The six legal exposure areas AI creates simultaneously
The mistake most organisations make is treating AI governance as a compliance project, assigning it to a single team (usually privacy or technology) and expecting that team to manage it. The problem is that AI creates legal exposure across at least six distinct areas of law simultaneously, and those areas are managed by different parts of the organisation with different reporting lines, different external counsel relationships, and different risk tolerances.
The six areas are: contract (AI performance of contractual obligations, AI supplier liability, indemnification); tort (duty of care for AI-caused harm, product liability for AI outputs); employment (discriminatory AI in hiring and performance management, unlawful monitoring, unfair dismissal via automated decisions); data protection (GDPR/Privacy Act obligations for AI processing, automated decision-making rights, breach notification); consumer (misleading AI representations, unfair algorithmic practices, consumer protection obligations); and regulatory (sector-specific AI obligations from financial, health, and other regulators). A GC who does not have visibility across all six areas is not managing AI legal risk; they are managing the part they can see.
Contractual AI risk: the most immediate exposure
Many organisations have contracts (with clients, suppliers, and employees) that were negotiated and signed before AI was deployed in the relevant processes. These contracts do not address AI. They specify performance standards, liability caps, and indemnification provisions that were designed for human performance of the relevant obligations. When AI is introduced into the performance of those obligations, the contractual position becomes uncertain in ways that create real exposure.
Three specific contractual risks deserve immediate attention. First, client contracts that specify performance standards AI may not consistently meet, particularly in professional services where individual expertise was implicitly or explicitly contracted for. Second, supplier contracts that do not contain adequate AI governance warranties: if your supplier uses AI in delivering their services to you, you need representations about their AI governance that most standard supply contracts do not contain. Third, employment contracts and policies that do not address AI monitoring or AI-assisted performance management: the absence of clear terms creates exposure in employment tribunals and labour courts.
Briefing the board: what to say and how to say it
The board briefing on AI legal risk should do three things: establish what the organisation's actual AI exposure is (not theoretical, actual), identify the two or three material risks that require board-level decisions, and propose a governance structure with a named accountable executive. It should not be a catalogue of every possible AI risk or a technical description of the regulatory framework. Boards make better decisions about risks they understand than about risk maps they cannot parse. Translate legal exposure into business impact: penalty range, litigation cost estimate, reputational consequence, and the cost of remediation versus the cost of non-compliance. That is the language in which boards make governance decisions.