A. Introduction
There are many different types of artificial intelligence (AI)Footnote 1 and those that were initially introduced in the legal and other domains tended to be purely reactive and specialise in one area or task. More recently, AI, has resulted in systems that can use their “experience” to make decisions or execute appropriate actions. An extension of this type of AI is AI that can understand thoughts and emotions by organising large amounts of data and information to enable it to have “conversations” and engage as an AI worker or an AI assistant in a more sophisticated manner. AI which is still being developed and in part awaits the development of quantum computing, is sentient, self-aware, intelligent, and perhaps imbued with consciousnessFootnote 2 or which may be merged with humans via neurotechnologies.
Each type of AI—whether supportive, replacement, or disruptive—requires differing governance arrangements.Footnote 3 For example, in relation to the more simplistic forms of AI, it is probable that existing governance arrangements that often relied on an information technology (IT) manager would be sufficient in most organizations to manage risk as the AI is confined to one task or activity. Although the cyber risks and confidentiality issues might still emerge, these issues might be dealt with via simple regulatory and governance responses with a devolution to an IT manager or key person. As AI has begun to replace humans by engaging in conversations and making decisions, the risks posed by disruptive forms of AI have increased, leading to adverse outcomes such as cloning, enhanced cyberhacking, and loss of human interaction. Broader ethical issues are also more prevalent with these types of disruptive technologies that can influence democratic arrangements as well as individual rights, particularly as AI becomes sentient. Naturally, in this context, the governance issues become more complex as there is a greater likelihood of incorrect decisions. Bias and risks are more likely to be present because the AI may be more susceptible to threats and poor learning environments. At times, governance is equated with the regulatory environment; however, it also incorporates the structures and processes within organizations that can assist in managing these types of risk and can also ensure that organizations can be innovative and lead in the ever-changing AI environment.
AI governance has also become more complex as the regulatory arrangements that relate to AI can change rapidly. It can be difficult for organizations to respond to rapidly changing approaches that may be formulated by a range of government and non-government bodies. For example, in February 2024, the UK government announced that it was prepared to support a “binding” oversight approach to AI.Footnote 4 Furthermore, in his address to Parliament in July 2024, King Charles stated that the government “will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models.”Footnote 5 In contrast, in early 2025, Prime Minister Starmer unveiled the AI Opportunities Action Plan. Unlike the regulatory emphasis in the King’s Speech just months ago, the new approach prioritizes economic growth and technological advancement, backed by £14 billion in private sector investment commitments.Footnote 6 For organizations involved in developing AI, these changes in policy and regulation can be confusing. For those involved in AI within organizations, it can be difficult to manage risk and the changing regulatory regime.Footnote 7 With AI, governance includes managing a complex array of legislative arrangements that can also include, for example, consideration of laws relating to Intellectual Property (IP), copyright, and contracting.Footnote 8
Within law firms, courts and to some extent government, governance has often been dealt with via a hierarchical approach. That is, a managing partner, judge or government official makes decisions that are strategic and operational, often after having some input from a committee or trusted advisors. AI governance in contrast requires a responsive and proactive approach that may involve input from all levels of an organization as well as rapid response times and lateral decision making. AI governance in this context refers to the framework of policies, and processes that guide the responsible development, deployment, and management of AI systems. AI governance can ensure that AI technologies operate ethically, transparently, and in alignment with legal, regulatory, and organizational objectives.Footnote 9
The evolution of AI governance arrangements in the legal world is also linked to AI literacy and education arrangements, and often an organizational AI governance body will be involved in ensuring that both AI literacy and innovation are supported. There can also be a distinction made between those legal organizations that develop AI systems internally and those that procure externally provided systems. For example, organizations developing AI systems internally must ensure that their AI governance frameworks include clear definitions of roles and responsibilities, continuous monitoring, impact assessments, and regular audits to ensure compliance with ethical and legal standards.Footnote 10 Those that rely on external procurement will still need to have the same mechanisms in place. However, it is probable that the operating requirements will differ as suppliers may be able to undertake some of this work and educational work may be farmed out to suppliers. Where AI systems are provided by third parties, organizations need to ensure that the providers offer sufficient guarantees for privacy and data protection. This includes specifying privacy and data protection requirements in contracts and ensuring that providers’ algorithms, data, protocols, designs, and implementations are open for external review and/or testing.Footnote 11 Within law, there may also be a need to educate clients and experts so that neither face sanctions by a court for using AI in an inappropriate manner.
