With the surge of generative AI within organizations, a critical question has taken center stage: how to regulate these practices without slowing down innovation? This is the core focus of AI governance, which provides a structured framework of rules and risk management to ensure these technologies comply with both legal requirements and ethical standards.
This issue breaks down the core pillars of successful governance and shares best practices for deploying an AI governance policy seamlessly within your organization.
The Lexing® network members provide a snapshot of the current state of play worldwide.
The following countries have contributed to this issue: Argentina, Belgium, Brazil, Canada, Greece, Hong Kong, India, Mexico, South Africa, Spain, Sweden, and USA (East).
FREDERIC FORSTER
Executive VP of Lexing® network and Head of Telecommunications and Digital Communications at Lexing
AI governance is one of the most urgent priorities for boards and senior leaders right now. Principle 10 of King V (South Africa’s corporate governance code) makes the governing body or board of an organisation accountable for AI governance. AI governance is an imperative for organisations looking to leverage it to find better ways of working. Yet some have not started, others have a patchwork of documents, but all organisations should govern AI so they can use AI safely, securely, fairly, lawfully and responsibly.
Your AI Governance Policy is not your AI business strategy
Your AI strategy and AI Governance Policy are not the same thing.
- Your AI strategy defines your business goals, and the AI use cases your organisation will invest in to create business value.
- Your AI Governance Policy establishes the direction for how your organisation will govern AI, the principles that guide your decisions, and the accountability structures in place for AI initiatives.
- You can see the interplay between the two where part of your AI strategy is integrating AI into your core business operations. In this case, you will need a more comprehensive AI Governance Policy.
Choosing your governance approach
Since AI governance is relatively new, your organisation will be faced with judgement calls on how to govern AI. Several governments, institutions and organisations have put forward AI governance instruments (OECD (1), ISO (2), NIST (3), EU (4), SA (5)).
There is no single correct AI governance approach. In practice, a combination of approaches works best. What’s important is customising it to your business context.
Drafting your AI Governance Policy
You have options for drafting your AI Governance Policy, but whichever method you choose, your policy must at least contain the core components set out below.
- You can draft an AI Governance Policy from scratch if your organisation has specific requirements. In this case, we recommend using AI as a thinking partner. Feed it your older templates so it knows your style, but do not outsource the intelligence, since you must know how your organisation's specific decisions and details shape the policy.
- You can also use templates or precedents. This can be challenging as there may not be many tried and tested ones that exist. We recommend adapting your Data Protection Policy as it is a governance document you have drafted before, and the structure and approach translate reasonably well.
Related AI governance documents
Your AI governance sits within a broader governance framework where each document has a specific purpose. Organisations often confuse an AI Governance Policy with an AI Use Declaration or an Acceptable Use of AI Policy. They are distinct documents and you need to understand the difference:
- Your AI Use Declaration faces outwards and upholds the AI governance principle of transparency. It tells the outside world how your organisation uses AI, what data is involved and what safeguards are in place. Think of this as your AI use declaration or statement.
- Your Acceptable Use of AI Policy faces inward and upholds your AI governance principle of accountability. It makes employees responsible for their use of AI by setting clear boundaries for the use of AI and allocates roles and responsibilities in relation to AI use within your organisation.
In contrast, your AI Governance Policy flows downward from your board and upholds the AI governance principle of human oversight. It establishes the rules, policies, and ethical frameworks for responsible, legal, and safe AI use.
*****
(1) If your governance approach is principles based, use the OECD or UNESCO guidelines to articulate shared values and ethical norms without specifying processes.
(2) If your organisation follows a process based approach, ISO/IEC 42001 (AI Management System) sets out the processes, controls, roles and review cycles.
(3) If your approach is outcomes based, the NIST AI Risk Management Framework (AI RMF) can inform it. NIST helps you define what trustworthy AI looks like, then work backwards to achieve it.
(4) If your approach is risk based, follow the EU AI Act. It classifies AI systems by risk level and sets obligations accordingly.
(5) If your approach is to drive high adoption of AI in your organisation and integrate AI governance into your already existing governance structures, follow the South African National AI Policy. The SA AI policy, although withdrawn, requires organisations to use existing laws to govern AI and then implement targeted guidelines and standards for high-risk use cases in your context.
Further information
https://www.michalsons.com/blog/ai-policy-template-and-practical-guidance-for-organisations/80194
https://www.michalsons.com/blog/workplace-ai-governance-controls/81621
https://www.michalsons.com/blog/director-due-diligence/80263
https://www.ai.gov.au/sites/default/files/2026-05/AI-policy-guide-and-template.docx
JOHN GILES
&
KARABO MOKOENA
Although Argentina does not yet impose specific statutory obligations on the private sector regarding AI governance, multiple legislative initiatives currently under discussion in the National Congress point to a clear regulatory trajectory under which organizations will likely be required to ensure that employees’ use of AI complies with defined legal and operational standards. In this context, the implementation of an AI Governance Policy becomes critical as a proactive compliance and risk-management tool, enabling organizations to structure, control and document their use of AI in a manner that is lawful, secure, and aligned with emerging transparency and accountability expectations.
Defining a purpose
The first step in designing such a policy is to decide what the organization intends to use AI for. AI-based technologies may be used for low-risk activities, such as drafting an e-mail, summarizing a document or supporting brainstorming. They may also be used for more sensitive subjects, including data analytics, customer profiling or recruitment. Each purpose raises materially different legal, operational, reputational, cybersecurity and confidentiality risks and, hence, the policy ought to distinguish between permitted, restricted and prohibited uses.
Choosing a tool
Another key factor is that the policy should also define which AI systems are authorized and under what conditions. Employees should know whether they may use publicly available tools, or whether only company-approved platforms are permitted. On that note, it is important to keep in mind that some providers may use user inputs to train or improve their models, retain prompts or outputs, or offer limited contractual assurances regarding confidentiality, security and data deletion. Where sensitive information is involved, it is advisable that the organization only permits enterprise accounts and implements contractual protections with the provider against these risks.
Additional considerations
Furthermore, confidentiality and data protection should be at the forefront of the policy, determining when employees are barred from entering personal data or sensitive information into AI systems.
