Most technology decisions in clinical AI projects are framed as engineering choices — speed, cost, developer familiarity. In regulated environments, stack selection is a compliance decision first. The tools you choose determine what you can audit, what you can validate, what you can reconstruct for an inspector, and how quickly you can respond to a change control event.
This guide maps the specific technology components required across the AI agent lifecycle to the corresponding Part 11 obligations they satisfy. It is opinionated and specific by design — the goal is to give validation leads and clinical technology architects a concrete starting point, not a taxonomy of options.
A Part 11 compliant AI agent stack for clinical operations can be divided into seven functional layers, each with distinct compliance obligations:
Each layer is addressed in detail below with specific tool recommendations, configuration guidance, and validation considerations.
The orchestration layer is the "brain" of your AI agent — it coordinates tool calls, manages state, sequences multi-step workflows, and routes outputs to the right downstream systems. For regulated contexts, the orchestration framework must support deterministic routing logic, structured input/output schemas, and granular step-level logging.
Why LangGraph over vanilla LangChain or AutoGen: LangGraph models agent workflows as directed graphs with explicit nodes and edges, which maps cleanly to validated workflow design. Each node is a discrete, testable function. Edges can be deterministic (always route to node B after node A) or conditional (route based on output content). This structure makes it possible to define and validate the agent's operational envelope as a graph specification — a major advantage for IQ/OQ documentation.
Compliance-relevant capabilities:
interrupt_before and interrupt_after node modifiers that pause execution and hand off to a human reviewer. These interrupts are not hacks — they are first-class primitives in the graph model, making it straightforward to implement and validate mandatory human checkpoints.Validation approach: Document the LangGraph graph definition (nodes, edges, conditional logic) as a Functional Specification artifact. OQ test cases should cover every branch of every conditional edge. Freeze the graph version in source control and tie it to the validation package version number.
For workflows that span hours or days — such as a multi-step protocol deviation review that awaits human input across a business cycle — LangGraph alone may not be sufficient. Prefect (preferred for its Python-native design and cleaner audit logging) or Airflow can serve as the outer orchestration layer, with LangGraph handling the AI reasoning sub-tasks within each Prefect task. Prefect's run history, retry logic, and notification system add operational reliability that matters in production clinical environments.
For clinical operations, the primary criterion for LLM selection is data residency and access control, not benchmark performance. Patient data, unpublished safety data, and trial-specific information must not leave controlled infrastructure.
Recommended options (in order of compliance maturity):
Azure OpenAI Service (GPT-4o, GPT-4 Turbo) Azure OpenAI operates under Microsoft's enterprise data protection commitments: customer data is not used to train shared models, data is processed within the customer's selected Azure region, and the service is covered under Microsoft's HIPAA Business Associate Agreement. For organizations already operating within an Azure-based GxP environment (common in pharma due to Azure's extensive compliance certifications including ISO 27001, SOC 2 Type II, and FedRAMP), Azure OpenAI is the lowest-friction choice. Azure Private Endpoints allow traffic to remain entirely within your virtual network, satisfying closed-system requirements under Part 11.
AWS Bedrock (Claude 3.x via Anthropic, Llama 3 via Meta) AWS Bedrock provides similar data isolation guarantees: no model training on customer data, VPC-native access via AWS PrivateLink, and coverage under AWS's BAA. For organizations in the AWS ecosystem, Bedrock is the equivalent choice. Claude models (Anthropic) on Bedrock are particularly strong for long-context document processing — relevant for clinical narratives and protocol analysis tasks.
Self-hosted models (Llama 3, Mistral) on private GPU infrastructure For organizations with the highest sensitivity requirements — Phase I oncology data, rare disease programs where small patient populations increase re-identification risk — self-hosted open-source models on private GPU infrastructure (AWS EC2 P4/P5, Azure NC-series, or on-premises NVIDIA DGX) eliminate third-party data processing entirely. The tradeoff is significant operational overhead for model serving, scaling, and maintenance. Use NVIDIA Triton Inference Server or vLLM for production model serving; both support horizontal scaling and model versioning.
RAG is the standard architecture for giving AI agents access to trial-specific knowledge (protocols, amendments, IB, SOPs) without fine-tuning. The vector database is the retrieval backbone and must be treated as a regulated data store.
Primary Recommendation: Weaviate (self-hosted or Weaviate Cloud with private deployment)
Weaviate supports hybrid search (vector + keyword BM25), which outperforms pure vector search for structured clinical terminology. Its schema-based data model enforces data typing, which supports validation. Critically, Weaviate's audit logging can be configured to record every query — who (or which agent) queried, what was retrieved, and when. This query log becomes part of your reasoning-level audit trail: when reconstructing why an agent produced a particular output, you need to know exactly what context it retrieved.
Alternative: pgvector on PostgreSQL
For organizations that want to minimize infrastructure surface area, pgvector (the vector extension for PostgreSQL) stores embeddings alongside structured data in a single relational database. This simplifies backup, access control, and audit logging by reusing existing PostgreSQL infrastructure that may already be in your validated environment. Performance at scale is lower than purpose-built vector databases, but for most clinical operations use cases (tens of thousands of document chunks, not billions), it is entirely sufficient.
