On April 2, 2026, FDA issued a Warning Letter to Purolea Cosmetics Lab in Livonia, Michigan. The letter cited the usual things you’d expect: insanitary conditions, failed batch testing, inadequate quality unit oversight. The kind of cGMP failures that have been showing up in Warning Letters for decades.
But this had something different. In the middle of the findings was a dedicated section titled “Inappropriate Use of Artificial Intelligence in Pharmaceutical Manufacturing.” This is the first time FDA has cited overreliance on AI as a standalone deficiency.
The facts read like a case study someone invented to make the point. Purolea used AI agents to generate drug specifications, procedures, and master production records. When FDA inspectors found the company had skipped required process validation before distributing product, the company told them they didn’t know the requirement existed because the AI never told them.
That is the moment it all fell apart. They actually said that they didn’t know the legal requirement existed because the AI didn’t surface it. Incredible.
If you want to understand why this letter matters, you don’t need to understand AI. You need to understand accountability.
This Isn’t an AI Problem
The legal profession has spent months hand-wringing about AI hallucinations and AI risks after lawyers continue to get caught filing briefs with case citations that AI made up. The courts called them out, for good reason. But those cases weren’t a technology failure. They were judgment failures. Lawyers who didn’t verify their work. That’s all.
Saying “the AI made me do it” feels like something a child says when they get caught doing something careless.
Purolea is the same story in a different domain. A company that didn’t know the regulations and apparently didn’t have anyone the team who did. They used a tool to fill that gap instead of hiring expertise or building it. When the tool failed silently, the consequences landed on the company.
FDA’s message is clear: accountability stays with the human. Always.
The tool doesn’t get cited or fine. The tool doesn’t get a Warning Letter. The company does.
Here, the stakes are arguably worse than fabricated citations in a brief. Purolea was making products that pose a safety risk to the public. The same accountability principle, but the failure surface is human health.
What FDA Actually Said
It’s worth a careful read of the language. FDA didn’t say don’t use AI. In fact, they didn’t even criticize the use of it. They didn’t suggest AI is a bad thing in regulated environments.
What they said was this: if you use AI as an aid in document creation, you must review the AI-generated outputs to ensure they were accurate and actually compliant with cGMP. They went further on what compliant AI use looks like going forward: “any output or recommendations from an AI agent must be reviewed and cleared by an authorized human representative of your firm’s [quality unit].”
That’s it. The standard hasn’t changed. 21 CFR 211.22(c) still puts the obligation on the quality control unit. The fact that an algorithm generated the document doesn’t shift that obligation. It just means the human review has to actually happen by people who know the regulations well enough to catch what AI gets wrong.
The failure at Purolea wasn’t that the company used AI. It was that it let AI substitute for the expertise that should have been there in the first place.
Why This Matters Beyond Manufacturing
There’s actually a lot to unpack here.
The accountability principle in this letter applies to every place AI is touching regulated work. Marketing and advertising. Deal analysis. Promotional review. Contract drafting. Regulatory submissions. Internal investigations. AKS analyses. HR. Anywhere a company is using AI to assist with work that has legal or regulatory consequences, the same questions apply.
First, does your team know they have an obligation to review and verify AI outputs?
Second, does the person reviewing AI outputs understand the underlying requirements well enough to catch if AI gets something wrong?
Third, are you sure the answers to both of these questions are yes?
If the answer to any one of those questions is no, you have a Purolea problem and it just hasn’t been caught yet.
This is the first FDA enforcement action of its kind, but won’t be the last. The citation language is now on the record, inspectors will use it, and the agencies that haven’t acted yet are watching.
Expect the same rationale to surface in other regulatory contexts. The SEC will look at AI in financial reporting and disclosure controls. The FTC will look at AI in marketing claims and consumer protection. OCR will look at AI handling PHI in ways the workforce doesn’t fully understand. State AGs will look at AI in consumer-facing health products. Human accountability does not transfer to the tool.
The accountability question is not unique to FDA. It is the question every regulator is moving toward. Purolea is just the first to put it in writing.
The Shadow AI Problem
Here’s the part that gets uncomfortable. Your team is already using AI, whether you’ve sanctioned it or not.
If you haven’t given them an enterprise tool, they’re probably using a free one or a $20/month personal account. Both run on consumer terms of service. That is not a good thing. They’re analyzing deal terms, drafting promotional copy, summarizing FDA guidance, working through strategy, thinking through tactics with AKS implications, building first drafts of slides and policies. All of this means your company’s confidential information is flowing into models that may retain and learn from those inputs. That should feel concerning.
