Artificial Intelligence. The term is now more than a mere buzzword. It has become the unavoidable topic for every in-house lawyer across all legal areas. The legal implications of AI touch virtually every corporate function: from its deployment within employment and human resources, to the development and operationalisation of models designed to streamline internal processes, marketing campaigns, research and development, and the engineering of the next generation of software-as-a-service (‘SaaS’) products.
According to a recent study from McKinsey[1], 88% of organizations now use AI in at least one business function. Only one year ago, in-house counsel at many organisations were primarily looking into the deployment of enterprise versions of large language models (LLMs) and compliance with a couple of AI regulations. Today they must navigate an expanding and increasingly complex set of AI regulatory obligations across multiple jurisdictions, while simultaneously contending with the emergence of novel AI technologies that are disrupting not only legal practice itself, but the very foundational principles lawyers have long been trained to master. IP litigation cases are springing up across the world, with practitioners everywhere looking forward to finally getting some clarity as to how our existing legal frameworks protect creation, invention and brands in the age of AI.
Yet, according to the 2025 IAPP AI Governance survey[2], 49% of the responding organizations identified a lack of understanding of AI and its underlying technologies as their primary challenge, while the same proportion recognized inadequate internal comprehension of AI compliance and governance obligations as among their foremost concerns. For in-house counsel, an organisation-wide lack of understanding of both the technology and the compliance obligations significantly increases the organisation’s legal risk exposure. In a context where both AI adoption and regulatory requirements are accelerating, in-house counsel must be able to rely on robust AI governance frameworks to effectively manage the legal risks arising from this ongoing technological revolution.
This article introduces AI governance frameworks as a strategic tool for managing not only your corporate risks, but also your legal risks as an organisation.
An Introduction to AI Governance Frameworks as A Legal Risk Management Function
AI Governance has no recognized definition. Some authors have proposed a definition of AI governance as ‘‘a system of rules, practices, processes, and technological tools that are employed to ensure an organization’s use of AI technologies aligns with the organization’s strategies, objectives, and values; fulfils legal requirements; and meets principles of ethical AI followed by the organization.’’[3] Following this definition, one of the key objectives of AI governance is to ensure that organizations fulfil their legal requirements.
Looking at how AI governance frameworks are structured, it is apparent that, whilst none of these recognized frameworks is designed to ensure compliance with legal obligations, the areas they cover are likely to support organizations in adopting rules, policies, processes and practices that increase the likelihood of adhering to prescriptive regulatory frameworks.
While every organisation will build its governance programme differently, two frameworks have emerged as the most widely adopted reference points globally. Neither is legally mandatory, but both are increasingly referenced by the professionals in the space.
- The NIST AI governance framework
Published in January 2023 by the US National Institute of Standards and Technology, the NIST AI RMF is a voluntary, sector-agnostic framework designed to help organisations identify, assess, and manage AI-related risks across the full AI lifecycle. It structures its guidance around four core functions (Govern; Map; Measure; and Manage). Examples of some NIST AI RMF controls as legal risk management functions include:
- Controls MAP 1 and 2.1 require organisations to have processes in place to classify AI systems, which helps with the assessment and classification of AI systems under the EU AI Act.
- Control GOVERN 2.2 requires organisations to ensure personnel receive adequate AI risk management training, which can assist companies in complying with the AI literacy requirement of Art. 4 EU AI Act.
- ISO/IEC 42001:2023
Published in December 2023, ISO/IEC 42001 is the world’s first international management system standard specifically designed for AI. This AI management system follows a structure similar to that of the management systems under ISO 27001 certification.
Its key requirements include AI-specific risk assessments and controls for data governance, bias mitigation, and transparency. For example, complying with its data governance controls allows organisations to effectively assess pre-training, training, and post-training datasets against privacy and IP compliance obligations, because the ISO controls require a review process for training‑data provenance and an internal approval process for new training sources.