Governance and accountability are equally important. The organization should designate a person to oversee AI use, who approves higher-risk use cases, resolves employee questions and coordinates with the Legal, Compliance and IT departments.
In addition, human supervision is an important aspect. Employees should verify AI outputs before relying on them as they may be inaccurate or misleading. This is particularly relevant where the result will influence a business decision or affect third parties. For higher-risk use cases, documenting human review is advisable.
Conclusion
Finally, an AI Governance Policy should be able to adapt to the rapid evolution of this technology, its corresponding regulatory expectations and business practice. Hence, periodic review and employee training become essential to ensure that the organization adopts AI safely and responsibly while preserving flexibility for innovation.
PABLO A. PALAZZI
argentina@lexing.network
The coordination of AI within a company is a major topic.
Indeed, inappropriate use of AI could result in liability for the company, as well as for its directors.
Under Belgian law, pursuant to Articles 2:56 and 2:51 of the Code of Companies and Associations (1), members of the board of directors, and those responsible for day-to-day management or exercising the power to effectively manage the company, are responsible towards the company for management failure committed in the performance of their duties.
For instance, entering into a contract with a subcontractor after checking the subcontractor's required certification only through a public AI tool may be considered a management failure if a reasonably careful director would have performed further checks.
Similar personal liability risk exists for a company director who enters the company’s confidential data into an unsecured AI tool to prepare a board meeting.
In both of these examples, the director could be found to have committed management negligence and, as a result, could be held liable.
Employee training about the use of AI tools
Beyond their own actions, company directors could also be held liable for management failure arising from the use of AI within their company without ensuring appropriate supervision.
Since February 2, 2025, companies using AI systems must ensure a sufficient level of AI literacy among their employees and all persons involved in the operation and use of said AI systems (2).
*****
(1) Code des sociétés et des associations: https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2019032309&table_name=loi#LNK0054
(2) Article 4 of the AI Act: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
ALEXANDRE CRUQUENAIRE
belgium@lexing.network
What would your organization show if it were required to explain, with documented evidence, how an AI system was designed, tested, deployed, and monitored? And, beyond that, if it were required to demonstrate accountability, assessed risks, and safeguards when outcomes deviate from expectations? These questions separate a useful AI governance policy from generic guidance. In Brazil, CNJ Resolution No. 615/2025 (1) is particularly actionable because it was designed to withstand scrutiny. It frames governance as lifecycle management and adopts a risk-based approach, supported by practical audit and monitoring requirements.
What Resolution 615/2025 delivers that is most implementable
The CNJ framework is valuable because it ties governance to verifiable mechanisms.
- It requires minimum internal processes, including transparency, reporting, and designated responsible parties to oversee directives and improvements (art. 12).
- It also imposes a risk logic, with objective risk assessment criteria and reinforced measures for high-risk settings (arts. 9 and 11).
- In addition, it treats impact assessment as a continuous routine, with monitoring and corrective actions, which makes governance operational rather than merely aspirational (art. 14).
- Finally, it requires publication and organization in a risk-based catalogue, which forces a living inventory and coherent control calibration (art. 24).
These elements matter because they avoid the most common weakness in internal policies: values are described, but evidence, roles, and routines are not.
Where organizational policies must be more specific than the normative text
CNJ’s design is pragmatic. It avoids unworkable standards. Therefore, it allows practical auditability without requiring unrestricted access to source code (art. 1, § 2). This flexibility shifts responsibility to implementers. If internal policies do not define minimum evidence and verification methods, reports may exist without enabling meaningful scrutiny of bias, drift, systemic failures, or relevant impacts. Accordingly, the policy must add objective criteria, metrics, testing, and review routines.
This aligns with trustworthy AI scholarship, where specialists argue that principles must be converted into repeatable lifecycle practices with accountability and continuous validation (2). NIST’s AI RMF follows the same logic by structuring governance as ongoing mapping, measuring, and managing of risks in a verifiable manner (3).
How to structure the policy by themes, without gaps
Implementation starts with inventory and scope. The first chapter should require a centralized register of AI systems, including purpose, impacted stakeholders, autonomy level, data used, supplier, versions, and usage context. Without inventory, proportionality is impossible, and lifecycle governance cannot be demonstrated (art. 24).
Next, the policy must address risk classification and minimum controls per category. High-risk systems require stronger validation, robustness and bias testing, stricter change management, and frequent monitoring, consistent with CNJ’s risk-based governance model (art. 11). NIST’s AI RMF supports this design by structuring risk governance to avoid purely reactive controls.
Then, the policy must define roles, responsibilities, and human oversight with decision authority. It should specify who approves deployment, who authorizes material changes, and who can suspend the system. It should also include contestation pathways. In parallel, Brazilian Data Protection Law (LGPD) reinforces this structure by providing a right to human review of solely automated decisions affecting the data subject’s interests, and by requiring information on criteria and procedures, while preserving trade and industrial secrets (4).
The fourth chapter must consolidate practical auditability and continuous monitoring. The policy should require an evidence package per system, version history, data lineage, test records, performance and risk metrics, monitoring reports, and incident logs. ISO/IEC 42001 is useful as a management-system reference to structure review cycles and continuous improvement (5).
Finally, the policy must provide for transparency and training. Reporting does not work if decision-makers, operators, and supervisors are not trained. CNJ treats continuous capability-building within its internal process architecture and risk management expectations (art. 12). Trustworthy AI literature likewise emphasizes training, review, and accountability as distributed lifecycle practices (6).
Conclusion
A professional AI governance policy does not need to be long. It needs to be demonstrable. CNJ Resolution No. 615/2025 provides a Brazilian blueprint because it translates governance into verifiable routines, minimum internal processes, risk assessment, impact assessment, and a risk-based catalogue (arts. 12, 9, 14 and 24). At the same time, internal policies must define minimum evidence and validation criteria so that reporting does not become mere formality. When the blueprint becomes integrated chapters (inventory, risk, human oversight, evidence-based auditability, and training), governance shifts from promise to proof.
