Every company is now an AI company, whether they intended to be or not. That creates a new category of risk that doesn't fit neatly into existing legal frameworks — and a new responsibility for general counsel.
The Risk Categories
AI risks generally fall into a few categories: model risk (the AI produces a wrong answer), data risk (training or input data was used inappropriately), bias risk (the model produces discriminatory outputs), regulatory risk (the use violates a sector-specific rule), and contract risk (the AI's outputs trigger obligations the company didn't intend).
Each of these requires different controls. A single "AI policy" that doesn't distinguish between them is unlikely to be effective.

Governance Structures
The most effective governance structure we see is a small, cross-functional AI committee with real authority — typically a senior lawyer, a senior engineer, a security lead, and a representative from the affected business unit.
The committee reviews high-impact AI deployments before launch, sets policy on common patterns, and serves as the escalation path when something goes wrong. The structure is lightweight enough to move at the pace of the technology and substantive enough to be more than a rubber stamp.
Documentation
Documentation matters more in AI than in most areas of compliance, because the systems are dynamic and the decisions made about them are easy to lose. The committee's decisions, the rationale, and the controls put in place should be written down — and revisited as the technology evolves.
If a regulator ever asks how a particular AI deployment was governed, the answer should not depend on a specific person's memory.

Engagement With the Business
The general counsel's job in this area is not to slow the business down. It's to enable AI use that the company can stand behind. That requires engagement early, not gating at the end.
The legal team that says "yes, here's how to do this safely" will have far more influence on outcomes than the team that says "no" and watches the business find a workaround.






