In contrast to more hierarchical governance structures, AI governance within law organizations requires additional and widespread consultation and input. For example, all stakeholders, including researchers, developers, and users of AI systems as well as legislators and regulators and even clients, should contribute to ensuring that the further evolution of AI systems is governed by agreed principlesFootnote 12 that encompass aspects such as fairness, accountability, transparency, privacy, and non-discrimination.
As discussed below, over the past few years, the AI governance landscape has become considerably more defined, with several governments proposing policies for governing AI technologies within their jurisdictions. While AI governance initiatives are still nascent, distinct approaches to regulatory policy appear to be emerging in different jurisdictions. This divergence has the potential to undermine international cooperation on AI governance and bring about challenges for regulatory interoperability. Understanding the similarities and differences between different governments’ approaches is an important first step for promoting deeper cooperation and improved interoperability of regulatory frameworks for AI.Footnote 13
This Article focuses on AI governance by initially considering how it is being addressed through a range of regulatory measures in different jurisdictions and at the international level, before exploring AI governance implemented in the legal domain by reference to the structures and processes that operate, as well as the use of risk assessment tools and ethical assessments. This methodology results in two critical contributions that this Article makes to the current knowledge base in relation to AI governance. First, this Article shifts the discussion of ethical assessments from “saturated”Footnote 14 topics often in the criminal area and linked to algorithmic use, such as “fairness” and “transparency,” to underexplored “truth decay” and “deep fakes” that are inherently relevant to the legal realm. Second, the authors found that most of the existing scholarship work on AI governance adopts a rather broad approach, addressing ethical and policy challenges associated with AI use. By contrast, this Article proposes a novel framework specific to AI governance in the legal domain which is grounded in the institutional realities and regulatory needs of courts, law firms and other legal organizations.
B. Overview of Regulatory Approaches to AI Governance
AI is regulated in a range of ways around the world taking the form of, arguably, two main approaches: namely legislation and principles-based regulation.Footnote 15 Legislation can be directed at specific or anticipated AI changes in a range of areas, such as privacy and cyber protective legislation—legislation about AI—Footnote 16or take the form of a comprehensive legislation targeting AI—legislation on AI—as discussed below. In contrast, the principles-based approach can be focused on guiding the development of AI systems and tools. Despite the various forms, these approaches are essentially directed at encouraging ethical use of AI while managing associated risks, discussed further below, and governance. Questions about “how” organizations manage AI has so far received little regulatory or scholarly attention, although the regulatory regimes and ethical requirements have been the subject of extensive commentary.Footnote 17 That is, regulatory bodies have often set out AI requirements, yet have not addressed key governance arrangements, and there may be an expectation that existing governance approaches are sufficient.
The foundations of good AI governance approaches include ensuring that AI is integrated into organizations so that:
Senior leadership is engaged with AI governance.
Adequate risk assessments are undertaken.
Core ethical requirements are observed.
Regular auditing and reporting take place.
Education and AI literacy is supported.
Escalation processes are in place.
Regulatory processes are complied with.
Innovation is encouraged and where appropriate supported.Footnote 18
In the legal arena, there are many additional subfactors that may be considered under each governance element. For example, there may be additional concerns about safety and confidentiality that require that data management approaches conform to internal as well as external client requirements and supporting innovation may require the use of sandbox and other approaches that can be linked to legal profession and regulatory initiatives.
While regulating AI, applications predominantly are focused on risk management, and two distinct regulatory paradigms arising from the two main approaches, as noted above, have emerged worldwide, one producing what the authors describe as “hard law,” including legislation, government regulations, executive orders, and the other featured by “soft law” instruments, such as industry standards, ethical guidelines and voluntary compliance frameworks.
