Five top tips for AI governance

There’s a lot of hype around the transformative potential of AI. However, in our experience, the last twelve months has seen a big shift: from hype to reality. AI is now something that businesses are implementing at speed, and as a result is crossing many in-house legal team’s desks on a daily basis.

Boards are keen to realise the cost saving potential of AI, tech teams are keen to embrace the cutting-edge possibilities of what AI can achieve, with legal teams being left in the middle trying find a path to safe, responsible and compliant use of AI.

At the heart of any AI programme is AI governance, but given the numerous challenges presented by AI, knowing where to start can be difficult. In this article, we provide our five top tips on how to get AI governance right.

1. Get the right people in the room

AI, whilst having huge transformative potential, presents a wide range of legal challenges. As such, an AI governance committee should include voices from all relevant aspects of a business, not just the IT and legal teams.

• IT team, for input on the technical realities of AI
• Legal team, to advise on how to stay compliant with the changing law (including representatives from all aspects of legal, given the legal considerations around AI transcend numerous legal areas, for example, intellectual property, regulatory and data protection)
• Risk team, to help navigate the cybersecurity challenges posed by AI
• Management team, to ensure business objectives and brand values are upheld; and
• Procurement team, to ensure that policies and procedures around AI are reflected within the businesses procurement processes.

2. Get the balance right

Whilst there are many legal factors to consider when deploying AI within your business, a successful AI governance programme will seek to balance assessing those risks and the potential benefits that AI can bring to your business.

If processes and procedures, for example risk assessments of particular AI use cases, become too burdensome, bureaucratic or lengthy then this may dissuade potential AI implementation which could positively impact your business.

Guardrails around the use of AI should fundamentally, in our view, be realistic and workable.

3. Stay up to date

Your AI governance framework should cover the entire AI lifecycle (not just initial procurement and implementation) and be periodically updated to ensure this reflects both best practice and any changes in laws.

As such, implementing an AI governance framework is not a “set and forget” exercise. Dynamic governance is crucial to enable a business to benefit from the most innovative and developed forms of technology, whilst remaining compliant with the changing rules and regulations.

Additionally, AI technology and the laws that govern it are evolving quickly. As such, AI policies and procedures need to be regularly monitored and updated to reflect changes in the AI regulatory ecosystem. Businesses should therefore stay active, track any changes in law and align policies and procedures accordingly and efficiently.

4. Improve AI literacy

You should ensure that all your staff receive training on what policies are in place around AI, the relevant guardrails that should be observed when using AI and what procedures need to be followed when requesting / approving a new AI tool or use case.

Additionally, the best AI governance examples we have seen contain AI literacy programmes. AI literacy is not about turning everyone in your business into AI experts, but instead means upskilling your employees to be able to understand, use and interact with AI responsibly and safely.

The level of AI understanding and knowledge required will vary across your business depending on the role and responsibilities of each individual. For an effective AI governance programme, it is important for all employees to be able to make informed decisions about AI technologies, understand their implications, and navigate the ethical considerations they present.

Fundamentally, AI literacy is not just good business practice, it is also a legal requirement under certain regulations, such as the EU AI Act.

5. Start small and precise

Barely a week goes by without a new and exciting AI product being launched onto the market. The speed of change, and progress, is staggering. In line with that trend, the past 12-24 months has seen a proliferation in the number of AI tools on the market.

Given this, the temptation can be to procure a number of AI tools and then see how they might benefit your business. In our view, the best approach is the opposite: define your use case and then procure an AI tool that meets that specific – and clearly defined – need.

Taking this approach will allow you to build and tailor your business' AI governance programme in a way that fits with the type and nature of both your use cases and the AI tools you are looking to procure.

If you’d like to learn more about how we can support you on your AI journey, visit our AI In Focus page, or get in touch with one of our experts below.

Authors – Michelle Sally and Tom Sharpe

Written with help from Antonia Oxford (Trainee Solicitor)

This publication is intended for general guidance and represents our understanding of the relevant law and practice as of April 2025. Specific advice should be sought for specific cases. For more information see our terms and conditions.