*****
(1) National Council of Justice (CNJ). Resolution No. 615, March 11, 2025: Establishes rules for the development, governance, auditing, monitoring, and responsible use of solutions that adopt artificial intelligence (AI) techniques within the Judiciary (our translation). Brasília, DF, 2025. Accessed May 4, 2026. https://atos.cnj.jus.br/atos/detalhar/6001
(2) Chen, Hsinchun, Roger H. L. Chiang, and Veda C. Storey. “Business Intelligence and Analytics: From Big Data to Big Impact.” MIS Quarterly 36, no. 4 (2012): 1165–1188. Accessed May 4, 2026. https://misq.umn.edu/misq/article/36/4/1165/1483/Business-Intelligence-and-Analytics-From-Big-Data
(3) National Institute of Standards and Technology. Artificial Intelligence Risk Management Framework (AI RMF 1.0). NIST AI 100-1. Gaithersburg, MD: NIST, 2023. Accessed May 4, 2026. https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf
(4) Brazil. Law No. 13,709 of August 14, 2018 (General Personal Data Protection Law—LGPD) (our translation). Diário Oficial da União (Brasília, DF), August 15, 2018. Accessed May 4, 2026. https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
(5) International Organization for Standardization, and International Electrotechnical Commission. ISO/IEC 42001:2023: Information Technology—Artificial Intelligence—Management System. Geneva: ISO, 2023. Accessed May 4, 2026. https://www.iso.org/standard/42001
(6) Li, Bowen, Guo-Jun Qi, Xian-Sheng Hua, et al. “Trustworthy AI: From Principles to Practices.” ACM Computing Surveys 55, no. 9 (2023). Accessed May 4, 2026. https://dl.acm.org/doi/10.1145/3555803
FLAVIA M. MURAD SCHAAL
&
DEYSE ALCANTARA DE LIMA
AI governance within an organization falls into two distinct categories:
- first, the management of AI systems developed or deployed directly by the organization; and
- second, the management of AI tools used by employees or other stakeholders to carry out the organization’s mission.
Every organization—whether they actively develop and deploy AI tools or not—should consider how AI use is governed internally. Below, we provide a brief overview of the obligations surrounding AI governance for organizations doing business in Canada, along with practical guidelines to help draft policies tailored to either of the scenarios described above.
Legal framework applicable to AI in Canada
Canada does not yet have legislation specifically dedicated to artificial intelligence (AI) governance. A federal bill was introduced but subsequently abandoned in 2025 (1). While a version of this bill is expected to be adopted eventually, until then, organizations operating in Canada must navigate a fragmented regulatory landscape composed of several instruments with varying scopes.
The most binding rules in Canada regarding AI usage are those related to personal information protection. AI-powered systems are not exempt from these regulations. Organizations must ensure they understand, on one hand, how personal information transmitted to an AI provider will be processed and, on the other hand, whether the systems deployed by the organization allow users to fulfill their privacy obligations. Without explicitly referencing AI processing, Canada’s applicable privacy laws (2) remain highly relevant to many types of data processing performed through AI tools.
The Office of the Privacy Commissioner of Canada, the body responsible for enforcing the federal privacy law (PIPEDA), has published principles aimed at promoting the responsible use of AI (3). These principles can serve as a foundation for developing an acceptable-use policy for AI.
Canadian provinces have jurisdiction over several matters affecting AI use, particularly regarding privacy protection. Consequently, the applicable rules may vary depending on the province in which an organization operates. For instance, Ontario has adopted a framework for trustworthy artificial intelligence that applies to the public sector (4).
Beyond the formal legal framework, organizations must consider their obligations to partners and clients regarding data that might be used in connection with AI tools. For many organizations, these obligations present a higher risk level than applicable statutes and regulations, and their breach can carry significant consequences. For example, sharing sensitive confidential information entrusted by a client with an AI tool without appropriate safeguards could constitute a violation of contractual obligations toward that client.
Guidelines for implementing AI governance policies
Effective internal AI governance requires establishing clear policies so that individuals within the organization know which best practices to adopt. The absence of a policy will not stop people from using AI tools; furthermore, an outright ban is usually ineffective and could cost the organization its competitive advantage.
Guidelines for establishing AI development policies:
- Establish a clear governance structure.
- If an AI tool is meant to process personal information, ensure compliance with the principles of necessity, proportionality, transparency, and accountability.
- Refer to the principles published by the OPC (3) and the former Bill C-27 framework (1) to plan for future compliance.
Guidelines for establishing policies on the use of AI-powered tools:
- Ask employees and collaborators which tools they use at work and for what specific tasks.
- Create an inventory of authorized tools along with the terms and conditions governing the use of each approved tool.
- Determine whether the use of AI tools is likely to lead to automated decision-making that requires specific oversight.
- Identify tools that meet collaborators’ needs while ensuring the protection of confidential information.
- Inform teams about the tools authorized by the organization and the types of information that are permitted to be uploaded to them. In Canada, particular attention should be paid to the processing of data that constitutes personal information.
- Educate teams on the consequences of the improper use of AI-powered tools.
*****
(1) Explanation of the proposed bill: https://ised-isde.canada.ca/site/innovation-better-canada/en/artificial-intelligence-and-data-act-aida-companion-document
(2) Law applicable to the private sector at the federal level: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
(3) Principles: https://www.priv.gc.ca/en/privacy-topics/technology/artificial-intelligence/gd_principles_ai/
(4) https://www.ontario.ca/page/ontarios-trustworthy-artificial-intelligence-ai-framework
BRUNO PROVENCHER-BORDELEAU
canada@lexing.network
Artificial intelligence is no longer optional: it is an everyday reality in most organisations. The challenge is not whether to use it, but how to use it responsibly. In Spain, organisations deploying AI operate under a layered framework that combines European regulation, national data protection law, sector-specific rules and general civil liability. Alongside this body of rules, AESIA (Spain’s AI supervisory authority) publishes practical guidance that translates regulatory obligations into concrete actions for deploying organisations.
Why does your organisation need an AI use policy?
Without a formal policy, your organisation is already using AI but without control. A large share of employees use AI tools for work-related tasks without company authorisation or oversight (shadow AI), and the majority have shared confidential data with external models. This creates direct liability as a “deployer” under the AI Act and as a data controller or data processor under the GDPR.