I. Hard Law Approach
The European Union (EU) has what has been defined as a robust regulatory framework for AI, emphasising safety, data protection, transparency and accountability. The EU’s governance approach is characterised by a strong regulatory framework that emphasises data protection.Footnote 19 The General Data Protection Regulation (GDPR) is a cornerstone of this approach, requiring organizations to implement privacy by design and by default, conduct data protection impact assessments, and ensure transparency in automated decision-making processes.Footnote 20
Further, beyond data regulation and with a holistic hard law approach characterised by legislation, the European Commission proposed harmonized rules on artificial intelligence—the EU AI Act—in 2021. Following an extensive consultative and approval process, the EU Parliament approved the initial draft in May 2023, followed by an official voting process, resulting in the passage of the draft bill into law in March 2024.Footnote 21 This AI legislative approach recognises risks, aside from the many beneficial uses of AI, and that technology can be misused and provide novel and powerful tools for manipulative, exploitative and social control practices. Such practices are particularly harmful and abusive and should be prohibited because they contradict the EU’s values—respect for human dignity, freedom, equality, democracy, and the rule of law, and fundamental rights.Footnote 22
The EU AI Act includes that AI systems used to influence the outcome of democratic processes should be defined as high-risk:
AI systems intended to be used to influence the outcome of an election or referendum or the voting behaviour of natural persons in the exercise of their vote in elections or referenda should be classified as high-risk AI systems with the exception of AI systems whose output natural persons are not directly exposed to, such as tools used to organise, optimise and structure political campaigns from an administrative and logistical point of view.Footnote 23
In addition to the EU, some other jurisdictions have also considered a legislative response to AI governance, including Canada, South Korea and Japan. Although currently there is no regulatory framework specific to AI, Canada is one of the first countries in the world to propose a law to regulate AI. A Bill was introduced in 2022 for the Artificial Intelligence and Data Act which would adopt a risk-based approach to regulating AI.Footnote 24 The Bill has not been passed and remains under consideration. According to the Bill, if an AI system were assessed as high impact, a risk mitigation plan would be required, including measures to monitor risks, and information provided about how the system will be used and whether it will generate decisions, recommendations or predictions. In South Korea, the Framework Act on Artificial Intelligence Development and Establishment of a Foundation for Trustworthiness—AI Framework Act—was made law in January 2025, marking South Korea the first Asian country to adopt a comprehensive AI legislation.Footnote 25 Four months later, a similar legislative landmark move occurred in Japan with the passing of the Act on the Promotion of Research and Development and the Utilization of AI-Related Technologies—AI Promotion Act.Footnote 26
II. Soft Law Approach
Some countries have developed a soft law approach, underpinned by a series of principles for developing and using AI systems, as opposed to adopting comprehensive AI legislation or binding government orders at this stage, although there may be legislation in selected areas, such as privacy or cyber technology regulation.
In 2023, the United Kingdom Department for Science Innovation and Technology released a report titled A Pro-Innovation Approach to AI Regulation, which sets out a regulatory framework for AI underpinned by core principles to guide AI use.Footnote 27 Regulators will implement the framework across sectors, with possible targeted legislative interventions to address gaps in the regulatory framework. It is worth noting though that the British Government, elected to office in 2024, has indicated its intention to introduce binding regulations focused on the most powerful AI models and the associated safety issues. As noted above, however, it is unclear whether the UK will shift its AI governance approach from the current principles-based method to the legislative pathway.
The United States, at its federal level, appears to lean towards a soft-law approach to AI regulation as there is no comprehensive AI legislation, despite emerging state laws addressing different aspects of AI and data protection.Footnote 28 For instance, The Institute of Standards and Technology AI Risk Management Framework—NIST Framework—which is the result of prompting by Congress, constitutes soft law guidance that encourages companies to engage in enterprise risk management around the risks of AI systems. The NIST Framework encourages companies to identify, mitigate, and manage the risks of AI systems, all against the backdrop of a strong corporate compliance culture.Footnote 29 That is, the NIST Framework encourages organizations to establish personnel, infrastructure, and processes that effectively monitor for and address risks, insulating involved personnel from backlash and ensuring that corporate leaders take reported harms seriously. Interestingly, the executive branch of the former Biden Administration introduced binding rules for AI governance. For example, an Executive Order issued by former President Biden mandated reporting requirements on General Purpose AI—GPAI—models above certain thresholds of capability which relate to reporting and information sharing.Footnote 30 However, the Trump Administration has already revoked some binding executive orders following an in-progress review as long as those orders are deemed as barriers to American leadership in AI,Footnote 31 complicating the country’s governance effort. As with the US, China is another jurisdiction that offers an example of a complicated regulatory landscape. China has not had a comprehensive AI legislation although some scholars, including those from think tanks, have proposed different versions of future AI Act.Footnote 32 In the meantime, there are some binding rules relevant to AI that were prescribed by government agencies, including the 2023 Interim Measures for the Management of Generative Artificial Intelligence Services led by the Cyberspace Administration of China.Footnote 33 From the perspective of soft law, however, the Cyber Security of Standardisation Administration released the Artificial Intelligence Security Governance Framework in 2024.Footnote 34 This framework document emphasises the need for sound governance and control from collaborative efforts by various stakeholders—including AI developers, service providers, users, government authorities, etcetera. The framework includes principles for AI safety governance, a classification of AI safety, risks, technological measures to address these risks, and comprehensive governance measures. It suggests best practices for non-mandatory governance measures.Footnote 35 The Framework aims to address the risks and challenges posed by AI while promoting its safe and beneficial development.Footnote 36
