Chapter 1 — AI Risk Governance and Framework Integration — Part E: AI Regulatory Compliance and Legal Considerations

On this page

1.15Compliance With Laws and Regulations
1.16Gaps in Regulatory Coverage
1.17Mapping Legal Requirements for AI
1.18Assessing Legal Exposure and Liability for AI Actions
1.19Intellectual Property Considerations in AI
1.20Vendor Contract Review

Part E: AI Regulatory Compliance and Legal Considerations

AI governance demands rigorous attention to regulatory compliance and legal considerations. As AI technologies evolve rapidly and become more deeply integrated into organizational processes, the regulatory landscape is concurrently developing, often in a fragmented and dynamic manner. Organizations must proactively align their AI use with applicable laws, regulations, and best practices to mitigate legal risk and ensure responsible deployment.

AI laws and regulations provide oversight capabilities for governments and their respective enforcement agencies. Laws and regulations related to AI are relatively new and therefore untested from a litigation perspective. Many AI laws and regulations are still in draft format at the national level or in an administrative division (state, province, etc.) within a country.

Noncompliance with laws and regulations can result in fines or other penalties for enterprises developing AI solutions or for AI users. Some examples of currently proposed or active AI laws and regulations are shown in figure 1.24.

A comparative table lists features of global AI regulations and standards. — Figure 1.24—Comparison of AI Regulations

1.15 Compliance With Laws and Regulations

From a regulatory perspective, the main risk related to AI, especially one based on LLMs, is associated with the information and data entered into systems. Considerations for compliance include:

Information confidentiality—Users can share enterprise IP or expose trade secrets, which may violate regulations, cause reputational damage, or lead to other negative consequences for the enterprise.
Privacy—Privacy of data subjects must be guaranteed at all times, including in the design and development of AI solutions. The enterprise’s internal policies (privacy by design, conservation, secure deletion, etc.) should be reviewed and followed, and a privacy impact assessment (PIA) should be carried out prior to an AI solution’s production (or use by employees).
Intellectual property (IP)—There is an ongoing debate about the ability to copyright output generated by GenAI solutions, which may affect image rights or even constitute plagiarism. Enterprises must expressly prohibit the use of copyrighted material for training models and content creation if proper legal guarantees against IP infringement cannot be made.
Employee rights—Enterprises need to review the potential impact of AI on the rights of employees, job applicants, and other collaborators. The company must determine which use cases comply with applicable regulations and be able to guarantee that the selection process is fair, nondiscriminatory, and complies with applicable labor laws.

1.16 Gaps in Regulatory Coverage

While AI laws, standards, and regulations are developing rapidly, there are still significant gaps in the regulatory landscape, largely due to a lack of coordination between countries, which contributes to inconsistencies in border enforcement.⁶⁰ These disparities can create challenges for organizations operating in multiple regions, as they must navigate a complex web of regulations that may conflict or lack interoperability. Inconsistent regulatory approaches can produce uncertainty, complicate compliance efforts, and increase operational costs for businesses that need to tailor their AI risk governance strategies to meet varying international standards.

Certain industry sectors face similar challenges regarding regulation but take different approaches to addressing these concerns. For example, healthcare has quickly embraced AI governance, because critical concerns such as patient safety, data privacy, and ethical decision making in AI are of key importance in that area. However, the finance industry lacks comprehensive AI governance models. Regulations address certain considerations, such as personalization and process efficiencies, but do not properly address concerns such as fairness, transparency, and bias. Similarly, the education sector faces challenges, as AI tools are used in admissions, grading, and tutoring without clearly defined governance, raising concerns around fairness, transparency, and bias.

Of most importance is the gap within enterprises themselves, where AI governance ownership is unclear, leading to a lack of alignment of AI solutions with the enterprise’s overall policies and strategy.

1.17 Mapping Legal Requirements for AI

Mapping legal and regulatory requirements for AI is a critical step in ensuring compliance and managing legal risk associated with AI systems. Organizations must identify and understand the relevant laws and regulations that apply to their AI activities, which can vary significantly across jurisdictions and sectors. This process involves a comprehensive assessment of the legal landscape to align AI governance with applicable requirements and to anticipate potential conflicts or gaps.