Applicable regulatory framework in Spain
- AI Act (Reg. EU 2024/1689): AI literacy mandatory; Prohibited practices in force; Transparency obligations; Inventory of high-risk systems;
- GDPR (Reg. EU 2016/679): Legal basis for processing data in AI; DPA with provider; Inform data subjects; International transfers; DPIA if high risk;
- LOPDGDD (LO 3/2018): Spanish general data protection law. Develops and complements the GDPR in the national context;
- Arts. 1101–1104 and 1902 of the Spanish Civil Code (CC): Civil liability for errors in unreviewed AI output. The AI system does not bear responsibility; the organisation does;
- Draft Spanish AI Governance Law: Currently in legislative process: will establish additional transparency and governance obligations for organisations deploying AI in Spain;
- Estatuto de los Trabajadores (RDL 2/2015): Right of works councils to be informed about the parameters, rules and instructions of AI-based algorithms or systems that may affect working conditions, access to and maintenance of employment;
- LSSI-CE (Law 34/2002) and Consumer Protection Law (RDL 1/2007): Information duties for AI-mediated commercial communications, chatbots and automated customer interactions; rules on unfair commercial practices when AI is used in consumer-facing contexts.
The role of AESIA and its guidance
AESIA (Agencia Española de Supervisión de la Inteligencia Artificial) is Spain’s national AI supervisory authority. Its remit includes market surveillance, handling complaints, imposing sanctions, and publishing technical compliance guidance. For deploying organisations, AESIA’s documents are a highly relevant source and the primary practical reference for translating the AI Act into concrete obligations.
Key AESIA resources your organisation should know:
- Risk classification and general obligations: framework for determining whether an AI system falls into the unacceptable, high, limited or minimal risk category under the AI Act, and the baseline obligations attached to each level.
- Risk management: structured methodology, aligned with ISO/IEC 23894, to identify, evaluate and mitigate risks to health, safety and fundamental rights across the AI system lifecycle.
- Data governance: requirements for training, validation and testing datasets to ensure quality, representativeness and prevention of discriminatory bias.
- Human oversight and AI literacy: design of technical mechanisms enabling effective human monitoring, and training obligations to mitigate over-reliance and automation bias.
- Traceability and technical documentation: event logging and up-to-date technical documentation supporting accountability, compliance audits and defence in litigation.
- Transparency and cybersecurity: clear instructions of use so deployers can interpret model outputs correctly, plus technical controls against AI-specific vulnerabilities and threats.
- Post-market monitoring and incident reporting: plans to track system performance after deployment and procedures to notify serious incidents to market surveillance authorities.
- AESIA Regulatory Sandbox: controlled experimental environment for organisations, including SMEs and startups, to run conformity-assessment simulations and validate regulatory and ethical adaptation with expert support.
The four pillars of effective AI governance
- 01 AI Use Policy:
- Minimum content: Approved tools; Permitted data categories; Mandatory human oversight; Incident protocol; Annual review;
- Regulatory reference: Art. 26 AI Act; Art. 5 GDPR; AESIA Literacy Guide.
- 02 AI Inventory:
- Minimum content: Register of every AI system in use: provider, purpose, data processed, risk level, signed DPA, internal owner;
- Regulatory reference: Art. 26 AI Act; Art. 30 GDPR (RoPA); AESIA Classification Guide.
- 03 Roles and responsibilities:
- Minimum content: AI Officer (management); DPO or GDPR lead; IT or external provider; Trained users;
- Regulatory reference: Art. 26 AI Act; AESIA Human Oversight, Cybersecurity and Data Governance Guides.
- 04 Approval process:
- Minimum content: Agile circuit for validating new tools;
- Regulatory reference: Art. 9 AI Act (risk management); AESIA Risk management Guide.
Tool approval and registration procedure
- Request:
- Action: Brief form: tool name, provider, purpose, data to be processed;
- Owner: Requesting employee / team / department.
- Legal review:
- Action: DPA check, GDPR legal basis, international transfers, AI Act risk level;
- Owner: DPO / Legal counsel.
- Technical review:
- Action: Security, audit logs, SSO, data location, encryption;
- Owner: IT / Technical provider.
- Controlled pilot:
- Action: Testing with non-sensitive data before final approval;
- Owner: User(s) team.
- Approval and registration:
- Action: Sign-off by AI Officer; Entry in inventory; Team training before go-live;
- Owner: Management / AI Officer.
Operational safeguards
Beyond the four pillars above, the following operational measures close the most frequent compliance gaps:
- Publish and communicate the list of approved tools.
- Keep the approval process fast: if it is slow, employees will act outside it.
- Train all staff: AI literacy is mandatory since 2 February 2025. AESIA has published guidance on the level of training required for each role.
- Set up an incident reporting channel with no-retaliation guarantees.
- Review the inventory every 6 months and update the policy annually or following significant regulatory changes.
Immediate action: roadmap
- Now: Verify no prohibited AI uses exist (Art. 5 AI Act). Audit tools already in use. Review AESIA guidance;
- Next 3 months: Draft AI use policy. Build inventory. Roll out basic AI literacy training;
- Before August 2026: Full compliance with AI Act transparency. Assess high-risk systems. Formally appoint AI Officer.
MARC GALLARDO
marc.gallardo@lexing.es
Artificial intelligence systems are rapidly becoming embedded into everyday business operations, often without corresponding internal governance mechanisms. Organizations increasingly rely on generative AI tools, automated analytics, cybersecurity solutions and decision-support systems, while employees frequently use publicly available AI systems independently and without centralized oversight. Against this background, implementing an internal AI Governance Policy is becoming a core organizational requirement, particularly following the adoption of the EU AI Act (1), which introduces the first comprehensive regulatory framework governing artificial intelligence systems within the European Union.
The AI Act adopts a risk-based approach, distinguishing between prohibited AI practices, high-risk AI systems and transparency obligations. Importantly, many organizations will qualify not as providers, but as deployers using AI systems during professional activities (2). This distinction remains significant because deployers themselves are subject to important obligations, particularly regarding high-risk systems (3). In practice, organizations increasingly need to determine not only whether AI systems may lawfully be used, but also under which governance conditions, approval procedures and oversight mechanisms such use may occur internally.