At the international level, there are a range of mechanisms and platforms to coordinate regulation of AI around the world. The World Economic Forum promotes global cooperation and the development of ethical AI principles. It emphasises the importance of transparency, accountability, and inclusivity in AI governance, and encourages collaboration between governments, businesses, and society.Footnote 37 UNESCO also advocates for the ethical use of AI and the protection of human rights. It emphasises the need for international cooperation and the development of global standards for AI governance, focusing on fairness, transparency, and accountability.Footnote 38 In 2023, Australia, alongside the EU and 27 countries, signed the Bletchley Declaration affirming that AI should be developed, deployed and used in a manner that is safe, human-centric, trustworthy and responsible.Footnote 39 In addition, while Australia has formulated mandatory AI standards for government, it continues to support voluntary approaches for non-government entities although legislative arrangements directed at specific issues continue to evolve.Footnote 40
Overall, the regulatory landscape for AI governance is still evolving, with efforts from the EU’s AI Act, some other jurisdictions’ legislative initiatives, as well as the soft law approach reflecting a global push towards comprehensive and ethical AI regulation.Footnote 41 However, even in the jurisdictions that have AI laws in place, there are differences. For example, the EU AI Act has a focus on protecting basic rights that may be impinged by the use of AI, and this is achieved by careful categorisation of risks associated with AI. In contrast, Japan’s AI Act is focussed on driving economic growth by leveraging the development of AI technologies and therefore minimising regulatory burdens and rejecting express penalties.Footnote 42 As Turner observed in his 2019 book, national approaches to AI regulation “are bound up with countries’ current positions in the global order, as well as where they are hoping to be in the future.”Footnote 43 Susskind also noted that AI laws in some countries are more interventionist than others.Footnote 44 At any rate, the regulatory situation of AI is fluid, and from the perspective of governance requires careful monitoring and at times may also require law firms, courts, and others to provide input into the regulatory arrangements.
C. AI Governance in the Legal Domain
As noted above, in terms of regulating the use of GPAI, there are two basic models adopted by governments across the world: the hard law approach underpinned by legislation and government orders, and the soft law approach featured by voluntary guidelines. In some jurisdictions, a plethora of legislation exists where amendments to IP, copyright, criminal, and civil laws may make reference to AI requirements.Footnote 45
Specific to the legal domain, approaches to AI governance appear to be relevant to not only government approaches, but various stakeholders in the legal industry, such as courts, professional bodies, and law firms. Generally, the legal domain is treated as a high-risk area for AI use and therefore results in some strict requirements. These risks and resultant requirements are particularly to satisfy the legal professionals’ accountability for client data protection and fulfill their duty to provide better, quicker, and more cost effective services to clients.Footnote 46 Many of the more focused legal domain AI regulatory approaches are directed at generative AI—Gen AI—and there has so far been much less attention paid to forms of AI that could be described as replacement or disruptive.
With respect to Gen AI, there has been much attention paid to possible pitfalls, and so far little attention has been directed at the large AI publishers who have all rolled out fairly sophisticated generative AI models. As Sir Geoffrey Vos has pointed out: “Generative AI does not generally provide completely reliable information…. It does not check its responses by reference to an authoritative database … lawyers and judges must not feed confidential information into public LLMs….”Footnote 47 Sir Geoffrey Vos therefore contended that lawyers and judges must check the responses generated by AI themselves before using these responses for any purpose because those legal professionals are responsible for the work product, not AI.Footnote 48
Indeed, big law firms which are well resourced have also developed and rolled out their own AI applications to assist with some basic legal tasks, including the automation of routine tasks and the support of drafting efforts. For example, Allens Linklaters has leveraged their “rich data sets generated over years of advising clients on their most significant matters and transactions,” and combined this data, best-in-class technology in the firm, and the intellect of their employees, with an aim to deliver significant innovation and to supplement and elevate the skills of their lawyers, rather than replacing those human employees.Footnote 49 “Allens also initiated a campaign to obtain feedback, ideas and potential use cases internally.”Footnote 50
To respond to the increasing rollout of AI tools in the legal profession, some courts have outlined their instructions to lawyers. For example, in its Practice Note, the Supreme Court of New South Wales in Australia indicated that “Gen AI must not be used in generating the content of affidavits, witness statements, character references or other material that is intended to reflect the deponent or witness’ evidence and/or opinion, or other material tendered in evidence or used in cross examination.”Footnote 51 As a result, the Practice Note continues to prescribe that “[a]n affidavit, witness statement or character reference must contain a disclosure that Gen AI was not used.”Footnote 52 The Practice Note recognises that in some exceptional cases, leave may be sought to use Gen AI for the preparation or generation of any annexure or exhibit to an affidavit, witness statement, or character reference.Footnote 53 In the cases where Gen AI has been used in the preparation of written submissions or summaries or skeletons of argument, there is a requirement in the Practice Note that the author must verify, in the body of the submissions, summaries or skeleton, that all citations, legal and academic authority and case law and legislative references: “(a) exist, (b) are accurate, and (c) are relevant to the proceedings, and make similar verification in relation to references to evidence in written submissions or summaries or skeletons of argument to evidence (whether the evidence be contained in affidavits or transcript).”Footnote 54 Similar directives can also be found in the Practice Notes of Land and Environment Court of New South WalesFootnote 55 and District Court of New South WalesFootnote 56 in Australia.