1.17.1 Identifying Relevant Legal and Regulatory Requirements

AI systems often operate in complex environments involving multiple jurisdictions, each with its own set of laws and regulations. These range from data protection and privacy laws (e.g., General Data Protection Regulation [GDPR]), IP statutes, consumer protection regulations, sector-specific rules, and emerging AI-specific legislation.

To effectively map legal requirements, organizations should engage interdisciplinary teams that include legal counsel, compliance experts, AI developers, and domain specialists. This collaboration supports a thorough understanding of the AI system’s context, intended use, and potential impacts, which is essential for identifying applicable laws and regulatory expectations. Documentation of this mapping process is vital to demonstrate due diligence and support ongoing compliance efforts.

Address Conflicting Regulatory Guidance

One of the primary challenges in mapping legal requirements for AI is the potential for conflicting laws across jurisdictions, such as differing data privacy standards or divergent rules on AI transparency and accountability.

To address these challenges, a global compliance framework can be adopted that incorporates common regulatory requirements and supplements them with region-specific addenda to handle local exceptions and nuances. This approach facilitates a centralized compliance program while respecting jurisdictional differences.

Understanding jurisdictional applicability is especially crucial in the context of cross-border data flows, which are common in AI systems that rely on distributed data sources and cloud-based services. Organizations must determine which laws govern their data and AI operations based on factors such as the location of data subjects, data processing activities, and the entities involved. Failure to correctly identify applicable jurisdictions can result in noncompliance, legal penalties, and reputational damage.

1.17.2 Best Practices for Legal Mapping in AI

While mapping AI-related legal and regulatory requirements can be a daunting task, best practices can help with this process, including:

Collaborate with legal and compliance teams—Engage professionals with expertise in relevant jurisdictions to interpret laws and assess their applicability to AI systems.
Document legal requirements and decisions—Create a centralized AI regulatory inventory to maintain comprehensive records of identified legal requirements, interpretations, and compliance decisions to support audits and regulatory inquiries.
Incorporate legal considerations into the AI life cycle—Integrate legal considerations early in the AI system’s planning and design phases, and update mappings as the system evolves or as laws change.
Ensure policies can adapt to evolving legal landscapes—Create adaptable policies and controls that can accommodate jurisdictional variations and emerging regulatory developments.
Monitor regulatory changes—Establish processes for ongoing surveillance of legal and regulatory updates to promptly adjust compliance strategies.

By systematically identifying and mapping legal requirements, organizations can better manage the complexities of AI regulatory compliance, mitigate legal risk, and foster trustworthy AI deployment across diverse operational contexts.

1.17.3 Ensuring Conformance to Best Practices and Regulatory Standards

Evolving legal and regulatory requirements create one of the biggest hurdles related to AI governance. Therefore, implementing best practices for legal and regulatory compliance can aid in ensuring the enterprise does not unintentionally risk noncompliance.

Effective compliance monitoring is foundational to maintaining conformance with AI-related laws, standards, and best practices. Organizations should implement continuous monitoring mechanisms that track adherence to applicable regulatory requirements. This includes establishing clear metrics and indicators aligned with both mandatory regulations, like the EU AI Act, and voluntary frameworks, like the NIST AI RMF or ISO/IEC AI standards. Monitoring should encompass technical controls, data handling practices, and ethical considerations such as bias mitigation and transparency.

To support this, organizations can leverage automated tools to detect deviations, model drift, or emerging risk. Monitoring should include logging and alerting on AI system outputs, data quality, and compliance with consent requirements for data use. Regular adversarial testing and validation of AI models help ensure that systems remain within defined compliance boundaries and ethical norms.

Transparent and accurate reporting is vital for demonstrating compliance to internal stakeholders, regulators, and external auditors. Organizations should establish formal reporting processes that provide timely updates on compliance status, risk assessments, and remediation efforts. These reports must be comprehensive, comparable across reporting periods, and include explanations for any noncompliance or exceptions, supported by documented justifications.