One of the most important concepts introduced by the AI Act concerns human oversight. High-risk AI systems must be deployed in a manner allowing effective oversight by natural persons (4). Organizations should therefore avoid governance structures where AI-generated outputs are accepted automatically without meaningful review or intervention capabilities. This becomes particularly relevant in areas such as recruitment, employee evaluation, profiling, fraud prevention and internal compliance monitoring. AI Governance Policies should accordingly define internal responsibilities, escalation procedures, approval requirements and circumstances under which AI-generated outputs cannot be relied upon autonomously. The AI Act also introduces obligations relating to AI literacy, requiring deployers and providers to ensure that relevant personnel possess a sufficient level of understanding regarding the operation and risks of AI systems (5).
Although the AI Act constitutes the primary regulatory driver, AI governance cannot operate independently from existing legal frameworks. AI systems frequently involve the processing of personal data, thereby triggering obligations under the GDPR and the Greek implementing framework (6). AI systems also increasingly form part of the broader cybersecurity attack surface, raising concerns relating to data leakage, model manipulation and operational resilience, particularly under the NIS2 framework and its Greek implementation (7). In parallel, organizations should ensure that internal reporting and escalation structures remain aligned with whistleblowing obligations (8), particularly where AI-related incidents or unlawful practices may need to be internally reported and investigated.
From a Greek perspective, organizations should also consider the existing domestic framework regulating AI systems under Law 4961/2022, which introduced early transparency and accountability obligations relating to artificial intelligence. The law includes provisions concerning algorithmic impact assessments, transparency obligations for public sector AI systems, workplace AI disclosures, AI registries and ethical data governance obligations (9). Private sector entities using AI systems affecting employment-related decision-making processes may already be subject to obligations requiring prior employee information regarding the parameters underpinning automated decision-making processes (10).
Accordingly, implementing an AI Governance Policy should not be viewed merely as a future compliance exercise connected to the AI Act. Rather, it increasingly constitutes a broader governance mechanism through which organizations can demonstrate accountability, manage operational and legal risks, and establish clear conditions for the responsible deployment and use of artificial intelligence systems.
*****
(1) Regulation (EU) 2024/1689
(2) Article 3 EU AI Act
(3) Article 26 EU AI Act
(4) Article 14 EU AI Act
(5) Article 4 EU AI Act
(6) Regulation (EU) 2016/679, Law 4624/2019
(7) Directive (EU) 2022/2555, Law 5160/2024
(8) Directive (EU) 2019/1937, Law 4990/2022
(9) Articles 5, 6, 9 and 10 Law 4961/2022
(10) Article 9 Law 4961/2022
GEORGE BALLAS
&
NIKOLAOS PAPADOPOULOS
AI use is at the core of business operations now. In a recent industry survey by the Privacy Commissioner for Personal Data in Hong Kong (PCPD), virtually all survey participants were using multiple AI tools daily and regularly in their business, and many were deploying agentic AI. Hong Kong adopts a principles-based approach to AI regulation, relying on existing laws and privacy and industry sector regulators to address legal and governance concerns. Organisations need to ensure AI systems are compliant, and deployed and used responsibly. This article provides a one-page guide to implementing an AI governance policy for your organisation.
1. Establish a strategy
Identify the AI solutions that represent the business priorities of your organisation. Remember that poor data governance amplifies AI risks. So, collect and prepare the data carefully. Customise the AI model for your organisation’s particular needs. Test, evaluate and validate for operation, accuracy, privacy and security.
2. Establish governance
Establish policies, plans, guidelines and processes to manage governance considerations. These include policies addressing privacy, security and ethical considerations, legal and regulatory compliance guidelines, data processing arrangements, AI supplier evaluation processes, practical use guidelines and training, feedback and review processes, and management, governance and oversight committees and processes.
3. AI impact assessment
An AI impact assessment is a structured process designed to gather information, identify and evaluate the risks and benefits of a proposed AI system, and provide practical recommendations. An AI impact assessment begins with defining the business purpose and setting clear objectives for adopting AI, including measurable benefits such as efficiency gains or cost reduction. It should then assess safety and reliability, ensuring the system performs consistently and that there are processes to monitor data quality, manage risks and maintain appropriate human oversight. It should also establish accountability by putting in place clear governance structures, defined roles and responsibilities, and appropriate disclosures to stakeholders on how AI is used.
4. Establish compliance
Your organisation must also address privacy and legal compliance. It should review how personal data is collected and used and ensure that appropriate data minimisation and protection measures are in place. It should also consider intellectual property, product liability and contractual risk.
5. Stakeholder engagement
AI deployment and use is a management and governance process. The recommendations in the procurement, testing and assessment phases must be acted upon. There should be a formal record of the adoption of recommendations so that functional business units are mandated to follow the approved recommendations. There should be training and awareness for all relevant staff on best practice standards in AI use. There should be communication and engagement, with feedback and review cycles, for all stakeholders – staff, customers and suppliers.
Conclusion
The success of AI deployment and use in an organisation is inextricably linked to effective, practical management of AI strategy and governance.
PÁDRAIG WALSH
hongkong@lexing.network
Since the introduction of open source and proprietary large language models (LLMs) and generative pre-trained transformers (GPTs), access to AI has increased steeply.
As AI adoption accelerates across sectors, its attendant risks, and the need for AI governance, have also become apparent. For legal advisors in India, the focus is on how organisations can deploy AI responsibly, safely and in compliance with evolving Indian regulatory expectations.
Regulatory Background
India’s AI governance landscape is relatively permissive rather than prescriptive. Aside from obligations under the Digital Personal Data Protection Act, 2023 and its rules, the approach leans towards guidance and policy rather than mandates.
The recently released India AI Governance Guidelines identify seven core principles for responsible AI adoption: trust, people-first design, innovation over restraint, fairness and equity, accountability, explainability, and safety and resilience. (1) Similarly, the RBI’s FREE-AI Framework emphasises governance, protection, assurance and human oversight in AI systems used within the financial sector. (2) While these frameworks are not binding, they provide valuable guidance for organisations developing internal AI governance structures.