Consumer terms and enterprise or business terms are not the same thing. Business and enterprise contracts include data handling provisions, training carve-outs, audit rights, and protections you cannot get from a free product or a personal consumer account, even if paid. This is widely misunderstood, even among lawyers as I have learned in talking with people about this the last several weeks.
If your company hasn’t made a decision about which AI tools your team uses, your team has made the decision for you. Bigger companies often have the people, the budgets, and the in-house infrastructure to write the policies and stand up the governance. But much of the rest of the industry does not.
If you are running legal or compliance at a small or mid-sized life sciences company, the bandwidth to think through governance frameworks for a tool that didn’t exist three years ago is tight. I understand that, because I work with companies in exactly that position. Important to understand, however, is that the regulatory stakes are not smaller because the company is. FDA does not grade on a curve for size. Plaintiffs’ lawyers do not either. The accountability principle is the same whether you have a hundred-person legal department or a department of one or none. This is a problem that lands with equal weight across the entire industry.
That’s the shadow AI problem. And it compounds the Purolea problem. You can’t oversee what you don’t know is happening. You can’t review output you don’t know exists. You can’t train people on the limitations of a tool you didn’t approve them to use in the first place.
What About Your Vendors?
Here is something the Purolea letter says that many readers might skip past: FDA regards contractors as extensions of the manufacturer. We know this, of course. But the liability here may not be immediately obvious since the technology is so new. But the bottom line is that a company is responsible for its vendor’s actions as they relate to the company’s products, including AI.
Translate that into the AI context. Your CDMO is using AI. Your CRO is using AI. Your med comms agency is using AI. Your regulatory consultant is using AI. Your packaging partner is using AI. Your medical writing vendor is using AI. Some of them have governance frameworks in place, but many (maybe even most) do not.
The accountability principle does not stop at your own four walls. This belongs in your contracts now, not at the next renewal cycle. Quality agreements need AI disclosure provisions. MSAs need representations about AI use, human review, and data handling. Statements of work need clarity on what tools are permitted for the engagement. Audit rights need to extend to AI governance, not just to the underlying work product.
Most vendors are not thinking about this, which is precisely why their clients need to.
What Boards and Leadership Need to Be Asking
Silence on AI inside companies is dangerous, because the absence of policy doesn’t mean the absence of use. It just means the use is invisible.
The questions leadership should be asking now, not at the next quarterly meeting:
What AI tools are sanctioned for company use, and on what terms? If there is no answer, employees are choosing for the company by default.
Where in our workflows is AI output being treated as if it has been verified? The risk lives in the seams between drafting and approval, where competent-looking output can quietly skip the review step.
Do the people reviewing AI-assisted work understand the underlying regulations well enough to catch errors? AI literacy without regulatory literacy is the Purolea pattern.
How do we document that human review actually occurred? “We reviewed it” is not an audit trail. Inspectors are going to ask.
What is our board’s visibility into AI use across the organization? If the answer is “we trust the team to use it responsibly,” that’s not governance. That’s hope, which is not a reliable strategy here.
The Path Forward
This isn’t a case for locking AI down. It’s a warning shot. Sit up straight. Pay attention. Fix this. Do better, industry. Most of the policies I see written in reaction to enforcement actions are designed to restrict use rather than to govern it well. The result is predictable: employees keep using AI anyway, just less visibly.
The better answer is governance that lets your team move fast and stay safe. Frameworks that give people freedom to operate within clear guardrails, not policies that send shadow AI further underground.
That means sanctioning the tools you want used, on enterprise terms. Investing in the regulatory and substantive literacy of the people doing the reviewing. Building review checkpoints into the workflows where AI output is most likely to skip them. Training your team on what AI gets wrong and why. And giving your board the visibility they need to ask the right questions.
The companies that get this right will pull ahead. The ones that don’t will end up with their own version of the Purolea letter on their desk one morning, wondering how they got there.
The allure of AI is real. It is intoxicating when teams are stretched and time is short. It spits out an answer that makes perfect sense, looks polished, and saves hours. That’s the gift, but it’s also the trap.
AI is a tool. It is powerful, it is helpful, and it is also frequently wrong in ways that aren’t obvious. None of that changes who is accountable for the work.
There’s an echo chamber right now of voices worried about AI stealing jobs. And while some of that may be true, what AI cannot steal is human judgment. And clearly, as Purolea has shown us, it’s still needed.
That part stays exactly where it has always been.
With us. Let’s use it.
Notice: This content is for informational purposes only and isn’t legal advice. We hope it’s useful, but it may not apply to your specific situation. Reading it doesn’t create an attorney-client relationship with Lapis Legal. If you have legal questions, please reach out to a qualified attorney. This email may be considered attorney advertising in some states, including New Jersey. No part of it has been reviewed or approved by the Supreme Court of New Jersey.
© 2026 Lapis Legal