The gross-to-net reserve is one of the largest estimates on a drug manufacturer's books, and one of the most opaque. It is the gap between the list price a product is sold at and the cash the company actually keeps after rebates, chargebacks, discounts and returns are paid back out. Government programs, commercial payers and distributors all take their cut, often months after the sale, and the company has to estimate that deduction now — every period, on every product, before the money has moved.
Get the estimate wrong and the financials are wrong. An accrual that is too low inflates revenue; one that is too high understates it. Either way the number flows straight into reported results, which is why gross-to-net sits inside a company's financial controls under the Sarbanes-Oxley Act (SOX) — the US law that holds management personally accountable for the numbers it files. It is not a back-office calculation; it is a signed assertion to investors.
What the agent is genuinely good at
Building a gross-to-net accrual is, before the sign-off, an exercise in pulling and reconciling data from systems that do not naturally talk to each other. It is slow, repetitive, deadline-bound work — exactly where an AI agent earns its place.
An agent can pull gross sales by product and channel from the ERP (the enterprise resource planning system where the company's transactions live), fetch the contract terms that drive each deduction, apply the rebate percentages owed to commercial payers and government programs, and calculate the chargebacks distributors will claim back. It can reconcile the prior period's estimate against the rebates and chargebacks that were actually invoiced, flag the products where the accrual rate has drifted, draft the journal entries, and assemble the variance commentary a controller reads before judging whether the reserve looks right.
None of that is the sign-off. All of it is the preparation for the sign-off. The distinction is the whole point, and it is the line a control plane has to enforce in software rather than trust to a prompt.
The number that hits the financials is a human assertion
A controller does not approve a rebate accrual the way you approve a calendar invite. They are attesting that the estimate is reasonable, supportable, and free of material error — and under SOX, that attestation rolls up into a certification an officer signs personally. The accrual is a one-way door in the same sense a batch release is: once it posts and the books close, the period is reported, and unwinding it later is a restatement, not an edit.
That is why the same control that governs a GMP batch release governs a gross-to-net close. The actor who prepares the estimate must not be the actor who approves it. This is segregation of duties — the oldest control in both finance and pharma — and it predates agents by centuries. The preparer assembles the case; an independent reviewer signs the number that becomes the company's reported revenue.
When the preparer is a model, the rule does not relax. It gets sharper. A model has no personal exposure to the SOX certification and no instinct to hesitate over an accrual rate that looks too convenient. It will post a flawed estimate at full speed and write a tidy explanation for it.
Where most implementations get it wrong
The common failure is to put the boundary in the prompt. You are a gross-to-net assistant. Calculate the accrual and present it to the controller for review. Do not post the journal entry yourself. This reads like a control. It is an instruction — and instructions are negotiable.
A prompt has no record of who decided the agent could write to the general ledger, no version history when someone edits it, and no way to prove eighteen months later what the agent was permitted to do on the day a period closed. It offers no structural barrier to the one thing that matters most — an agent that, through a re-prompt or a quietly granted tool, ends up able to post the entry itself and close the loop with nobody in it.
The boundary has to live somewhere the agent cannot edit. That is the entire argument for a segregation-of-duties control that holds at runtime, not on paper.
What the boundary looks like in practice
In MakerChecker, the gross-to-net agent is a named principal — a distinct identity, not an anonymous process — that holds exactly one role. That role is granted precisely the doors it needs and nothing more: read gross sales from the ERP, read the contract and pricing tables, read the prior-period actuals, write a draft accrual and draft journal entries. Those grants are deny-by-default and versioned, so you can reconstruct what the agent could do on the date any period closed, and every change carries the name of whoever approved it.
Posting the entry is a separate, gated step. The run reaches the close gate and stops, because the agent does not hold the authority to proceed — structurally, the actor that built the accrual provably cannot be the one that approves it. A controller reviews the assembled case and applies a signature that carries the meaning a financial assertion has to carry.
| Step | Actor | Authority |
|---|---|---|
| Pull gross sales, contracts, prior actuals | Agent | Read-only grants |
| Calculate accrual, draft journal entries | Agent | Write draft only |
| Approve the reserve and post to the ledger | Controller | Gated human signature |
This is the same pattern an approval gate applies to any one-way door. The gate parks the run, demands a named signature, bars the preparer from signing their own work, and records the signer's reason verbatim — so "increased the Medicaid rebate accrual rate to reflect the new utilization trend in Q1" becomes a defensible decision instead of a green tick.
For a reserve this large, one signature may not be the bar. The gate supports n-of-m quorums: require the controller plus a second reviewer from financial reporting before the entry posts, with the requester excluded so a maker cannot pad the count.
The evidence an auditor can actually check
A gross-to-net estimate is only as good as your ability to defend it later. When the external auditors test the control, or when discovery arrives, "the agent calculated it and the controller approved it" is not an answer unless you can prove both halves and prove the record was untouched.
Every step in the run above lands in an append-only, hash-chained, cryptographically signed ledger — the gross sales the agent read, the contract terms it applied, the draft it produced, the reviewer who was excluded, the controller who signed, when, and why. Change one record and the chain visibly breaks. The export verifies offline, against a published spec, without access to your systems — what an auditor wants, and what a screenshot of a chat transcript can never provide.
The signature side of that record matters as much as the data side. Pharma companies already run their quality records under 21 CFR Part 11, and the same discipline applies cleanly here: a signature that manifests its meaning, bound to the record it approves, in a tamper-evident audit trail. We go deeper on that in Part 11 for AI agents.
What to take from this
Agentic AI was scoped out of the main US model-risk guidance in April 2026, and the EU AI Act's high-risk obligations were pushed to late 2027. Neither moved SOX, nor changed the fact that gross-to-net is a financial control with a named officer's certification at the end of it. The rule that the preparer cannot be the approver — and that a person signs the number that hits the financials — is date-proof, and the audit that tests it will not wait for new AI guidance.
The right deployment is not "an agent that posts the accrual." It is an agent that does the pulling, reconciling, and drafting at machine speed, handing a clean case to the controller who still — and only — signs at the one-way door. The close gets faster. Accountability stays exactly where SOX put it.
See how it works, or book a demo to watch an agent get blocked from approving its own work.