Document versioning in the retrieval corpus: Every document ingested into the RAG corpus must be versioned and its ingestion logged. An agent that answers a protocol question on Day 1 using Amendment 3 and on Day 90 using Amendment 5 must have that difference captured in its audit trail. Build a document registry (a simple relational table) that records document ID, version, ingestion timestamp, and the agent(s) authorized to retrieve it. Changes to the corpus trigger a change control assessment.
This layer sits between the LLM output and the downstream regulated system. It is the most underinvested layer in most AI deployments and the most critical for Part 11 compliance. Every rule in this layer is deterministic and fully validatable.
Guardrails AI provides a framework for defining structured validators that run against LLM outputs before they are acted upon. Validators can check for:
Each validator is a Python function that returns a pass/fail result and a remediation action (fix the output, re-prompt the model, or route for human review). This deterministic behavior is fully testable and documentable in an OQ.
Pydantic provides the data modeling layer. Define a Pydantic model for every output schema the agent produces — adverse event case summaries, data query responses, monitoring visit reports. LLMs can be instructed (via structured output mode in OpenAI/Azure OpenAI or Anthropic's tool use API) to return outputs that conform to a specified JSON schema, and Pydantic validates that schema at runtime. Failed validation is logged and escalates to human review.
Custom rule engines for clinical-specific logic: Guardrails AI handles generic validation. Clinical-specific rules — such as "a fatal SAE narrative must include a description of the causal relationship assessment" or "a protocol deviation record must reference the specific protocol section violated" — should be implemented as a separate, validated rule engine. These rules are business logic, not AI logic, and should be owned and maintained by the clinical operations and quality teams, not the AI development team.
This is where LangSmith earns its place in the stack — and where its limitations in a regulated context also become apparent.
LangSmith is LangChain's native observability platform. It provides:
Critical compliance caveat: LangSmith is a SaaS platform. By default, traces — including the full input context and output text — are sent to LangChain's servers. For clinical data, this is not acceptable without a Data Processing Agreement and careful scoping of what data reaches LangSmith. In production regulated environments, use LangSmith Self-Hosted (available on enterprise plans), deployed within your own VPC. Alternatively, configure LangSmith to receive only metadata (run IDs, latency, token counts, error flags) while full trace content is logged locally to your immutable audit backend.
For organizations that need maximum control over trace data, OpenTelemetry (OTel) provides a vendor-neutral instrumentation standard. LangChain, LangGraph, and most modern Python frameworks support OTel exporters. Configure your OTel collector to export traces to your chosen immutable backend (see Layer 6) rather than to a third-party platform. This approach gives you LangSmith-like trace granularity with complete data sovereignty.
Regardless of the tooling used to capture traces, the reasoning audit log for each agent action should conform to a defined schema. A recommended minimum schema:
{ "run_id": "uuid", "agent_id": "string", "agent_version": "string", "timestamp_utc": "ISO8601", "workflow_step": "string", "input_context": { "user_prompt": "string", "retrieved_documents": [ {"doc_id": "string", "version": "string", "chunk_ids": ["string"]} ], "tool_inputs": {} }, "llm_call": { "model": "string", "model_version": "string", "prompt_version": "string", "temperature": "float", "raw_output": "string" }, "output_validation": { "validators_run": ["string"], "passed": "boolean", "failures": [{"validator": "string", "reason": "string"}] }, "action_taken": { "type": "string", "target_system": "string", "target_record_id": "string", "field_before": {}, "field_after": {} }, "human_review": { "required": "boolean", "reason": "string", "reviewer_id": "string", "review_timestamp_utc": "ISO8601", "decision": "string" }, "confidence_signals": { "output_confidence_score": "float", "routed_for_human_review": "boolean" } } This schema is the foundation of your Part 11 audit trail. Every field should be populated at runtime; null values for required fields trigger an alert.
Every AI agent should be represented as a managed identity (Azure) or IAM role (AWS) — not a static service account with a username and password. Managed identities use short-lived, automatically rotated credentials issued by the cloud platform's identity service. There are no secrets to rotate manually, no credentials to leak, and no shared passwords between agents and humans.
In Azure: create a User-Assigned Managed Identity for each agent. Assign it Role-Based Access Control (RBAC) permissions scoped to exactly the resources it needs. In AWS: create an IAM role with a fine-grained permission policy; agent workloads (running in ECS, Lambda, or EKS) assume this role at runtime.
For access to clinical systems that are not cloud-native (on-premises EDC, legacy CTMS), use service accounts with credentials managed in a secrets vault (see below) and log every authentication event to your SIEM.
API keys for LLMs, credentials for clinical system integrations, and database passwords must never be hardcoded in agent code or stored in environment variables in cleartext. Use a secrets manager:
HashiCorp Vault is preferred for multi-cloud or on-premises deployments. It provides dynamic secrets (short-lived credentials generated on demand and automatically revoked), secret leasing and renewal, and a detailed audit log of every secret access event. The audit log from Vault feeds into your access control audit trail under Part 11.