In some jurisdictions there have been attempts to disqualify AI workers or robots from engagement in legal processes on the basis that they are not legal practitioners.Footnote 57 However, there is an assumption that existing regulatory arrangements can be tweaked to manage the AI revolution.Footnote 58 As AI “workers” that have an identity and are able to mimic human workers are increasingly integrated into law firms and even courts, there are questions that can be raised about both regulation and responsibility. At the next level, where AI is even more disruptive, broader policy, and regulatory arrangements will be required to consider what could or should be done by humans.
D. Risk and Impact Level Assessment Tools
As AI becomes embedded in the operations of many organizations, including in the legal domain, effectively managing the associated risks of AI is essential. In the context of legal profession, managing such risks appears to be focussed on ensuring that legal professionals use AI tools in compliance with their professional and ethical duties to courts and their clients, as reflected by practice notes issued by the courts or guidelines promulgated by the profession. In the case of non-compliance, penalties may follow.Footnote 59 Authors of this Article argue that risk management in this sense appears to be the second-tier approach, and there is a first tier of safety valves in place before the use of AI tools by legal professionals and workers in other sectors is in alignment with professional responsibilities. As discussed below, this first level buffer is embedded in the AI governance system design and takes the form of risk and impact level assessment tools that are directed at AI tools designers.
From the AI governance perspective, either “hard law” legislation or “soft law” type risk management framework documents, have relied on the risk-based methodology in approaching the development of AI tools. For example, the EU AI Act, clearly categorizing AI-related risks, creates ex-ante governance mechanisms for high-risk AI applications, with the aim to prevent AI products from causing harm to its users.Footnote 60 In the U.S., the NIST Framework encourages AI designers to engage in enterprise risk management around the risks of AI systems as previously noted.Footnote 61
To put such risk management arrangements into action, risk and impact-level assessment tools for AI tools are developed by regulators to apply to the design, deployment, and operation of AI tools. The New South Wales Government in Australia has developed the NSW Artificial Intelligence Assessment Framework (AIAF) as a self-assessment tool mandatory for all NSW Government Agencies to use while these government agencies are developing their own AI solutions.Footnote 62 Similarly, in Canada, the Algorithmic Impact Assessment (AIA) is a mandatory risk assessment tool intended to help the federal government agencies determine the impact level of an automated decision-system.Footnote 63 It is worth noting that both assessment tools are prescribed by the government and are applicable to assessing AI products that are potentially deployed by the relevant government agencies while not mandatory to the private sector. Specific to the legal domain, there appears to be a lack of such risk and impact assessment tools for evaluating AI systems that are directed at legal professionals. Instead, it seems that legal professional bodies tend to rely on the blanket ban approach to unacceptable AI practices, including an AI system to “replace or supplement judicial discretion, including in sentencing, and other evaluative decisions affecting individual liberties and freedoms,”Footnote 64 while opening the door for an AI system that can promote access to justice for people with disabilities.Footnote 65 This, in turn, goes back to the question of what risks are acceptable or not, which remains an incredibly challenging question to answer.Footnote 66
E. Ethical Assessments
Most risk assessment arrangements are based on assumptions relating to core ethical principles. For example, core ethical principles in relation to AI use adopted by the Australian Government’s Department of Industry, Science and Resources have been adopted by numerous organizations in Australia. These principles underpinned by some universal values encompass the following:
i. Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment.
ii. Human-centred values: AI systems should respect human rights, diversity, and the autonomy of individuals.
iii. Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups.
iv. Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data.
v. Reliability and safety: AI systems should reliably operate in accordance with their intended purpose.
vi. Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them.
vii. Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system.
viii. Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled.Footnote 67
However, as the authors have noted elsewhereFootnote 68 the ethical risks may be broader in relation to courts and legal professionals. For example, it could be suggested that lawyers and courts have obligations to support justiceFootnote 69 and this may mean that the way in which AI is assessed and considered includes an assessment that ensures that sectoral as well as individual and societal wellbeing is considered. Similarly, some legal commentators have discussed the risk of “truth decay” and it may be that courts have additional obligations in the AI revolution.