That said, there are also indications of legislative change, particularly at the intersection of intellectual property law and AI, (3) which are likely to affect the availability of data for training LLMs and the copyrightability of AI-assisted or AI-created works. (4)
AI Governance Policies for India
Drafting an AI governance and/or use policy in India requires deep understanding of the organisation, its internal structure, its sector of operation and the regulatory background. Set out below are some key considerations in this regard.
1. Understanding Applicable Jurisdictions
One of the first steps is identifying the jurisdictions where the organisation operates, and whether any of those jurisdictions has a more stringent regulatory approach to AI. If so, the policy may either be aligned to such regulation globally, or, in that jurisdiction, with the policy elsewhere being more tailored to local regulation.
2. Defining Permitted AI Use Cases
The next step is to assess the AI use cases within the organisation and the level of risk associated with each. Many organisations are currently using publicly available generative AI tools without formal internal controls – including ‘shadow AI’ where employees use AI tools without the knowledge or approval of management. This creates significant confidentiality, cybersecurity, data protection and regulatory risks.
Organisations should therefore maintain an approved inventory of AI tools and define permissible use cases. Higher-risk activities (such as automated customer profiling in financial services, recruitment screening or regulatory decision-making) should specifically be marked as requiring enhanced approvals and mandatory human oversight.
3. Bias, Hallucinations, Fairness and Explainability
AI systems may unintentionally produce biased or discriminatory outcomes based on their training data and model design, particularly in sectors such as banking, insurance, recruitment, securities markets and healthcare.
Accordingly, AI governance frameworks should require appropriate risk assessments and guardrails prior to deployment, while also recognising these risks within organisational AI use policies and prescribing measures to mitigate them.
Given the tendency of AI systems to hallucinate, policies should require that AI outputs be verified before they are relied upon. Governance policies must also address data handling risks. In particular, organisations should establish clear rules on: (i) uploading personal data into third-party AI systems; (ii) use of confidential or sensitive information; (iii) cross-border data processing; and (iv) data retention and deletion protocols.
4. Vendor and Third-Party AI Risk Management
Many organisations rely on external vendors, SaaS platforms and embedded AI solutions rather than developing AI tools internally. However, outsourcing AI functionality does not eliminate regulatory or legal responsibility. This risk extends to third-party service providers that may themselves use AI tools while delivering services.
AI governance policies should therefore mandate due diligence on vendors, including assessment of: (i) vendors’ AI use policies and AI tools used in service delivery; (ii) cybersecurity standards; (iii) data storage and localisation practices; and (iv) compliance with Indian data protection and sector-specific regulations. In the absence of clear legislative standards, key issues such as liability allocation, audit rights and incident reporting obligations should be contractually addressed.
This approach aligns with sectoral regulators’ guidance in India, emphasising third-party oversight and operational resilience. Organisations should therefore ensure these considerations are reflected not only in internal policies, but also in contractual negotiations with vendors and service providers.
Conclusion
AI governance is rapidly evolving from a technical concern into a core business governance issue. Indian regulators are increasingly expecting organisations deploying AI systems to demonstrate accountability, transparency, risk management and responsible use.
This creates a significant opportunity for legal advisors to help clients move beyond generic AI policies and implement practical governance frameworks tailored to their industry, risk profile and operational needs.
Importantly, an effective AI governance policy should enable not restrict the adoption of AI by helping organisations innovate confidently while safeguarding data, ensuring compliance, mitigating risk and maintaining stakeholder trust.
*****
(1) Ministry of Electronics and Information Technology, Government of India, India AI Governance Guidelines: Enabling Safe and Trusted AI Innovation (2025), available at https://www.psa.gov.in/ai-mission-initiatives (last visited May 27, 2026)
(2) Reserve Bank of India, FREE-AI Committee Report: Framework for Responsible and Ethical Enablement of Artificial Intelligence dated August 13, 2025, available at RBI – FREE AI Committee Report (last visited May 27, 2026).
(3) Department for Promotion of Industry and Internal Trade, Ministry of Commerce and Industry, Government of India, Working Paper on Generative AI and Copyright: Part I – One Nation One License One Payment: Balancing AI Innovation and Copyright (December 2025), available at https://www.dpiit.gov.in/static/uploads/2025/12/ff266bbeed10c48e3479c941484f3525.pdf (last visited May 27, 2026).
(4) There is ambiguity at the moment, on whether AI-assisted works can be copyrighted, and if so, the standards by which the extent of human involvement would be judged, to assess whether an AI-assisted work could be registered or not.
HARINI SUDERSAN
&
BILAL LATEEFI
The Current Legal Framework in Mexico
Mexico has no specific legislation on artificial intelligence. AI governance rests on an evolving and fragmented legal framework: the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP, renewed in March 2025), the Federal Copyright Law (LFDA), and the Federal Law on Industrial Property Protection (LFPPI, reformed in April 2026). The supervisory authority for personal data protection is now the Secretaría Anticorrupción y Buen Gobierno (SABG — Secretariat for Anti-Corruption and Good Governance), which replaced the now-defunct INAI as of May 9, 2025.
Steps to Implement an AI Governance Policy
Any organization operating in Mexico that uses AI systems — whether as a developer or as an end user — should adopt, at a minimum, the following measures:
- Mapping and classification of AI systems: identify which AI tools are in use, their purpose, and what data they process, distinguishing those that involve sensitive personal data.
- Vendor contract management: incorporate clauses on ownership of AI-generated outputs, confidentiality of training data, liability for algorithmic bias, and compliance with the LFPDPPP before the SABG.
- Data Protection Impact Assessment (DPIA): mandatory when the system processes sensitive data or makes automated decisions that affect individuals’ rights.
- Internal governance and training: designate an AI officer, establish acceptable-use protocols, and train teams on the ethical and legal risks of generative AI tools.
- Intellectual property: document the human contribution in every creative or inventive process involving AI, as evidentiary support before the IMPI and INDAUTOR. Note: following the April 2026 reform to the LFPPI, using AI to commit industrial property infringements is now expressly sanctionable.
The Risk of Copying the European Model Without Adaptation
Warning: Mexico’s legislative debate is pointing toward an almost literal transposition of the EU AI Act (EU Regulation 2024/1689). This approach would ignore the very different maturity of the Mexican business ecosystem: the compliance burdens — risk assessments for high-risk systems, technical audits, mandatory registries — are calibrated for large European corporations and could paralyze Mexico’s startup ecosystem.