1.18 Assessing Legal Exposure and Liability for AI Actions

The use of AI systems introduces complex legal exposures and liability considerations that organizations must carefully assess and manage. Unlike traditional human actions where it is clear who is responsible, AI systems can act autonomously, raising critical questions about who is responsible and accountable when AI causes harm or violates laws. For example, if an AI chatbot makes inappropriate remarks to minors, it is unclear whether liability rests with the AI developers, deployers, or the organization using the AI. This ambiguity extends to scenarios such as job automation, where human employees are replaced by AI systems—personal liability shifts to corporate liability without a clear framework for this change.⁶¹

As a result, enterprises must ensure that clear roles and responsibilities, RACI charts, and accountabilities are documented. See 1.9 RACI for AI Solutions for more information.

1.18.1 Liability Issues

Legal liability for AI actions is a developing area with no universally accepted standards. Organizations must consider that liability may arise from multiple sources, including design flaws, data quality issues, deployment decisions, or operational misuse. Accountability frameworks should clearly delineate roles and responsibilities among AI actors across the AI life cycle to ensure that each party understands their legal obligations and potential exposure.⁶²

Establishing transparent accountability mechanisms is essential. This includes documenting decision-making processes, assumptions, and risk assessments related to AI system use. Organizations should implement policies that separate AI system development from testing and evaluation functions to enable independent oversight and course correction. Furthermore, conflict of interest prevention and whistleblower protections can enhance accountability and reduce legal risk.⁶³

1.19 Intellectual Property Considerations in AI

IP issues are central to the legal and regulatory landscape surrounding AI. Organizations developing or deploying AI solutions must carefully analyze IP concerns related to ownership, copyright, data licensing, and the use of third-party data and models to mitigate legal risk and protect valuable assets.

1.19.1 Ownership of AI-generated Content

A key challenge in AI IP governance is determining the ownership of content generated by AI systems, particularly GenAI. This is because it is unclear whether the user, the AI developer, or the owners of the data used to train the model hold the rights to the output. For example, when an enterprise uses an AI model to generate code that incorporates information from the AI provider’s dataset, the true IP holder may be ambiguous.

To address this, risk managers should ensure that ownership provisions are explicitly defined in contracts with AI vendors and developers, involving legal counsel to clarify rights before entering agreements.⁶⁴

1.19.2 Copyright Considerations

AI training datasets often include copyrighted works, patents, or proprietary research, which can lead to inadvertent infringement. Since GenAI systems learn from user-provided data and existing content, improper sourcing can render AI outputs legally problematic or unusable. Organizations must prohibit the use of copyrighted material for training or content creation unless appropriate legal guarantees against infringement are secured.

The use of copyrighted material without proper licensing or attribution in training AI models has resulted in multiple lawsuits from authors and artists. A recent ruling on a case between a group of authors and Anthropic found that the company had used pirated content, specifically e-books, to train its Claude LLM. This led to a proposed class-wide settlement for authors whose works were used.⁶⁵ This case does not address whether or not AI training data transforms copyrighted data enough to constitute fair use, but it does indicate that companies would have difficulty justifying the use of pirated content for AI training and validation.

1.19.3 Data Licensing

Given the vast data requirements for AI model training, data licensing agreements are critical. These agreements govern how AI developers access, use, share, and distribute data owned by third parties. Essential considerations in data licensing include clear definitions of data ownership (both input and output), licensing restrictions like exclusivity and redistribution rights, and compliance with ethical and legal standards. Failure to execute sound data licensing agreements can lead to reputational damage, financial penalties, and loss of public trust.

Use of Third-party Data and Models

The integration of third-party data and AI models introduces additional IP risk. AI providers often train models on publicly available or licensed datasets, but the provenance and legality of these data sources must be verified to avoid infringement. Moreover, the use of third-party AI models to generate content or insights raises questions about IP ownership and liability. Organizations should conduct thorough due diligence on AI vendors, including reviewing data sourcing practices, licensing terms, and IP rights. Contracts should include enforceable clauses that address IP ownership, usage rights, and indemnification to protect the enterprise’s interests.