It has been said for example that:
As a general and trite observation, any decline in trust of judicial institutions is a matter of note and concern. To the extent that the courts are viewed as “source[s] of factual information,” the fourth trend pointed out by Kavanagh and Rich in relation to declining trust focuses the mind and provokes thought about how such a trend may be resisted and reversed.Footnote 70
To the extent that courts, and by extension lawyers, may be perceived to be a source of truth may add an additional ethical requirement particularly when AI extends beyond supportive AI. Although discussion of “truth decay” has been predominantly focused on the United States, in 2024, Australian Defence Force Chief General Angus Campbell, drew attention to the potential for technology, and especially Gen AI, to exacerbate truth decay in Australia.Footnote 71 General Campbell said the following:
As these technologies quickly mature, there may soon come a time when it is impossible for the average person to distinguish fact from fiction, and although a tech counter response can be anticipated, the first impression is often the most powerful…. This tech future may accelerate truth decay, greatly challenging the quality of what we call public “common sense,” seriously damaging public confidence in elected officials and undermining the trust that binds us.Footnote 72
While truth decay can be linked to generative AI and the generation of incorrect, false information,Footnote 73 or biased information,Footnote 74 it has the potential to erode confidence in the judiciary, the legal process, and the role of lawyers. As domestic legal avenues are replaced by privatised form of justice and more international borderless systems, there are questions about how the legal profession can manage any responsibilities that it has to reduce or prevent truth decay. This may require thoughtful governance approaches that are directed at more complex ethical approaches that cannot necessarily be explored by an IT manager and require cross organizational leadership. As “deep fakes” become more prominent, there are also questions about how the legal profession will respond to AI workers and others who may establish their own identities. To some extent, this issue is one that is the focus of regulators; however, there are questions about how and to what extent professional obligationsFootnote 75 might manage these issues and personhood more broadly—particularly if disruptive technology incorporated neurotech and the merging of humans, technology and more refined forms of AI.Footnote 76
While commentary about AI development can focus on the many benefits of AI and obligations to clients and others, ethical approaches may require more than this. For example, the statement:
It is the principle that we all owe a duty to those we serve—namely citizens and businesses here in England and Wales—to make constructive use of whatever technology is available if it helps to provide a better, quicker and more cost effective service to clients and the public, if you are a lawyer, and to provide a better, quicker and more cost effective dispute resolution process if you are a judge,Footnote 77
can be balanced with a second observation, that might also lead into a third observation about an overarching duty to humankind:
The second principle is that it is an integral part of the adoption of new technologies that we need to do all we can to protect the very same citizens and businesses from their adverse effects. That means that, where appropriate, we need to promote effective regulation, rule-making, data protection, the protection of confidential material, and the minimisation of cyber-crime and cyber-fakes. All these present risks to the communities we serve to a greater or lesser extent.Footnote 78
The question of how ethical frameworks could bind law firms is closely linked to the core values within societies. For example, the multitude of generative AI approaches will evoke regulatory responses which may not have been as pronounced in Western countries when generative AI was primarily seen as a system originating in the United States. The shift towards a range of country sponsored or supported forms of generative AI may raise particular issues for the legal profession as regulators may not “catch up” to these developments before clients and indeed legal professionals have adopted new forms of AI that may raise ethical issues.
F. Core Components of Good AI Governance
While regulatory and ethical frameworks are in constant development and are often responding to AI changes and shifts, our examination of the material referred to above suggests that there are a number of generally accepted core components essential for good AI governance practices, including governance structures, adherence to regulatory requirements, monitoring AI, and education and training.Footnote 79
The diagram in Figure 1 suggests that in some instances, legal organizations may need to rethink their own governance arrangements, particularly where these have developed over time and are more hierarchical than collaborative. In courts for example, the AI landscape requires different organizational responses which are not only responsive but proactive to ensure that courts are not ‘left behind’ by the AI revolution. For law firms, assurances by legal publishers and others may not be sufficient to reduce risk and alternate risk assessment arrangements may be required. In addition, the evolving AI landscape requires that legal organizations have reasonable understandings about the broader AI landscape and the potential ethical and other issues that are likely to emerge so that they can be responsive as well as proactive.