Mexico should pursue proportionate, context-sensitive governance, drawing inspiration from more flexible frameworks such as the UK’s principles-based approach or Canada’s sectoral model. This means developing regulatory cooperation mechanisms with countries that share compatible open-market frameworks — particularly with the United States under the USMCA — and ensuring that alignment with Europe does not become a barrier to domestic innovation.
Current Status of the LFPPI and LFDA in the Face of AI
The LFPPI reform of April 3, 2026 (Official Gazette, in force since April 4, 2026) significantly modernized the industrial property system: it introduces mandatory resolution deadlines before the IMPI (1 year for patents; 5 months for trademark registrations), the provisional patent application, new categories of trademarks (multimedia, motion, and position marks), and — critically for AI governance — expressly classifies the use of artificial intelligence to commit industrial property infringements as an administrative violation (reformed art. 386).
However, the reform did not resolve the most critical gap: art. 36 of the LFPPI still reserves inventor rights exclusively to the “natural person who creates an invention,” and art. 46 defines an invention as “any human creation.” Neither the LFPPI nor the LFDA recognize AI systems as authors or inventors. The recommended practice remains to document the human contribution that designed, supervised, and validated the AI-assisted process.
This position is consistent with international consensus: the UK Supreme Court (Thaler v. Comptroller-General, [2023] UKSC 49, December 2023) and the US Federal Circuit (Thaler v. Vidal, 43 F.4th 1207, August 2022) both hold that AI cannot be an inventor; rights vest in the human being who directs it.
*****
LEGISLATION
(1) LFPDPPP: New Federal Law on Personal Data Protection Held by Private Parties, in force since March 21, 2025. Repeals the 2010 version. Designates the SABG as the new supervisory authority. (2025)
(2) LFPPI: Federal Law on Industrial Property Protection, reformed April 3, 2026 (Official Gazette). 200+ articles amended. Art. 36 & 46: inventor remains a natural person. Art. 386: new sanctions for AI-enabled infringements. (2026)
(3) LFDA: Federal Copyright Law (1996, reform pending). Still requires a human author; gap remains on AI-generated works.
REGULATORY BODIES
(4) SABG: Secretariat for Anti-Corruption and Good Governance. New personal data authority since May 9, 2025, replacing the now-defunct INAI.
(5) IMPI: Mexican Institute of Industrial Property. Communicated the LFPPI 2026 reform as a strengthening of the IP system ahead of the USMCA review.
(6) INDAUTOR: National Copyright Institute. Has rejected registration of AI-generated designs for lack of identifiable human intellectual activity.
COMPARATIVE REGULATION
(7) EU AI Act: EU Regulation 2024/1689, in force since August 2024. Central reference in Mexico’s legislative debate; risk of uncritical adoption by emerging economies.
(8) OECD AI Principles: (2019, updated 2024). Flexible framework adaptable to different levels of regulatory development.
CASE LAW
(9) Thaler v. Vidal: US Federal Circuit, 43 F.4th 1207 (August 2022). AI cannot be an inventor under the US Patent Act.
(10) Thaler v. Comptroller-General: UK Supreme Court, [2023] UKSC 49 (December 20, 2023). Only natural persons may be inventors under the Patents Act 1977.
(11) DABUS / EPO: Decision J 0008/20, European Patent Office (2021). Refused to recognize an AI system as an inventor.
MITZY PÉREZ
As organizations in Sweden rapidly integrate artificial intelligence into their operations, moving beyond tech-optimism toward structured AI governance has become an administrative necessity. Successful AI governance mitigates compliance risks, protects data privacy, and builds essential trust with Nordic consumers and regulators. Given the dual-enforcement environment of European and national regulations, bridging the gap between technical deployment and legal alignment is a critical challenge that Swedish entities must address.
Defining AI Governance
To establish a clear operational baseline, AI Governance can be defined as the internal framework of rules, risk assessments, and accountabilities established to ensure an organization’s AI technologies align with both its legal obligations and ethical principles. This structured approach moves corporate responsibility from theoretical ethics to enforceable, day-to-day business practices. By anchoring this definition at the core of corporate policy, Swedish entities can systematically evaluate algorithmic impacts while maintaining compliance with shifting cross-border legal standards (1).
Harmonizing AI with GDPR and IMY Supervision
A foundational pillar of AI governance in Sweden is recognizing that the AI Act and the General Data Protection Regulation (GDPR) operate simultaneously. The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY) has heavily prioritized AI oversight, specifically targeting the use of AI in public and private ecosystems. Policies must mandate that any training data or prompt processing involving Swedish citizens adheres strictly to data minimization, lawful grounds, and the completion of rigorous Data Protection Impact Assessments (DPIAs) (2).
Adopting National Guidelines for Generative AI
For organizations deploying large language models or automated text/image tools, the joint national guidelines launched by IMY and the Swedish Agency for Digital Government (Digg) offer a vital blueprint (3). Originally designed for public administration, these comprehensive guidelines serve as an exceptional best-practice standard for the private sector. AI policies should explicitly incorporate these national recommendations, covering lifecycle management, procurement ethics, cybersecurity, and labor law impacts.
Enforcing the “Human-in-the-Loop” Mandate
Swedish legal principles do not recognize AI systems as independent legal entities; liability invariably tracks back to the natural or legal persons operating them. Drawing from recent IMY regulatory sandbox findings (such as the Atea/Lidingö Municipality public record AI initiatives) (4), organizations must implement a strict “human-in-the-loop” mechanism. Internal policies must dictate that AI is strictly an auxiliary tool, requiring human case handlers to independently verify and sign off on automated outputs before any legal or operational execution.
Continuous Compliance Monitoring and Open Collaboration
Organizations are encouraged to leverage national resources like AI Sweden to embed transparency, objectivity, and data sustainability into their corporate cultures. Continuous employee training and proactive legal auditing will ensure that Swedish enterprises maintain a competitive, legally compliant edge in a rapidly changing digital landscape.
*****
(1) See ISO/IEC 42001 (Artificial intelligence – Management system) and the OECD AI Principles for the baseline international criteria on organizational accountability and ethical AI frameworks.
