Peter Lee underlines the importance of, and the principles underpinning, AI governance, thereby helping businesses to bridge the theory and practice.
Artificial intelligence (AI) is reshaping industries at an extraordinary pace, offering transformative opportunities while introducing complex risks. For organisations, the challenge lies in ensuring that AI systems not only comply with emerging regulations but also align with ethical principles, organisational purpose, and broader strategic and commercial objectives. Increasingly, boards and senior leadership teams are focusing on embedding AI governance frameworks that enable the safe, transparent and commercially effective use of AI across jurisdictions, while ensuring that these systems support and enhance the organisation’s speed to market, mission and values.
For technology lawyers, this rapidly evolving landscape presents both challenges and opportunities. Lawyers are uniquely positioned to guide organisations in embedding robust AI governance practices that mitigate risks, foster innovation, and build trust. This article explores the foundational elements of AI governance, its strategic importance, and the practical steps legal professionals can take to help their clients navigate this complex and dynamic landscape.
Defining AI governance
AI governance refers to the processes, standards, and safeguards that ensure AI systems are safe, ethical, and aligned with organisational goals, human values, and regulatory requirements. It establishes oversight mechanisms to address risks such as bias, privacy infringement and misuse, while fostering innovation and building trust. By providing a structured approach to risk mitigation, AI governance ensures that AI models and systems are developed and deployed responsibly, transparently, and in alignment with expectations.
It is helpful to distinguish AI governance from “Responsible AI”. Responsible AI is commonly used and generally is used to define the “why” and the “what”, that is the principles and vision for ethical AI use. On the other hand, AI governance delivers the “how.” It provides the tools, processes and structures needed to put those principles into practice. In short, Responsible AI sets the vision, while AI governance ensures that vision becomes reality.
This distinction is relevant for lawyers. As organisations adopt AI technologies, legal professionals are tasked with advising on both the strategic vision for ethical AI use and the practical steps required to achieve it. Moreover, the regulatory landscape is unsettled, evolving rapidly and is complex, so lawyers are important actors in AI governance programmes.
It may be helpful to distinguish an AI regulatory compliance programme from an AI governance programme. The former focuses on meeting the specific legal obligations of the relevant regulations within defined timelines. The latter is, typically, an enterprise-wide operating model encompassing policies, roles, risk processes, training, tooling and assurance mechanisms to guide all AI use (whether or not it falls under laws such as the EU AI Act) toward safe, ethical, and commercially effective outcomes. A robust governance programme typically aligns with international standards such as ISO/IEC 42001 and the NIST AI Risk Management Framework, ensuring consistency across jurisdictions and use cases. For legal professionals, understanding this distinction is important when advising clients on both regulatory compliance and broader AI governance strategies.
Organisations are beginning to recognise that robust AI governance not only ensures compliance with regulatory requirements but also mitigates the risk of fines and reputational harm. Clear frameworks for ethical and responsible AI use can also build trust with customers and stakeholders, especially in an era where AI is becoming more widespread and its use less transparent. Additionally, effective governance streamlines decision-making, enabling faster, more efficient deployment of AI solutions and accelerating time to market.
Building an AI governance framework: core components
A robust AI governance framework is built on several key components, each of which plays a critical role in ensuring responsible AI use. These are different for every organisation, but often include:
- Ethical standards: Promoting human-centric, trustworthy AI that respects fundamental human rights, health, and safety.
- Policies and regulations: Complying with applicable legal frameworks and developing internal policies to guide AI implementation.
- Accountability and oversight: Assigning clear responsibility for AI decisions and ensuring human oversight to prevent misuse.
- Transparency and explainability: Creating mechanisms to understand how AI systems make decisions, fostering trust and facilitating debugging.
- Security and privacy: Implementing measures to protect data, prevent unauthorised access, and ensure AI systems do not become cybersecurity threats. This includes safeguarding against the leakage of intellectual property and confidential information, particularly when employees or systems interact with external AI tools or platforms.
- Risk management: Proactively identifying and managing potential risks, such as model bias and data misuse, that can arise from AI technologies. This also involves assessing the risk of intellectual property or confidentiality leakage, ensuring that sensitive data is not inadvertently exposed through AI systems or unapproved tools.
To operationalise these components, organisations should map their Responsible AI principles (such as fairness, transparency, explainability) to written policies and procedures. Standards such as ISO/IEC 42001 and the NIST AI RMF can provide a structured framework for implementing these principles, ensuring consistency and clarity across the organisation.