Organizational governance arrangements regarding AI

I. Governance Structures
The governance of AI involves establishing robust control structures containing policies, guidelines and frameworks to address these challenges. As previously suggested in this Article, despite different jurisdictions, AI governance structures can involve adopting various governance approaches and setting up mechanisms to continuously monitor and evaluate AI systems, ensuring they comply with established ethical norms and legal regulations.Footnote 80 Importantly, however, AI governance requires different organizational approaches. It is simply not possible to delegate AI governance to an IT manager or Chief Information Officer (CIO) as the governance involves an entire organization and the risks are broader than those that might arise with more simplistic forms of AI.
Effective governance structures in AI are multidisciplinary and can involve stakeholders from various fields, including technology, law, ethics, and business. As AI systems become more sophisticated and integrated into critical aspects of society, the role of effective AI governance in guiding and shaping the trajectory of AI development and its societal impact becomes ever more crucial.Footnote 81 Among all the stakeholders accountable for good AI governance, Big Tech companies such as Google, Microsoft, IBM, and Meta are leading the development of ethical AI practices, emphasising collaboration across multiple disciplines to navigate the challenges of a rapidly evolving technology. These companies have established internal ethical frameworks and governance models, such as Google’s AI Principles and IBM’s AI Ethics Board, to guide the responsible development and deployment of AI technologies. However, it is simply not sufficient to rely on Big Tech governance mechanisms, as in each legal domain area, there are issues and decision-making about AI that cannot be abrogated.
Legal domain organizations that are developing AI systems internally and procuring external systems must ensure that their AI governance frameworks include clear definitions of roles and responsibilities, continuous monitoring, impact assessments, and regular audits to ensure compliance with ethical and legal standards.Footnote 82 When AI systems are provided by third parties, organizations must ensure, through their governance structures, that the providers offer sufficient guarantees for privacy and data protection and that broader ethical issues are considered.Footnote 83 In the legal profession, this responsibility can include considering whether confidential and sensitive information would be disclosed externally via use of the generative AI tool and whether relevant client terms and firm policies are adhered to.Footnote 84 The capacity to meet these responsibilities may form part of a risk and impact level assessment previously discussed in this Article.
II. Adhering to Regulatory Requirements
With governance structures and associated mandatory legislation and/or voluntary guidelines and standards in place, adherence to those regulatory requirements set out by “hard law,” or in the case of “soft law,” encouragement of adherence to those guidelines and standards, is key to good governance practices. It is, in particular, worth investigating how “soft law” can be implemented by stakeholders in their own domain given the nature of “soft law.”
There can be specific practices that are mapped to implement AI governance principles, standards and guidelines that are of “soft” nature. For example, in Australia, such practices are developed by drawing extensively from those of the Australian, state and territory governments, as well as by such publications as Implementing Australia’s AI Ethics Principles and NSW Artificial Intelligence Assurance Framework.Footnote 85
III. Monitoring AI
Good AI governance practices also involve an approach beyond mere adherence to encompass a more robust system for monitoring and managing AI applications. For example, for enterprise-level businesses, the AI governance solution should enable broad oversight and control over AI systems and tools.Footnote 86 As a result, monitoring and the associated reporting and evaluation plans are deemed by many as an essential component of AI governance.Footnote 87 Indeed, the role of continuous monitoring of AI has been explicitly recognised in the EU AI Act,Footnote 88 and in some “soft law” guidelines manifested by principles, such as reliability and safety or a “lifecycle” approach to AI systems.Footnote 89
Monitoring requires that governance bodies step back from time to time and ask ethical issues that are relevant. In the legal domain, these issues can relate to some core justice values, such as open justice, judicial accountability, access to justice, procedural fairness, and efficiency as these values can be influenced by AI tools and systems.Footnote 90
Despite the wide acceptance of the significance of continuous monitoring of AI, one challenge in this regard remains as to whether monitoring can be achieved given current technological capabilities. Specifically, this refers to “the infeasibility of accurately monitoring advanced AI systems to predict the emergence of certain capabilities prior to their manifestation.”Footnote 91 Some have argued that monitorability and AI safety may be achieved through monitoring AI’s “chains of thought” for the intent to misbehave.Footnote 92 Technicality is beyond the scope of this Article, but this debate about technological capabilities highlights the many “unknowns” about AI and, as such, mirrors the fact that the AI governance landscape continues to be evolving. Indeed, as the Australian Government Productivity Commission argued, the regulatory design and review of AI remain an “ongoing” process.Footnote 93
IV. Education and Training
In light of the rapid uptake of various AI tools and systems across sectors, there is a growing consensus that AI literacy matters. In the US, “to promote AI literacy and proficiency among Americans”Footnote 94 clearly indicates that advancing AI literacy is an official national priority. There are also a range of training initiatives in different jurisdictions that are directed at educating citizens in the sphere of AI literacy.Footnote 95
In Australia, the Human Technology Institute and the Australian Institute of Company Directors published two useful documents in 2024, outlining the eight key elements of AI governance to help company directors, and their senior management teams consider how best to develop their good practices in this area.Footnote 96 One of the eight governance elements is framed as “People, Skills and Culture” which is essentially about upskilling, by way of education and training.
