Compliance & Legal

Why this function belongs in the AI Operating Model

In regulated industries, an AI initiative carries legal risks: automated decisions affecting customers, processing of personal data, regulatory requirements for explainability and audit, and rights to use third-party models and data. Compliance and legal determine what is permissible at all, before the team invests resources in delivery.

This function works closely with InfoSec and risk management, but it owns its own layer — compliance with the law and regulatory requirements, not technical threats.

Where it engages

AI Operating Model stage    Role of compliance & legal
------------------------    ---------------------------------------------------------------------------------
Assessment                  Determines the applicable regulation and the fundamental permissibility of the scenario
Before the pilot            Approves personal data processing, legal bases, consents, vendor contracts
Before production           Issues a legal opinion: disclosure, explainability, liability
In support                  Tracks changes in regulation and license terms

What the function receives as input

  • The use-case scenario and the nature of the decisions (informational vs. automated, customer-affecting).
  • A list of data and the legal bases for its processing (jointly with InfoSec and the data warehouse).
  • Model and service vendors, license terms, and data-processing terms.

What the function delivers as output

  • A legal opinion on permissibility and conditions.
  • Requirements for information disclosure, explainability, and recording of decisions.
  • Constraints on data, jurisdictions, and use-case scenarios.

Key touchpoint artifacts

  • Initiative legal opinion — permissibility, legal bases, constraints.
  • Personal data impact assessment — which personal data is used and on what basis.
  • Register of vendor contracts and licenses — rights to use models and data.

Anti-patterns

  • Calling in legal at the end. A fundamental prohibition surfaces after delivery — resources are wasted.
  • "The AI will decide on its own." Automated customer decisions without explainability and logging are a direct regulatory risk.
  • Gray licenses. Using a model or data without verifying the rights to commercial use.