(2) GDPR, Art. 6(1) (Lawfulness of processing) & Art. 35 (Data Protection Impact Assessments).
(3) Digg & IMY Joint Guidelines on Generative AI: https://www.digg.se/ai-for-offentlig-forvaltning/riktlinjer-for-generativ-ai
(4) IMY Sandbox Report: Disclosure of Public Records Using AI (Diarienummer: IMY-2024-5156) https://www.imy.se/globalassets/dokument/rapporter/english-summary-disclosure-of-public-records-using-ai.pdf
KATARINA BOHM HALLKVIST
&
ANDRES ALMA
The U.S. still lacks a single, comprehensive federal AI statute for the private sector, but organizations doing business in the United States already face a growing mix of state laws, existing consumer protection and civil rights rules, sector-specific obligations, and federal guidance that together create real governance expectations. A written AI governance policy helps translate that fragmented landscape into operational rules for procurement, development, deployment, testing, oversight, and incident response.
The strongest starting point remains the National Institute of Standards and Technology AI Risk Management Framework. Although voluntary, the NIST framework gives organizations a credible structure for governing AI risks through its four core functions: Govern, Map, Measure, and Manage. NIST’s generative AI profile adds more detailed guidance for organizations using or deploying generative systems, including documentation, testing, monitoring, and controls around misuse and downstream impacts. (1)
Why a policy is necessary
A workable AI governance policy should identify which systems are covered, classify uses by risk, assign responsibility, and require controls before deployment and during use. At a minimum, organizations should address:
- cataloging AI systems and vendors, including internal tools and externally procured models;
- documenting intended use, data sources, outputs, and foreseeable impacts on individuals and business processes;
- pre-deployment testing for accuracy, bias, privacy, cybersecurity, and reliability;
- human oversight for consequential uses, including employment, lending, insurance, housing, healthcare, education, and legal services; and
- consumer-facing notices, escalation paths, record retention, and periodic review.
This is especially important because many U.S. AI obligations do not arise from a law labelled “AI.” They often arise from privacy statutes, unfair and deceptive practices standards, anti-discrimination rules, procurement requirements, or sector-specific obligations that apply when AI is used in regulated contexts.
The state-by-state patchwork
The clearest challenge for multinational and multistate organizations is fragmentation. State legislatures have moved faster than Congress, producing a patchwork of laws that differ by subject matter, sector, and compliance model. Colorado’s 2024 AI law is a notable example because it imposes obligations on developers and deployers of certain high-risk systems, including requirements tied to algorithmic discrimination, disclosures, impact assessments, and governance measures. Though the future of Colorado’s AI law is uncertain at the time of this writing, it nonetheless illustrates the direction of travel: lawmakers are focusing on high impact uses, transparency, and accountability. (2)
California provides another important signal. Instead of adopting one broad private-sector AI law, California has enacted multiple AI-related measures addressing transparency, deepfakes, health-related uses, privacy, and state agency oversight. For organizations doing business nationally, the practical lesson is familiar from U.S. privacy law: building to meet the most demanding state requirements can reduce friction and legal uncertainty across the rest of the country. (3)
Best practice
In real terms, the most defensible course is to draft one enterprise policy that assumes the organization may be subject to the strictest applicable U.S. requirements. That generally means:
- treating high-impact AI uses as governed activities that require formal review and approval;
- requiring vendor diligence and contract controls for third-party AI tools;
- aligning notice, appeal, and human review processes to the most stringent plausible standard; and
- building auditable documentation that can be used across privacy, consumer protection, employment, and civil rights inquiries.
This approach is not simply conservative. It is efficient. It reduces the cost of redesigning controls state by state and positions the organization to respond if additional states adopt broader AI laws or regulators begin to treat governance failures as evidence of unfair, deceptive, or discriminatory practices.
Federal role and recent executive action
The federal government remains relevant in three key respects. First, federal agencies continue to enforce existing laws that apply to AI, including consumer protection, fair lending, employment, and civil rights rules. Second, NIST and other federal bodies continue to shape the practical baseline for responsible AI governance. Third, presidential administrations can accelerate or slow federal coordination even without enacting a comprehensive AI statute.
President Trump’s January 23, 2025 Executive Order, “Removing Barriers to American Leadership in Artificial Intelligence,” revoked the prior administration’s 2023 AI executive order and directed a review of federal AI policies that are seen as obstacles to innovation. The order reflects a deregulatory posture at the federal level and a policy preference for promoting U.S. AI leadership. However, it does not eliminate state regulations, private litigation risk, or the application of existing federal statutes. For most private organizations, the practical fallout has therefore been more limited than the rhetoric might suggest: the executive order changed the tone of federal policy, but it did not create a safe harbor from compliance obligations arising elsewhere. (4)
Thus, organizations should resist the temptation to read a deregulatory federal signal as a reason to delay governance. The absence of a single federal rulebook does not mean the absence of risk. It means governance must be built to withstand a fragmented and changing environment.
What an effective U.S. AI governance policy should include
At a minimum, the policy should require:
- board or executive accountability, with a named owner for AI governance;
- an AI use inventory and risk-tiering process;
- privacy, security, bias, and accuracy testing before launch and during material changes;
- rules for procurement, contract language, and vendor monitoring;
- escalation procedures for incidents, complaints, and model failures; and
- training for employees on approved uses, prohibited uses, and documentation expectations.
Conclusion
For organizations that do business in the United States, AI governance should be treated as an enterprise compliance discipline, not a technology side project. The legal environment remains decentralized, and federal policy may continue to shift from one administration to the next. Yet that uncertainty is itself a reason to act. A policy grounded in risk identification, documentation, human oversight, and the most demanding applicable state standards is the best way to create a durable governance framework for the U.S. market. In short, the most practical U.S. rule is this: govern AI as though the strictest regulator, the closest litigant, and the next legislative session all matter, because they do.
*****
(1) NIST Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, July 26, 2024
(2) Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intelligence, published 2024 session page: https://leg.colorado.gov/bills/sb24-205
(3) National Conference of State Legislatures, Artificial Intelligence Legislation Database, May 1, 2026: https://www.ncsl.org/financial-services/artificial-intelligence-legislation-database
LEE MERREOT