The authors concur with the two documents’ contention about the role of education and training in business organization governance in the context of AI use. The authors further argue that AI education and training should not be confined to the business organizations in their AI governance. Instead, it should be a key component for AI governance across all types of institutions, public and private, and commercial and not-for-profit, because, as Gartner AI Trends suggest, AI literacy has been identified as a critical trend and organizations must prioritise training to ensure employees and in some instances clients or litigants understand AI capabilities, limitations and ethical implications.Footnote 97 This also echoes the observation that leaders and managers must develop AI literacy to make informed decisions about AI adoption, mitigate risks and drive organizational success.Footnote 98 Specifically, in the legal profession, AI education and training may involve lawyers completing AI literacy online courses delivered by higher education institutionsFootnote 99 and/or professional associations.Footnote 100 These training modules vary in their specific content but generally include tips that can be used to engage with AI tools, such as prompting skills and ethical use of AI.
G. Conclusion
Challenges associated with AI are clearly defined that include unlawful bias and discrimination, erosion of purpose limitation, lack of transparency and intelligibility, erosion of consent and information security risks. As such, there is a universal consensus that good AI governance practices should be developed and implemented across the sectors.
AI governance has become increasingly complex as the regulatory arrangements that relate to AI can change rapidly due to technological advances, as well as government changes and associated governance shifts. The complex evolution of AI governance arrangements in the legal domain is also linked to AI literacy and education arrangements, and often an organizational AI governance body will be involved in ensuring that both AI literacy and innovation are supported. Despite the complexities inherent to the AI governance landscape, AI is generally regulated around the world in the form of two main models, both of which are directed at managing risks posed by the use of AI tools—namely hard law and soft law approaches. In some jurisdictions, there is currently a mix of the two approaches, including US and China. Regardless of the various forms, these approaches are essentially directed at encouraging ethical use of AI, and AI governance has so far received limited regulatory or scholarly attention although the regulatory regimes and ethical requirements have been the subject of extensive commentary.
In the legal domain, approaches to AI governance appear to be highly relevant to stakeholders, such as courts, professional bodies—for example—law societies, bar associations, and law firms. Generally, the legal domain is treated as a high-risk area for AI use and therefore results in some strict requirements. These risks and resultant requirements are particularly to satisfy the legal professionals’ accountability for client data protection and fulfill their duty to provide better, quicker and more cost-effective services to clients. Many of the more focussed legal domain AI regulatory approaches are directed at generative AI, and there has so far been much less attention paid to forms of AI that could be described as replacement or disruptive. Nevertheless, successful AI governance relies on a robust foundation of policies, plans, and documentation that address technical, operational, legal, and ethical dimensions. It also requires a governance body that operates at a high level and is able to provide support within an organization as well as ensuring that external governance requirements are met. In the legal domain, this may require some shifts on thinking. Hierarchical approaches or approaches where governance is devolved or managed by an internal organizational unit may not be sufficient to manage the myriad of issues that arise in relation to AI. While an internal unit may, for example, be engaged in setting up risk assessment mechanisms to ensure that there is a basic level of regulatory compliance, this is not sufficient to support AI innovation in legal domain organizations and may also not consider the broader ethical implications of AI integration.
As AI becomes embedded in the operations of many organizations, including in the legal domain, effectively managing the associated risks of AI is essential. Underpinned by either “hard law” legislation or “soft law” type risk management framework documents, some countries have developed risk and impact assessment tools to assist stakeholders with managing AI-related challenges. These tools usually have embedded risk assessment arrangements that are based on assumptions relating to core ethical principles, such as human, societal and environmental wellbeing, human-centred values, fairness, privacy, security, et cetera. To achieve the goal of good AI governance, authors propose that there be four key components in these practices, including ensuring that governance structures are fit for purpose in an evolving technological landscape, that there is ongoing adherence to regulatory and ethical requirements, monitoring AI use while enabling innovation, and supporting education and training.
Acknowledgements
The authors declare none.
Competing Interests
The authors declare none.
Funding Statement
No specific funding has been declared in relation to this Article.
