1. How well do I understand what the business wants to accomplish with GenAI?
The propagation of GenAI technology reinforces the need for CLOs to partner with the chief information officer (CIO) and executive leadership to align technology, business strategy and risk management. Close collaboration regarding data and process transformation helps the legal function to deeply understand business issues and to spot and manage risk early. CLOs can accelerate time-to-value by aligning with other functional leaders to establish GenAI sandboxes, thereby encouraging experimentation, accelerating paths to production and scaling learnings across business teams.
2. Am I a leader in a cross-functional GenAI governance committee?
CLOs should be at the forefront of creating a governance model to lead responsible enterprise GenAI adoption. Specifically, CLOs should take steps to stay current with legal developments and risks, be active leaders in cross-functional GenAI governance committees (with the CIO, chief technology officer (CTO), risk, human resources, audit and cybersecurity colleagues), and provide regular updates to the executive board. In doing so, CLOs can better enable innovation, create organizational awareness and help the enterprise realize the commercial benefits of GenAI in compliance with applicable requirements.
3. Are we managing our GenAI approach to comply with the rules of today and tomorrow?
The regulatory landscape is rapidly evolving. In addition to data re-use, privacy and confidentiality issues, GenAI raises potential risks associated with contractual compliance, IP infringement and liability for the use of inaccurate or discriminatory outputs. Recent initiatives to govern the interoperability and security of data and to prevent harm caused by GenAI systems include the EU AI Act, Digital Operational Resilience Act and Data Act.
The uptick in such initiatives corresponds with an increasing business imperative to embrace evolving GenAI capabilities and drive efficiencies. This requires the legal team to monitor ongoing developments, analyze them and operationalize compliance with interfacing and often overlapping laws. Organizations should adopt a holistic, principles-based approach to incorporate GenAI requirements into existing governance, risk, and control frameworks, enabling compliance across business functions.
4. Have we modified our policies and procedures to safely deploy our current GenAI plans at scale?
As GenAI technology, regulations and societal perspectives continue to evolve, organizational policies and procedures must accommodate the changing landscape throughout the GenAI lifecycle (e.g., design, data acquisition, training and deployment). The legal function can lead responsible GenAI business deployment by implementing robust internal and third-party risk management protocols throughout this lifecycle, aligned to the organization’s existing governance and control frameworks, all underpinned by timely legal advice.
A GenAI compliance readiness assessment can create the foundation for the safe deployment of GenAI, helping align business policies, procedures and activities with developing trends and risks. Such assessments can be used to generate tailored recommendations for priority use cases and map these cases to applicable GenAI regulations and industry-specific legislative regimes.
5. Do I have the right processes to deploy GenAI to my legal team?
GenAI presents an opportunity to re-envision the way legal tasks are performed, changing the way legal teams create and share knowledge, answer legal questions, review contracts, draft legal documents, and summarize regulatory impacts. To identify, evaluate, prioritize, and deploy legal use cases, CLOs should consider two related approaches. First, GenAI use case experimentation supports quick wins, starting the necessary cultural change for lawyers to understand how to integrate GenAI into their daily work. Second, a process-driven approach helps the team understand who, what and when to automate, supporting structural, long-term transformation. Legal operations leaders can guide this journey and help ensure that GenAI can confidently comply with ethical and legal standards, such as confidentiality and work product protection.
6. Do I understand enterprise GenAI data use cases to advise how they should be governed?
GenAI is powered by data, which is used to train models, answer questions, create code, generate content and automate activities, augmenting people as they perform various tasks. This data may be a mixture of external and internal sources consumed by internal teams, vendors and third parties. To understand the potential scope of issues regarding GenAI internal and third-party data risks, CLOs can, for example, assess current and in-flight contracts to see how data use, disclosures and obligations are addressed. This positions the legal team to further advise how to manage business operational risks associated with data privacy, cyber security, intellectual property, insurance and applicable GenAI regulations.
7. How mature is my team’s management of our legal data?
Contract playbooks, legal spend, practical guidance and policy data help legal departments make decisions and provide legal advice. If this legal data is managed in silos, legal teams will not be positioned to put their data to work. CLOs should understand if legal data is well-organized in a data model that is intentionally structured for legal to take advantage of GenAI. This approach is intended to provide a safe, secure environment in which your teams can share confidential data over which they can apply GenAI. In parallel, deliberate alignment with the enterprise's master data strategy supports enforcement of data integrity across the enterprise and compliance with security, regulatory and ethical requirements.
8. How do I upskill my legal team to use GenAI and advise the business?
Legal teams need to understand GenAI types, capabilities and limitations. Further, legal teams need to learn basic prompt engineering skills. Together, these provide two interrelated benefits. First, the legal team will have the skills to take advantage of evolving capabilities, understanding if there are opportunities to upskill certain team members and roles. Second, these technical and practical skills will help the legal team understand how to advise the business on responsible GenAI adoption. These will likely be new skills for the legal team and active change management is required. Like the practice of law, GenAI use still needs lawyer oversight.