AI Governance Framework: A Practical Guide for In-House Legal Teams
As organizations accelerate their use of AI, the legal department plays a critical role in guiding how – and how far – that adoption goes. Move too slowly, and the business risks falling behind competitors or missing valuable efficiencies. Move too quickly, and it may take on regulatory, reputational, or operational risks it isn’t prepared to manage.
Legal’s responsibility isn’t to slow innovation. It’s to help the business strike the right balance, enabling smart, strategic AI adoption while putting the guardrails in place to protect the organization and its people.
Forward-looking legal professionals can help their organizations avoid potentially serious issues by establishing an AI governance framework, which can create a safe environment for innovation while addressing compliance, data security, and ethical use.
In this report, we’ve outlined key steps for building one for your company. Read on to learn more about everything from device management to mitigating risk, and get trusted guidance for drafting AI usage policies for the modern workplace.
The facts about AI use at work
AI has become a powerful tool for many in the workplace. According to a January 2026 report from Gallup, the percentage of U.S. employees who report using AI at least a few times a year jumped from 27% in late 2024 to 46% in Q4 2025.
Even when organizations are aware that their employees have adopted this technology, many have allowed AI use without establishing clear, agreed rules on how it may be used.
To this point, while 44% of employees said their organization has started integrating AI, only 22% said their organization had “communicated a clear plan or strategy for doing so,” according to a June 2025 Gallup survey.
That means many employees are using AI at work without the benefit of clear standards – and this lack of guidance can result in serious harm not only for these employees but also for their organizations.
Enterprise AI adoption and managing risk
Enterprise AI adoption has myriad noteworthy benefits, including gains in efficiency and productivity, but organizations also must develop ways to reduce the associated risks, which include privacy violations, inaccuracies, intellectual property exposure, and bias.
Risks can vary according to the work to be done. For example, “the creative use of generative AI by highly skilled workers is lower risk and can be encouraged and accelerated,” according to Bloomberg Law Practical Guidance authored by Stephanie Sharron from Morrison & Foerster and Carlos Escapa from Amazon Web Services.
But for certain sectors or contexts, risks associated with the inappropriate use of AI can be much more significant.
The stakes are particularly high when AI systems generate inaccurate or “hallucinated” outputs. In certain contexts, those errors aren’t just inconvenient – they can pose real safety risks. Tools used to provide medical guidance, support emergency response, or direct complex manufacturing or transportation processes leave little room for error.
That’s why strong guardrails – backed by thoughtful governance and risk management processes – are essential. Yet clear guidance remains limited. The legal and compliance questions are still evolving, and the potential for harm varies widely depending on how the technology is deployed. Context matters, and so does careful oversight.
Five steps to building an AI governance framework
That’s why it’s crucial for organizations (in partnership with their in-house counsel or other legal operations professionals) to create a robust AI governance framework that goes beyond a traditional checklist of compliance tasks, so that organizations and teams can safely harness the latest technology with confidence and peace of mind.
Consider these five steps as you develop your own framework and policies. This is a foundational starting point, so keep in mind that you may need to customize these steps or add more to meet the specific needs of your organization.
Step 1: Understand evolving AI regulation and policy
As policymakers move to establish guardrails for AI, the EU and U.S. are taking notably different paths. In Europe, lawmakers have enacted the EU AI Act – a comprehensive framework designed to harmonize rules across member states.
In the U.S., no comparable federal law exists, leaving states to develop their own requirements, such as the Colorado AI Act or the laws in Tennessee and Illinois that protect an artist’s name, image, and likeness from being replicated by generative AI.
For companies operating across these markets, the result is a complex and evolving regulatory landscape. Differing standards and obligations can create meaningful compliance challenges and increase potential liability exposure – particularly for organizations deploying AI at scale.
For companies that are subject to oversight by regulatory bodies, it may be helpful to consider the hierarchy of related regulations.
For instance, when it comes to creating an AI governance framework that is compliant with known regulations, consider that your primary bright line may be compliance with the EU AI Act, as it has the most robust provisions, even for operations in the United States.
Then consider any existing and potentially forthcoming state laws that may affect your organization, and consider the voluntary AI guidelines established by the National Institute of Standards and Technology and resources from its risk management framework.
Organizations also should follow any applicable federal regulations. For example, the Federal Trade Commission, Equal Employment Opportunity Commission, Department of Justice’s Civil Rights Division, and Consumer Financial Protection Bureau issued a joint statement in April 2023 to note the use of AI could violate existing laws under certain circumstances.
Once you’ve established your framework, be prepared to show which regulations or guidance your organization is following. If any AI activity is considered unacceptable or prohibited under applicable laws, your organization should cease those practices and reconsider your proposed AI systems.
AI activities to avoid
Here are some examples of unacceptable AI processing activities that organizations may consider as part of their risk assessment based on laws in the United States and the EU AI Act.
The bottom line: Use your best professional judgment to ensure compliance with all applicable laws and regulations, and plan for an iterative process of updates and audits to ensure that your framework stays current with legislative developments.
Step 2: Review and update your organizational policies
Governance starts with reviewing and supplementing your organization’s existing rules – not beginning from scratch.
So, consider a review of the following policies.
- Your employee code of conduct
Define your organization’s stance on AI as a management tool. For instance, are you in favor of AI use? And would you allow your employees to use it in all cases or just certain circumstances?
- Your device management policy
Determine how to regulate AI access on company vs. personal devices. For instance, would you allow employees to access mass-market AI tools on their devices even though these tools can have privacy issues and can be subject to hallucinations? Or would you permit employees to use only trustworthy and company-approved AI-powered tools on their professional devices?
- Your antidiscrimination and HR policies
Ensure that the organizational use of any AI tools for recruitment or other job functions would not violate any EEO laws. And keep accessibility in mind when choosing and implementing AI tools in the workplace, making sure there is space to engage with employees and applicants who request alternatives or accommodations.
Step 3: Draft a clear AI usage policy
If you choose to allow the use of AI to help with productivity and compliance, you must then be specific about how employees are permitted to use such tools. To outline these permissions and requirements, draft your own AI usage policy with the following considerations.
Define what would be “acceptable” AI use vs. “prohibited” use
For instance, would you want your organization to ban the use of all mass-market AI tools – and only allow the use of trusted and company-approved tools? Would you merely ban the input of proprietary code or sensitive client data into public LLMs? And are there certain processes that should avoid the use of AI altogether?
Note how employees should review output from AI-powered tools
To reduce risk, for instance, legal teams may consider mandating human review of output to verify accuracy before use.
Address transparency and set rules on disclosures
Your framework should specify when employees should note that they have used AI to create a work product.
Step 4: Mitigate risk and confirm compliance
Today’s AI technology has countless benefits for innovation and productivity. But, if misused, it can introduce dangerous risks such as bias, inaccuracies, and data security breaches. To mitigate these threats and confirm compliance, consider the following actions.
- Create an AI oversight committee
Stakeholders and employees with varying skillsets are needed to develop and operationalize an AI governance program – including individuals trained in law, data privacy, intellectual property (IP), technical disciplines, human resources, marketing, and procurement.
- