General counsels are scrambling to manage the rapid spread of AI across the enterprise, confronting a growing risk landscape that could trigger a wave of litigation, insurance disputes and governance failures.
That means corporate legal departments are facing a rapidly expanding mandate to ensure robust AI governance, regulatory tracking and enterprise risk management – even when they are not directly deploying AI systems.
“It’s the speed, lower barrier to entry and the ubiquity of these systems that have combined into a perfect storm,” Gartner Research Director Stuart Strome said in an interview with The AI Innovator. “The risks of misuse are just so high.”
For example, if an employee enters a client’s information into a public chatbot like ChatGPT to generate an email containing a customer ID, the worker could compromise the client’s personal information.
This act of ‘shadow AI’ – the use of unauthorized AI tools – is easy to do and hard to detect, according to Strome. Shadow AI is generally viewed as more pervasive, faster-moving and potentially harder to control than ‘shadow IT,’ where employees use unauthorized software, services or devices.
“Anyone in the company could use ChatGPT for anything,” Strome said.
The risk landscape expands as AI becomes embedded nearly everywhere – from internally developed systems to third-party software products that may quietly introduce AI features into enterprise workflows.
That means “you also have to worry about vendors incorporating AI into their offerings,” Strome said. “And by the way, not notifying you as a client that they’re doing it.”
That ubiquity is reshaping how legal departments interact with the rest of the enterprise. Strome said AI governance now requires deeper coordination between legal, IT, compliance, privacy and cybersecurity teams.
“Legal often isn’t going to be leading this effort, but legal is accountable for a lot of the risks that manifest with AI,” he said. “So legal needs to ensure, if not drive, effective AI governance.”
He said legal teams must ensure organizations understand regulatory obligations, maintain inventories of high-risk AI systems and establish clear ownership structures around AI deployments.
“Make sure there are clear, defined roles and responsibilities for AI governance,” he said. “Legal isn’t going to be executing a lot of these tasks, but legal has to confer with leadership and say, ‘are we doing these things?’ Because they’re essential for legal risk management, and depending on your jurisdiction, they’re essential for regulatory compliance.”
Don’t reinvent the wheel
As legal teams look to set up the proper AI governance frameworks, Strome advises companies not to “reinvent the wheel.” Rather, first update existing governance processes by addressing specific AI risks such as hallucinations, bias, and IP and privacy violations.
“Find ways where you can adapt your existing frameworks, whether they be risk frameworks or the risk management processes underlying them, to incorporate AI,” he said. “Now, this isn’t always possible, but we suggest it as a first step.”
For example, Strome said many companies have some form of PIA, or privacy impact assessment, that consists of a series of questions. When a new project hits the desk, its privacy risks are assessed and a set of controls is recommended to the project leader. Strome advises incorporating AI into the PIA questions rather than creating a separate PIA focused only on AI.
“There’s no need for them to be two separate processes. Often, the answers to one are going to overlap heavily with the answers to another,” Strome added. “So unify those processes, or if you have an existing privacy impact assessment, incorporate questions related to AI.”
If updating isn’t enough, then look to creating a separate framework, he said.
Complicating matters is the speed at which AI is advancing. Strome noted that it took social media about a decade to catch on.
“What feels different here is the speed,” he said. “Generative AI came on the scene in 2023 – at least for most of our clients, that’s when they started paying attention. And now it’s already old news.”
Currently, agentic AI is capturing attention and brings with it a new set of capabilities. AI agents can autonomously perform tasks by tapping databases and tools in an enterprise. With the availability of low-code and no-code AI agent creation tools, this latest trend lowers the barriers to entry even further.
“Any employee can develop an agent,” Strome said. “If that agent is granted access to sensitive data, there really is a high potential for a risk event.”
Those risks are driving new demand for AI-specific insurance products. Gartner says traditional business insurance policies often fail to adequately cover AI-related incidents.
Affirmative AI insurance policies are emerging to cover risks such as hallucinations, discrimination claims, copyright infringement and even physical damage caused by AI failures, including negligent medical advice, according to a Gartner report.
Gartner predicts that by 2030, property and casualty insurers will require strong AI governance controls before issuing AI liability coverage, driving a 60% increase in application of these controls.
A ‘bimodal’ landscape
As for the state of enterprise AI preparedness, Strome sees a “bimodal” landscape, with a minority already implementing mature governance programs while many others remain in the early stages.
“I see a lot of clients that are very advanced,” he said. “And I see another group of people who are just at the beginning of their journey that don’t quite know what the compliance obligations mean for them and don’t have a handle on how AI is being used at the organization.”
Strome said roughly one-third of organizations fall into the advanced category – they automate their controls and implement responsible AI by design as part of a “highly mature” AI risk management program. Meanwhile, about half remain in the early stages of AI governance maturity.
The changes are also beginning to reshape hiring and organizational structures inside legal departments. Strome said privacy leaders – often sitting in legal – are increasingly taking on AI governance responsibilities because many AI risks originate in data usage and management.
“We are seeing the privacy role expand quite a bit to take on more of the risk management and governance aspects of AI,” he said.
Organizations are also creating dedicated AI governance positions that coordinate across legal, IT and security teams.
Looking ahead, Strome said AI is expected to alter legal workflows and staffing models, as it will in other business departments.
“I think AI is going to have the same impact on legal departments as it has on a lot of other functions,” he said. “It’s maybe not going to erase entire roles and maybe not even fully automate certain workflows, but it’s going to make specific individuals a lot more productive. What that means is it will take fewer lawyers to attend to all the legal matters of the organization.”
That productivity boost may come with consequences for hiring. “I do think you’re going to see … fewer opportunities for those entry-level positions, which is a shame,” he said.