Moving AI beyond pilot: a compliance guide for food businesses

AI For Business


AI has often arrived before the strategy for using it. A planning platform gains an AI feature, a team begins experimenting with a workplace assistant, or a supplier introduces automated analysis into an established service. Businesses then face the challenge of turning readily available technology into a controlled and dependable part of their operation.

Paul Armstrong, Director in the Commercial team at Walker Morris, is seeing workplace assistants used to search for information and produce routine content, alongside more food-specific applications in demand forecasting, inventory management and camera-based shelf monitoring. Much of the technology is being layered onto systems that companies already use.

The potential gains are immediate and operational. Workplace assistants can reduce time spent locating information or drafting routine communications. AI-enabled forecasting and inventory systems can support ordering and stock visibility, while camera analytics can provide faster information about product movement. Within traceability and assurance, AI may help teams interrogate large volumes of records more quickly, provided the underlying information is complete and competent people remain responsible for the conclusions drawn.

Uptake is gathering pace. The latest ONS survey found that 29 percent of businesses within its coverage were using at least one type of AI in June 2026, rising to 49 percent among businesses with 250 or more employees. The voluntary survey excludes agriculture and is classed as official statistics in development, so its findings indicate wider business adoption rather than providing a food-sector benchmark.

Readiness has yet to advance at the same pace. UK Government research into AI adoption found that only 54 percent of existing adopters felt prepared to expand their use. The proportion fell to 38 percent in hotel and catering, while businesses grouped within agriculture, mining, manufacturing and energy were more likely than average to identify limited AI skills as a barrier.

If you’ve used an AI system to help meet your food safety, traceability, withdrawal or recall obligations and the system has fallen over or got it wrong, you as the food business can’t point to that system provider. You’re continuing to be liable as you would have been previously.”

Paul Armstrong, Director in the Commercial team at Walker Morris

Start with the problem, not the platform

In Armstrong’s experience, the organisations scaling most effectively begin with a defined operational problem. That might be excess short-dated stock, unreliable demand forecasts, time-consuming supplier-document checks, slow traceability investigations or repetitive assurance work.

“They’ve typically developed a really clear idea as to what they want to use the AI for before they’ve started,” Armstrong explains. “They’ve looked at their business and their processes and the potential bottlenecks and problems they have. And they’ve been really laser focused and said: ‘Based on what we know about AI and what it can do, we think this and this might be areas where AI could be deployed to improve the situation. And this is what improving it might look like.’”

A use-case-led approach gives the pilot something concrete to prove. A forecasting project might be measured against waste, availability and levels of manual intervention. A traceability tool could be assessed on the speed and accuracy with which it identifies affected batches. An inspection system needs testing against false negatives and unusual cases alongside its average accuracy.

Agreeing those measures before the pilot begins prevents an impressive technical demonstration being mistaken for operational success. The business needs evidence that the improvement justifies the system’s cost, complexity and risk.

With the purpose and success criteria defined, attention can move to the conditions the technology might encounter outside a controlled trial.

Build the pilot to survive production

Food operations expose technology to variations that a limited pilot can easily miss: different sites, products, seasons, suppliers, document formats and working conditions.

The FSA Science Council’s June 2026 report examined applications covering manufactured-food risk assessment, certification data packs, pathology detection in abattoirs and document checks at ports. It found that many available systems have been adapted from other domains and may lack development or validation for food-safety conditions. The report recommends testing with real operational data and understanding both the intended purpose and limitations of each tool. While this is advisory and non-binding, it offers the clearest current food-specific analysis of AI assurance.

Food-assurance data introduces further complications. Relevant evidence may sit across scanned reports, certificates, sensor outputs, specifications, supplier portals and handwritten logs. The Science Council identifies data quality, provenance, common terminology and alignment with food-sector record-keeping practices as foundations for reliable and auditable AI.

Armstrong also cautions against assuming that an AI feature will operate seamlessly because it sits within familiar software. Configuration, integration, testing and user preparation still require time.