AI Governance as a Universal Adapter In a Fast-Evolving Global AI Regulatory Environment
The global AI regulatory landscape is very fragmented, and it is challenging for organisations to adopt a one-size-fits-all approach to complying with AI regulatory requirements. From the EU AI Act to China’s many AI-specific regulations, from Brazil’s proposed AI framework to the sector-specific approach favoured in the United States at state level, organisations operating across multiple jurisdictions face a patchwork of overlapping, and at times conflicting, legal obligations.
In this context, AI governance frameworks can act as a universal adapter. Rather than building bespoke compliance programs for each jurisdiction, organizations can use a robust AI governance framework as a foundational compliance baseline, since such frameworks usually rely on principles aligned with most of the more specific regulatory requirements. Adhering to an AI governance framework is a very efficient way to lay the foundations for good global AI regulatory compliance.
For instance, section 6.1 of ISO/IEC 42001 requires organisations to establish a documented AI risk and impact assessment process ensuring that new AI systems align with the company’s AI policy. Providers that have adopted such a process while implementing the framework are in a good position to then align it with Article 9 of the EU AI Act and its requirement to deploy a risk management system. Similarly, an organisation qualifying as a “Deployer” of a high-risk system under the Colorado AI Act will likely have laid good foundations for complying with Sec. 6-1-1701 (2) (a) of the Colorado AI Act, which requires the adoption of a risk management policy and program in relation to high-risk systems.
As new AI regulations emerge and continue to be adopted on a regular basis, organisations with mature AI governance frameworks are better equipped to absorb new requirements incrementally, rather than by restarting their compliance effort from the ground up each time a new major AI regulation is adopted.
AI Governance as a tool for IP risk mitigation
For intellectual property counsel, the intersection of AI and IP law presents a uniquely difficult set of challenges. AI systems can implicate IP rights across the lifecycle, from the ingestion of potentially protected works during training, to outputs whose protectability and ownership are contested, to deployment at scale where alleged infringement can be replicated quickly. At the same time, it is easy to over-claim what “governance” can achieve: many core questions (e.g., lawful training, copyrightability thresholds, inventorship, and liability allocation across providers, deployers, and users) remain unsettled and jurisdiction-specific, and some risks are not reliably detectable with today’s technical controls. A governance framework is therefore best viewed as a way to surface, document, and manage decisions under uncertainty, not as a substitute for clear law, strong contracts, and enforceable technical safeguards.
AI governance frameworks can help impose structure on IP risk workstreams, but their effectiveness depends on the availability of reliable inputs and enforcement. At the training-data level, provenance documentation, supplier due diligence, and dataset intake controls may reduce risk, yet they rarely provide complete assurance: data lineage can be partial, datasets are often aggregated and re-used across projects, and organisations may lack audit rights or technical visibility into third-party model training. Even where auditing is feasible, “clean” datasets do not eliminate the risk of being subject to downstream claims about similarity, memorization, or unlawful use. Governance can improve defensibility (showing reasonable steps were taken), but it should not be framed as completely eliminating infringement risk.
At the output level, governance can support internal policies on review, attribution, and acceptable uses of AI-assisted work. However, transparency and record-keeping alone may not resolve ownership or protectability questions. In practice, teams may not consistently capture the level of human contribution, and the legal tests for authorship/inventorship and originality continue to diverge across jurisdictions. Moreover, downstream infringement risk can arise even where an output is not itself protectable (e.g., when it resembles third-party works or includes third-party marks). To be useful, governance should translate into concrete workflow requirements, such as defined human review gates, standardised documentation of contribution, and clear escalation criteria, paired with realistic expectations about what can be proven if challenged.
