maintain accountability throughout the AI lifecycle. The broader lesson is clear: AI can assist with work, but the person or organization using it remains responsible.
Key Points
- AI output doesn’t replace human accountability.
The person or organization using AI still owns the accuracy, completeness, compliance, and appropriateness of the final work. - The FDA did not object to AI-assisted document creation itself.
It objected to using AI-generated compliance documents without adequate qualified human review. - Good AI practice is a governance issue, not just a model performance issue.
Context of use, validation, documentation, oversight, monitoring, and lifecycle management all matter. - The Purolea case has lessons beyond drug manufacturing.
Similar risks can appear in analytics, reporting, compliance, audit preparation, and operational decision support. - AI can support judgment, but it can’t replace it.
Speed, polish, and confidence are not the same as accuracy or accountability.
The Situation
The FDA’s warning letter to Purolea Cosmetics Lab isn't just a story about one company misusing AI. It's a practical example of where AI governance fails when output replaces review, documentation replaces understanding, and automation replaces accountability.
The FDA and EMA’s principles for good AI practice point in the opposite direction: define the context of use, assess risk, document the data and decisions, involve the right expertise, and keep humans accountable throughout the lifecycle.
What Good AI Practice Looks Like
The FDA and EMA do not frame good AI practice as “use better models.” They frame it as a governance problem. AI should have a defined context of use. Its risk should determine the level of validation, mitigation, and oversight.
Its data sources, processing steps, and analytical decisions should be traceable and verifiable. Its performance should be assessed in the context where people will actually use it. Its lifecycle should include monitoring, issue management, and periodic re-evaluation.
What Went Wrong at Purolea
Purolea’s mistake was not that it used AI to help create documents. The FDA didn’t object to AI-assisted document creation by itself. It objected to using AI-generated documents without adequate qualified human review. The firm used AI agents to create specifications, procedures, and manufacturing records, then failed to ensure those documents were accurate and compliant with cGMP. When investigators identified missing process validation, the company’s response pointed back to the AI agent. The FDA didn’t accept that explanation.
That matters beyond drug manufacturing because the same pattern can appear in analytics, reporting, compliance, audit preparation, and operational decision support.
The Real Issue is Accountability
In regulated work, accountability does not move from the organization to the tool. AI can recommend. AI can draft. AI can summarize. But the organization still owns the decision, the review, the approval, and the consequences. That is especially important in quality systems, where a professional-looking document can still be incomplete, generic, or wrong.
What Analytics and Operations Teams Should Take from This
- Define the use case before trusting the output.
“Help draft an SOP” is different from “determine whether this manufacturing process is compliant.” - Match review depth to risk.
A low-risk internal summary does not need the same review as a quality record, regulatory submission, or patient-facing decision. - Require human review where judgment matters.
The reviewer needs enough subject matter expertise to challenge the AI, not just approve the document. - Document the chain of reasoning and approval.
Teams need to know what the AI produced, what the human changed, what sources supported the final decision, and who approved it. - Treat AI as part of a lifecycle.
Monitor performance, watch for drift, update procedures, and revisit assumptions as tools and regulations change.
What This Means in Practice
The practical lesson isn’t that regulated organizations should avoid AI. The lesson is that AI needs structure around it.
Good AI practice isn’t just about model performance. It’s about context, review, documentation, validation, monitoring, and accountability.
That accountability point matters. If an employee uses AI to create a report, draft a procedure, summarize a source, generate a citation, or support a decision, the employee still owns the work they submit. AI can produce the output, but it doesn’t take responsibility for whether the output is accurate, complete, compliant, or appropriate.
That’s the same lesson the FDA made clear in the Purolea warning letter. The company couldn’t point to the AI agent and say, in effect, “it never told us this was required.” The responsibility remained with the organization and its quality unit.
AI can help us work faster. It can help us see patterns, summarize information, and draft better first versions. But in regulated and high-consequence work, speed doesn’t replace judgment.
This isn’t a legal lesson so much as an operational one: AI can support judgment, but it can’t replace accountable review.
The tool can assist. The person using it is still responsible.
Sources
FDA Warning Letter: Purolea Cosmetics Lab
EMA and FDA Set Common Principles for AI in Medicine Development
When AI Isn’t Enough
FDA Issues First Warning Letter for AI Compliance Failures – What Life Sciences Companies Must Know