
Key takeaways:
- A Gartner survey found 57% of employees use personal AI accounts for work and 33% have fed sensitive company information into public tools. In a plant that means supplier specs, formulations, and CAPA records can leave your control without anyone signing off.
- FSMA 204 requires covered foods to be traceable with records produced to the FDA within 24 hours of a request. Data scattered across personal AI chats is data you can’t produce on that clock.
- The fix isn’t banning AI. It’s naming the tools people can use, defining what never goes into them, and giving the floor a sanctioned option before the unsanctioned one fills the gap.
New research from TraceGains puts a number on how carefully the industry is approaching AI: only 41% of food and beverage companies have formal, enterprise-level AI in place. The research found most of the industry deliberately cautious about deploying AI in a regulated environment.Â
However, if the enterprise isn’t providing sanctioned AI, something less visible may be filling the space.
The exposure is already live, whether or not you’ve approved a tool
Gartner found that more than 57% of employees use personal generative AI accounts for business purposes, with 33% acknowledging they have plugged confidential workplace information into unapproved or public tools. And a TELUS survey of enterprise employees found 68% reach AI tools through personal accounts rather than company-approved ones, and 22% do so even when a sanctioned option exists. More than half (57%) have entered confidential information into public AI platforms like Gemini or ChatGPT.Â
Security teams call this shadow AI. It’s the tool nobody vetted, running on an account IT can’t see, logging whatever gets typed into it.
Picture what that looks like on a food manufacturing floor. A quality tech pastes a supplier’s certificate of analysis into a free chatbot to reformat it. A line supervisor drops the text of a deviation into ChatGPT to draft a corrective action faster. An R&D associate asks a public model to troubleshoot a formulation, ingredient ratios and all. None of it is malicious, but all of it moves proprietary and regulated information onto servers you don’t control, into an account that keeps no record you can retrieve.
How shadow AI collides with food safety
Most coverage files shadow AI under cybersecurity. In a regulated food business, it’s a food safety and recordkeeping problem too.
Start with the rule the industry is now working toward. The FDA’s Food Traceability Rule, Section 204 of FSMA, requires anyone who manufactures, processes, packs, or holds foods on the Food Traceability List to keep specific records and hand them to the FDA in a sortable electronic format within 24 hours of a request. The compliance date moved from January 2026 to July 20, 2028 after Congress directed the agency not to enforce it before then. But the rule itself didn’t change.Â
Shadow AI impacts that 24-hour time limit. The requirement assumes your traceability data lives somewhere you can query it under pressure, during an outbreak or a recall. Every time a record, a lot detail, or a supplier document passes through an ungoverned AI chat, a piece of that trail ends up somewhere you can’t pull it from. The rule technically allows paper, but the 24-hour, multi-party reality makes disconnected records impractical for most covered operations. Shadow AI is disconnection by a thousand small, well-intentioned shortcuts.
Then there’s data integrity. Public models can be wrong, and confidently so. A reformatted CoA or an AI-drafted CAPA that introduces a subtle error becomes a compliance document with a defect baked in, and no one flagged the source. In an audit, “the AI wrote it” is not a defense anyone wants to test.
For global operators, a second regulatory clock is already running
If your operations reach the EU, you should be aware of the EU AI Act, which took effect August 2, 2025 and includes obligations for general purpose AI models. The Commission’s enforcement powers, including fines, apply from August 2, 2026. Transparency duties around AI-generated content also arrive in August 2026.
For a multinational company, how AI touches your regulated processes is becoming a documented, enforceable question. Ungoverned use is a harder position to defend when regulators ask how you manage it.
How to control AI use on the floor
The instinct to ban AI outright backfires. Prohibition doesn’t end the behavior; it pushes it onto personal phones where you have even less visibility. Gartner’s own recommendation is to shift from telling people the rules to shaping the decisions they make in the moment.
A workable approach has four moving parts:
- Name the sanctioned tools. Give people an enterprise option with data controls, so the fast path and the safe path are the same path. When a company-provided tool exists, usage of personal accounts drops, though it doesn’t vanish on its own.
- Define what never goes in. Spell it out clearly: supplier records, formulations, customer data, financials, and anything tied to a traceability record. Vague guidance like “don’t share sensitive data” won’t survive a busy shift.
- Reach the floor, not just the managers. Training shouldn’t stop at the front office. The people handling CoAs, deviations, and lot records need to know the line, in their workflow.
- Make governance a shared owner. Shadow AI touches quality, food safety, IT, legal, and operations. Left to IT alone, the effort stays fragmented.
The tools your people already use should be a governance question you own, not a surprise you discover during an audit.
The research shows the industry is being careful about the AI it formally deploys. But what’s already running in your plant that no one approved, and where is that data going?Â
The compliance deadlines are set, the workforce behavior is measured, and the exposure doesn’t wait for a formal rollout. The time is now to manage the tools people already reach for.




![[Webinar] How Leading Consumer Products and Food & Beverage Manufacturers Turn Regulatory, Supply, and Workforce Pressure into Advantage with AI](https://foodindustryexecutive.com/wp-content/uploads/2026/07/QAD-From-System-of-Record-to-System-of-Action-Rethinking-ERP-and-AI-in-Food-Beverage-and-Consumer-Products-Manufacturing-4-324x160.png)