The table below maps some of the main IP risk categories arising from AI adoption to the governance measures most likely to reduce exposure, organised by risk type and illustrated with the regulatory obligations and practical controls that in-house counsel should consider embedding within their organisation’s broader AI governance framework.
| IP Risk Category | Typical AI Scenarios | Key Governance Measures | Relevant Regulatory Frameworks |
|---|---|---|---|
| Training data copyright infringement | Use of scraped or licensed corpora where copyright status, licensing scope, or TDM exceptions are unclear | Require training data provenance reviews and documentation; mandate supplier warranties of lawful sourcing; implement internal approval processes for new training data sources, including legal review of TDM exceptions and opt-outs | EU AI Act (GPAI training data summaries and copyright policies); Text and Data Mining exceptions (EU DSM Directive, Art. 4; UK CDPA); California Artificial Intelligence Training Data Transparency Act; US Copyright Act; CAIA (Colorado) training transparency obligations |
| Output copyright infringement | AI-generated text, code, images, or music that reproduces or closely mimics protected third-party works | Implement output review workflows for higher-risk use cases; require human verification of originality prior to publication or commercial use; deploy output guardrails filtering known copyrighted content | EU and UK copyright law (originality/authorship thresholds); EU AI Act transparency obligations; US Copyright Act |
| Trade secret and confidential information exposure | Employees entering source code, deal data, or client information into consumer LLMs with training-on-inputs practices | Adopt formal AI use policies prohibiting entry of confidential data into public tools; map AI systems, including shadow AI use; run AI literacy programmes; adopt acceptable use policies; establish an AI use approval process | GDPR (where personal data is involved); EU Trade Secrets Directive; general contractual liability |
| Trademark infringement | AI-generated marketing or customer-facing content incorporating third-party marks or making unverifiable claims | Define which use cases require human review prior to publication; implement automated brand and trademark filters; establish clear accountability and sign-off processes | EU Trade Mark Regulation; UK Trade Marks Act 1994; EU AI Act (transparency for AI-generated content); DSA (for platforms) |
In sum, AI governance frameworks offer IP counsel a systematic approach to managing the wide-ranging IP risks arising from AI adoption. Rather than addressing each risk in isolation, a well-designed governance framework enables organisations to embed IP risk identification and mitigation into the broader AI lifecycle, ensuring that IP considerations are integrated from the design stage rather than addressed only after issues materialise.
A few key practical steps to take toward better AI governance
Much can be achieved through process and structure, rather than technical expertise alone. Here are the steps we recommend for organisations beginning this journey:
- Build an AI inventory. You cannot govern what you cannot see. Use the methodology of your personal data mapping exercise and record of processing activities to identify every AI system in use across the organisation, including tools adopted informally by employees. A recent IBM-sponsored study found that while 80% of American office workers are already using AI in their roles, only 22% rely exclusively on tools provided by their employer.
- Invest in AI literacy. Governance depends on people understanding what AI is and what risks it introduces. Basic training for employees, particularly in high-risk functions such as HR, finance, and legal, is among the most effective measures an organisation can take at this stage.
- Introduce an AI policy (or policies). Set clear rules for how employees may and may not use AI tools. As shown above, legal risks need to be mitigated by the adoption of clear policies understood by all relevant parties.
- Appoint an AI Officer or lead function. This does not need to be a new hire. According to the IAPP’s AI Governance Profession Report 2025, 22% of organisations place primary AI governance responsibility with their privacy function, and a further 22% with legal and compliance. Some organisations have indeed considered that the Data Protection Officer or a senior compliance professional can take on responsibility for driving AI governance internally and ensuring that all related programmes work in coordination.
- Adapt your existing risk framework. You do not need to build from scratch. Extend your privacy impact assessment methodology and risk register to capture AI-specific risks, and use your existing risk-rating approach to ensure that AI systems are included as a category.

For further information, please contact:
Camille Abou Farhat, Bird & Bird
camille.aboufarhat@twobirds.com
[1] The State of AI: Global Survey 2025 | McKinsey
[2] AI Governance Profession Report 2025, 16 April 2025 https://ai_governance_profession_report_2025.pdf
[3] M. Mäntymäki, M. Minkkinen, T. Birkstedt, and M. Viljanen, ‘‘Defining organizational AI governance,’’ AI Ethics, vol. 2, no. 4, pp. 603–609, Feb. 2022