Addressing shadow AI
One of the most pressing challenges in AI governance is the rise of “shadow AI”, which refers to the use of unapproved AI tools by employees. Often driven by the desire to innovate or save time, shadow AI introduces significant risks, including data breaches, regulatory violations, and a lack of accountability for AI-driven decisions. It also creates a heightened risk of intellectual property or confidentiality leakage, as employees may inadvertently input sensitive or proprietary information into generative AI tools or other unvetted systems. This can expose trade secrets or other confidential data to external parties, potentially causing significant harm to the organisation.
The appropriate response is not to suppress innovation but to establish structured frameworks that enable its responsible and strategic development. Organisations should craft clear policies on AI usage, invest in approved tools that meet employees’ needs, and provide training to empower teams to use AI responsibly. For example, an organisation could implement a centralised approval process for AI tools while offering employees a catalogue of pre-approved options. By addressing shadow AI proactively, organisations can harness its potential while mitigating its risks.
International Standards for AI governance
Standards play an important role in operationalising AI governance requirements and providing assurance of responsible AI use. While voluntary, international standards such as ISO/IEC 42001 and the NIST AI RMF offer structured frameworks that help organisations navigate the complexities of AI implementation. The benefits of adopting standards include:
- Governance roadmap: Standards provide a roadmap for developing robust AI management frameworks and operationalising ethical principles.
- Assurance: They demonstrate trustworthiness and transparency, building confidence among stakeholders.
- Compliance: Standards help organisations meet legal and regulatory requirements.
- Consistency and interoperability: They ensure alignment across jurisdictions and facilitate cross-border operations.
- Accessibility for SMEs: Standards can offer smaller organisations a cost-effective pathway to demonstrate responsible AI use, levelling the playing field with larger businesses.
For lawyers, advising clients on the adoption and integration of standards is an essential part of building effective AI governance frameworks.
Governance of agentic AI
Agentic AI (AI systems capable of autonomously achieving goals with minimal human input) is advancing rapidly, driven by innovations in foundation models. These agents can make decisions, execute actions independently, learn iteratively, and interact with environments or users. They are already demonstrating economic value in fields such as customer service and cybersecurity. However, their increasing autonomy raises significant societal and risk implications, including labour displacement, organisational operating model disruption and risks of misuse or loss of control. The governance of Agentic AI is challenging and includes managing unpredictable behaviours, addressing transparency issues in “black-box” models, and scaling oversight across widespread multi-agent deployments. At the time of writing, the operationalisation of this AI is new in most sectors, but several leading organisations are using agents to streamline operations and boost productivity. For example, Uber uses a multi-agent system to turn natural language into SQL queries for real-time financial insights, eliminating manual data work while Intercom employs voice-based AI agents to handle customer support calls, reducing handling time and enhancing customer experience. Companies using agents should be seeking to apply a structured risk and control framework, layering agent‑specific safeguards onto frameworks such as ISO 42001 and NIST AI RMF. This includes work to grant the AI only the tools and permissions necessary for its tasks, and to deploy it within a controlled, isolated environment to minimise potential harm. They should also be implementing safeguards against malicious prompts, verifying that outputs are based on reliable information, and applying clear labelling to any AI-generated content for transparency. Prior to deployment, they should conduct capability testing, adversarial evaluations, and red‑team exercises to identify vulnerabilities, while ensuring human approval for any high‑impact actions. Once in production, they should continuously monitor the AI’s plans, tool usage and unusual behaviours, supported by automated stop mechanisms and structured post‑deployment reviews and incident response plans.
Conclusion: governance as an enabler of innovation
The rapid evolution of AI presents both transformative opportunities and significant challenges for organisations. Effective AI governance is increasingly important to ensure that AI systems are developed and deployed responsibly, ethically, and in alignment with organisational goals and regulatory requirements. By distinguishing between Responsible AI and AI Governance, organisations can establish a clear vision for ethical AI use and implement the necessary tools and processes to effect that vision. A robust governance framework can mitigate risks, but also fosters innovation, builds trust, and enhances competitive advantage.
For legal professionals, the evolving regulatory landscape, the complexities of AI governance, new challenges such as shadow AI and the governance of agentic AI present an opportunity to play a pivotal role. We can advise on compliance, governance strategies, and the adoption of standards thus helping clients navigate the risks and unlock the full potential of AI technologies. Embedding a robust AI governance framework is not just a regulatory necessity but a strategic imperative for an organisation seeking to thrive in the age of AI.
Peter Lee is a Partner at Simmons & Simmons, where he leads the firm’s AI Governance practice. He also advises on projects that use AI, technology and design to enhance legal functions for clients. Peter is a contributing author to The Law of Artificial Intelligence (Sweet & Maxwell) and is engaged in research on Responsible AI and Industry 5.0 at the University of Cambridge. He also chairs the SESG group at the Society for Computers and Law.
This article is also available in the special AI issue of Computers & Law, which is available to download here.
