This article is currently available only in English.
The General Counsel's AI Governance Briefing: Legal Exposure, Regulatory Risk, and What to Tell the Board
AI creates legal exposure across contract, tort, employment, data protection, consumer, and regulatory law simultaneously. General Counsel need a framework for assessing and communicating this exposure. Here it is.
Key Takeaways
AI creates simultaneous legal exposure across six distinct areas of law — contract, tort, employment, data protection, consumer, and regulatory. Most organisations manage these in silos, creating gaps.
Contractual AI risk is often the most immediate: contracts signed before AI was deployed may not address liability for AI-assisted performance failures, and supplier AI governance warranties are rarely adequate.
The tort liability framework for AI harm is actively developing — courts in the UK, EU, and Australia have heard cases establishing that organisations deploying AI owe a duty of care to those affected by it.
Employment law is the most active enforcement area for AI governance in 2026 — discriminatory hiring AI, unlawful monitoring, and automated performance management are all generating litigation and regulatory action.
The GC's three immediate priorities: audit existing contractual AI exposure, assess whether current data protection compliance covers AI use cases, and brief the board with a clear risk register.
"For reference only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, consult a qualified professional."
The six legal exposure areas AI creates simultaneously
The mistake most organisations make is treating AI governance as a compliance project — assigning it to a single team (usually privacy or technology) and expecting that team to manage it. The problem is that AI creates legal exposure across at least six distinct areas of law simultaneously, and those areas are managed by different parts of the organisation with different reporting lines, different external counsel relationships, and different risk tolerances.
The six areas are: contract (AI performance of contractual obligations, AI supplier liability, indemnification); tort (duty of care for AI-caused harm, product liability for AI outputs); employment (discriminatory AI in hiring and performance management, unlawful monitoring, unfair dismissal via automated decisions); data protection (GDPR/Privacy Act obligations for AI processing, automated decision-making rights, breach notification); consumer (misleading AI representations, unfair algorithmic practices, consumer protection obligations); and regulatory (sector-specific AI obligations from financial, health, and other regulators). A GC who does not have visibility across all six areas is not managing AI legal risk — they are managing the part they can see.
Contractual AI risk: the most immediate exposure
Many organisations have contracts — with clients, suppliers, and employees — that were negotiated and signed before AI was deployed in the relevant processes. These contracts do not address AI. They specify performance standards, liability caps, and indemnification provisions that were designed for human performance of the relevant obligations. When AI is introduced into the performance of those obligations, the contractual position becomes uncertain in ways that create real exposure.
Three specific contractual risks deserve immediate attention. First, client contracts that specify performance standards AI may not consistently meet — particularly in professional services where individual expertise was implicitly or explicitly contracted for. Second, supplier contracts that do not contain adequate AI governance warranties — if your supplier uses AI in delivering their services to you, you need representations about their AI governance that most standard supply contracts do not contain. Third, employment contracts and policies that do not address AI monitoring or AI-assisted performance management — the absence of clear terms creates exposure in employment tribunals and labour courts.
Briefing the board: what to say and how to say it
The board briefing on AI legal risk should do three things: establish what the organisation's actual AI exposure is (not theoretical, actual), identify the two or three material risks that require board-level decisions, and propose a governance structure with a named accountable executive. It should not be a catalogue of every possible AI risk or a technical description of the regulatory framework. Boards make better decisions about risks they understand than about risk maps they cannot parse. Translate legal exposure into business impact: penalty range, litigation cost estimate, reputational consequence, and the cost of remediation versus the cost of non-compliance. That is the language in which boards make governance decisions.