AWS Secrets Manager is the simpler choice for AWS-native deployments. It handles automatic rotation for supported services (RDS, Redshift) and integrates natively with IAM for access control.
This is the layer most organizations underspecify and the one FDA inspectors will scrutinize most carefully. Part 11 requires that audit trail records be computer-generated, protected from modification, and retained for the duration required by the applicable predicate rule. Standard relational databases with update and delete permissions do not satisfy this requirement without additional controls.
Amazon QLDB is purpose-built for immutable audit logging. Its core properties make it an excellent Part 11 audit backend:
Implementation pattern: Write your full reasoning audit log schema (defined above) as QLDB documents. Use a QLDB stream to replicate records to S3 in Parquet format for long-term retention and cost-effective archival. Configure S3 Object Lock (WORM mode) on the archival bucket for an additional layer of tamper protection.
For Azure-native deployments, Azure Blob Storage with Immutability Policies (time-based retention + legal hold) provides WORM storage for audit log archives. For the active audit database, Azure Cosmos DB in append-only mode (no delete or replace operations permitted via RBAC) is a workable alternative to QLDB, though it lacks QLDB's native cryptographic verification.
Audit trail data is regulated data. Your backup and DR strategy must satisfy the retention requirements of your applicable predicate rules (typically 2 years post-study completion for clinical trial records under 21 CFR Part 312, though specific requirements vary). Document RPO and RTO requirements in your system's validation documentation and test against them during qualification.
AWS, Azure, and Google Cloud have all published GxP-applicable infrastructure qualification documentation (IQ evidence packages) that cover their shared infrastructure. These packages — available under NDA from each provider — document the physical, logical, and operational controls that satisfy the infrastructure portion of your computer system validation. Leverage these packages to avoid re-qualifying foundational cloud infrastructure from scratch.
AWS GxP: AWS publishes a GxP Systems on AWS whitepaper and provides access to their Compliance Program documentation. AWS GovCloud regions are appropriate for the most sensitive data requirements.
Azure: Microsoft publishes a GxP Guidelines for Microsoft Azure document and Azure's compliance certifications (ISO 27001, SOC 2, FedRAMP High, HIPAA) are among the most extensive in the industry.
Agent workloads should run in containers managed by Kubernetes (EKS on AWS, AKS on Azure). Containerization provides:
Use OPA Gatekeeper (Open Policy Agent) as a Kubernetes admission controller to enforce deployment policies: only images from approved registries, only images signed with your organization's code signing key, only deployments with required metadata labels (agent ID, version, validation status). These policies are the technical enforcement of your change control process.
Production AI agents require operational monitoring beyond what LangSmith provides. Use Datadog (preferred for its out-of-the-box integrations and compliance-relevant audit logging of its own access) or the open-source Grafana + Prometheus stack for:
To make the above concrete, here is how the full stack assembles for a specific use case: an AI agent that processes incoming adverse event reports, drafts case narratives, and routes for medical review.
The following table maps each technology component to its corresponding validation artifact:
| Component | Validation Artifact | Owner |
|---|---|---|
| LangGraph graph definition | Functional Specification + OQ test suite | Clinical Tech / Validation |
| Azure OpenAI endpoint config | Configuration Specification + IQ evidence | IT / Validation |
| Weaviate schema + document registry | Data Management Plan + IQ/OQ | Clinical Data Management |
| Guardrails AI validators | Functional Spec + OQ (every validator rule) | Clinical Ops / Validation |
| Pydantic output schemas | Functional Spec (schema as spec) | Clinical Tech |
| LangSmith Self-Hosted | Vendor qualification package + IQ/OQ | IT / Validation |
| Amazon QLDB | IQ (AWS GxP package) + configuration IQ | IT |
| Managed Identity / IAM roles | Access Control Specification | IT Security |
| HashiCorp Vault | IQ/OQ | IT |
| Container images (EKS) | Build Specification + deployment IQ | IT / Validation |
| OPA Gatekeeper policies | Configuration Specification | IT |
| Prompt versions (LangSmith Hub) | Change Control record per version | Clinical Tech |
In traditional clinical systems validation, the technology stack is largely invisible in the compliance narrative — what matters is that the validated system behaves as specified. In AI agent deployments, the stack is inseparable from the compliance strategy. The choice to use LangGraph over a less-structured orchestration framework is a choice to have a validatable operational envelope. The choice to deploy LangSmith self-hosted is a choice to keep reasoning traces within controlled infrastructure. The choice to write audit logs to QLDB rather than a standard database is a choice to provide cryptographically verifiable tamper evidence.
These are not overengineered solutions. They are the minimum infrastructure required to deploy AI agents in clinical operations with confidence — confidence that your audit trail will hold up in an inspection, that your change control process will catch model drift before it becomes a data integrity issue, and that the patients whose data these agents process are protected by the same rigor that has always defined GxP compliance.
Technology versions and product features referenced in this article reflect the state of the market as of early 2026. Organizations should evaluate current vendor documentation and engage qualified system integrators and regulatory consultants when designing and validating AI agent infrastructure for regulated clinical use.