Evidence from the UK Business Data Survey 2026 illustrates the implementation gap. Among businesses using AI, 21 percent said their tools were integrated into existing systems; only 5 percent had a formal written AI policy. These are economy-wide findings, yet they carry particular relevance for food manufacturers managing controlled processes, fragmented data, multiple supplier systems and multi-site operations.

A production-minded pilot must test the entire operating process: data quality, systems integration, security, human review, usage costs, supplier support and arrangements for downtime. A demand model, for example, should be challenged with seasonal peaks, promotions, disrupted supply and incomplete data rather than assessed only during ordinary trading.

The pilot should conclude with a genuine go/no-go decision based on evidence that the system delivers a meaningful benefit, operates within agreed tolerances and remains safe and supportable under real conditions.

Even a technically successful system will struggle to scale when the people expected to use and challenge it have been treated as an afterthought.

The human factor is a control

Technology can only scale when the people expected to use, supervise and challenge it understand the role they are being asked to play. Armstrong advocates bringing those employees into the implementation process early:

“What about the people who are going to be using this thing day-to-day?” he asks. “Have they been brought along on that journey? Are they comfortable with using it? Do they understand its strengths and limitations? I think investing in that training and hearts and minds piece is really important.”

Armstrong links the human factor to adoption as well as safety. Employees cannot monitor a system effectively unless they understand its purpose, limitations and the circumstances requiring intervention. Involving operational users early can also address concerns about changing roles and build the confidence needed for wider adoption.

Meaningful oversight requires a defined procedure, suitable expertise, enough information to challenge the output and the authority to override or suspend the system. The FSA Science Council says safety-assurance process owners should remain explicitly identified and competent. AI can support analysis, pattern recognition and anomaly detection, while human judgement should remain central at safety-critical points such as HACCP decisions and regulatory inspections.

Where personal data or automated decisions are involved, the ICO’s AI audit framework recommends standardised review procedures, agreed tolerances, records of human challenges and overrides, and a manual or hybrid fallback when performance drops below an acceptable level.

The degree of scrutiny should reflect the consequences of an error. Sampling or exception-based checks may suit lower-risk applications. Outputs affecting allergens, product release, authenticity, withdrawals or recalls warrant much closer review and, depending on the system, may require a competent person to examine every case.

Such oversight can operate effectively only when the organisation knows where AI is being used, who owns each application and which controls apply.

Show that the business remains in control

AI use can spread much faster than the policies and assurance processes intended to govern it.

“Once people start to use and deploy AI in their business, because it’s so powerful and potentially so helpful, adoption can often go through the roof really quickly,” Armstrong explains. “And that is a good thing. But there’s often a disconnect around the governance work that you need to do internally to make sure that adoption isn’t uncontrolled and going to create problems.”

In practice, Armstrong says this involves an AI-use policy, an assurance log, guardrails covering which systems people may use and for what purposes, and an internal sign-off route for new applications.

A central register should cover dedicated AI products and functionality embedded within ERP, CRM, forecasting and other established platforms. It should record each system’s purpose, owner, users, data, risk level, approved controls and deployment status.

For higher-risk food applications, the evidence should connect the complete decision chain: risk assessment, validation results, accepted performance thresholds, human-review and escalation procedures, training, supplier due diligence, system changes and ongoing monitoring.

Logs should distinguish AI-generated outputs from final human decisions and record challenges or overrides. The Science Council identifies false-positive and false-negative rates, human override frequency, challenges and drift alerts as relevant indicators. It also concludes that one-off validation is insufficient because data, models and operating conditions change over time.

Internal policy must also address shadow AI. Armstrong identifies it as “a really big risk area”: employees may use ChatGPT or similar tools on personal devices, leaving the organisation with no visibility of the information being submitted or purpose of the activity.

An approved-tool list, restrictions on sensitive data and a route for proposing new uses can give employees a controlled channel for experimentation while preserving organisational oversight.

Once people start to use and deploy AI in their business, adoption can often go through the roof really quickly. But there’s often a disconnect around the governance work that you need to do internally to make sure that adoption isn’t uncontrolled.”

Paul Armstrong, Director in the Commercial team at Walker Morris

Accountability and contracts stay with the food business

Existing responsibilities for food safety, traceability, labelling, authenticity, withdrawal and recall continue to apply when AI is introduced.