1.19.4 Managing IP Risk

To manage IP risk effectively, organizations should:

Implement strict policies prohibiting unauthorized use of copyrighted material in AI training and output.
Engage legal counsel to draft and review contracts with AI vendors, ensuring clear IP ownership and licensing terms.
Conduct risk assessments focused on IP issues during AI solution development and deployment.
Maintain transparency and documentation regarding data sources and licensing agreements.
Educate employees and partners on IP protection responsibilities, including adherence to nondisclosure agreements (NDAs) and secure handling of proprietary information.
Provide (or have vendors provide) specific attestations regarding the content provenance and licensing of training data, especially for GenAI models, to mitigate IP infringement risk.

By proactively addressing IP considerations, organizations can safeguard their competitive advantage, reduce legal exposure, and foster RAI innovation.

1.20 Vendor Contract Review

The AI revolution extends beyond the enterprise to its vendors and the vendors these vendors use. In many cases, especially as it relates to software as a service (SaaS) and other software agreements, vendors are implementing AI-enabled functionality, often without giving the contracting organization prior notice.

In addition, AI introduces privacy, ethical, and societal considerations that may not have been previously considered. This makes the review of new and existing vendor contracts key to ensuring legal and regulatory concepts are adequately addressed in line with the enterprise’s risk tolerance and appetite.

See 3.17 AI Vendor Management for more information on third-party risk management (TPRM).

1.20.1 Contract Clause Review

While periodic review of vendor contracts is an important part of TPRM, several areas of a contract are particularly relevant to the use of AI. Figure 1.25 provides for descriptions of these contract areas.

Figure 1.25—Contract Clauses Relevant to AI Solutions

Clause	Purpose	Areas of Need
Data use and ownership	Contracts must clearly specify the ownership and permissible use of data used in an artificial intelligence (AI) solution. Since outsourcing does not transfer data ownership or liability, the organization retains accountability for data security and compliance even when data processing is delegated to a vendor.	The scope of data usage, including any restrictions on using organizational data for AI model training or other purposes Data storage locations and jurisdictional requirements, ensuring compliance with data residency laws and regulations Obligations for data protection, including encryption, access controls, and breach notification procedures Post-termination data handling, such as data return, destruction, or transfer protocols
Compliance	Given the evolving regulatory landscape for AI, contracts must incorporate clauses that require vendors to comply with all relevant laws, regulations, and ethical standards.	Adherence to data protection laws (e.g., General Data Protection Regulation [GDPR]) and AI-specific regulations (e.g., EU AI Act) Implementation of privacy by design and security by design principles Cooperation with audits and assessments to verify compliance Notification obligations for regulatory changes that may impact service delivery or compliance status
Liability and indemnification	Contracts should clearly delineate liability for damages arising from AI system failures, data breaches, or regulatory noncompliance.	Indemnity clauses requiring the vendor to compensate the organization for losses caused by the vendor’s negligence or breach of contract Limitations of liability that balance risk sharing without absolving the vendor of responsibility for critical failures Requirements for timely notification of incidents and cooperation in remediation efforts Service level agreements (SLAs) that define performance standards and remedies for nonperformance, including financial penalties or service credits
Intellectual property (IP) rights	As discussed, AI solutions often involve complex IP issues, especially concerning AI-generated content and the use of third-party data or models.	Ownership of AI-generated outputs Licensing terms for any third-party data, software, or models incorporated into the AI solution Protection of the organization’s proprietary information and trade secrets through nondisclosure agreements (NDAs) Clauses preventing unauthorized use or disclosure of IP by the vendor or its subcontractors
Enforceable covenants and audit rights	To maintain control and oversight, contracts should include provisions that enable the organization to take a variety of necessary actions.	Conducting audits or obtaining third-party attestation reports (e.g., Statement on Standards for Attestation Engagements [SSAE] 18) to verify vendor compliance with security and regulatory requirements Requiring advance notification of changes to AI features or underlying models that may affect risk or compliance posture Establishing clear terms for contract duration, renewal, pricing, and termination, including rights to terminate for cause or convenience Defining dispute resolution mechanisms and jurisdiction for legal proceedings

1.20.2 Shared Responsibility Model

Shared responsibility is a concept that many enterprises are familiar with, particularly in regard to cloud service providers (CSPs). This concept can also extend to contracting with enterprises to provide AI-enabled services. Contracts should be reviewed to ensure that the responsibilities of each party are clearly defined, including situations where both parties share responsibility. See 3.18 AI Shared Responsibility Model for more information.