“You’ve got general food law: you’ve got to be producing safe products, you’ve got your traceability obligations, and you’ve got your withdrawal and recall obligations,” Armstrong says. “Ultimately, you as the food business remain responsible for getting all of that right. If you’ve used an AI system to help you do that and the system has fallen over or got it wrong, you as the food business can’t point to that system provider. You’re continuing to be liable as you would have been previously.”

Though a contract may provide remedies against a technology supplier, it does not automatically transfer the food business operator’s regulatory responsibility. The Science Council reaches the same conclusion: ultimate accountability cannot shift to a supplier or algorithm.

Consumer-facing systems create a parallel responsibility. CMA guidance on using AI agents says businesses remain responsible when an AI agent acts illegally, including where a third party supplied the system. It calls for testing before deployment, active monitoring and meaningful human oversight.

That advice has direct implications for food-product information. Prices and promotional offers must remain accurate, while AI-generated content concerning ingredients, allergens, nutrition, provenance, health benefits or sustainability requires appropriate expert review before publication.

Contracts should give the business the information and support required to operate the system safely. For bespoke or highly configured tools, Armstrong highlights the importance of explainability, access to operational records and contractual support for governance and monitoring after go-live. Depending on the use case, the agreement may also need to address validated uses, performance criteria, model changes, revalidation, incident cooperation and continuity arrangements.

Customers generally have little leverage to negotiate the standard terms offered with mass-market workplace assistants. Businesses should therefore review those terms carefully, configure privacy and data settings, and restrict higher risk uses internally. Armstrong also advises choosing a vendor that can scale with the project and remain sufficiently engaged, noting that a smaller provider may sometimes offer more support than a major supplier.

Although the food business retains responsibility, the route to demonstrating compliance differs between the UK and EU.

Understand the UK–EU divide

As the House of Commons Library’s current briefing explains, the UK regulates AI through existing legal frameworks and currently has no single law covering AI as a technology. Food law, data protection, consumer protection, product liability and employment law apply according to the use case, requiring businesses to navigate several overlapping regimes.

Each application therefore needs to be mapped against the obligations and regulators relevant to it. A forecasting tool, consumer chatbot, employee-monitoring system and machine-safety component can each create a different compliance profile.

The EU AI Act uses a more prescriptive, risk-based approach and allocates duties according to whether an organisation is acting as a provider, deployer, importer or distributor. Its AI-literacy obligation has applied since February 2025, requiring providers and deployers to take measures appropriate to the people using their systems and the context of use.

Office assistance and inventory forecasting generally fall outside the Act’s high-risk categories unless their intended purpose brings them within a listed context. Food businesses should examine AI used in employment, biometrics or as a safety component of regulated machinery particularly carefully, while establishing their own role under the Act instead of assuming every obligation rests with the vendor. The Commission’s draft high-risk classification guidelines remain under consultation until 23 July 2026.

Following the May 2026 political agreement on the AI Omnibus, Commission materials set application dates of December 2027 for certain stand-alone high-risk systems and August 2028 for AI embedded in regulated products. Businesses should continue monitoring the final legislative text and supporting guidance.

Alongside the AI-specific regime, liability law is adapting to digital products and emerging technologies. The UK Law Commission plans to consult on possible product-liability reform during the second half of 2026. The EU’s revised Product Liability Directive applies to products placed on the market or put into service from 9 December 2026 and expressly encompasses software and AI systems.

The readiness test

Before taking an AI system beyond pilot, a food business should be able to answer:

  • What defined operational or compliance problem is it solving?
  • Has it been tested using our products, processes and real operating data?
  • What could happen if its output is wrong or the system is unavailable?
  • Which decisions must remain with a competent person?
  • Can we reproduce and explain what the system and human reviewer did?
  • Do our governance and contracts allow us to detect, investigate and correct failure?

AI can make food operations more predictive, efficient and responsive. Food businesses are more likely to realise that value when a defined use case is supported by reliable data, competent people, effective supplier relationships and evidence that accountability has remained with the business throughout.



Source link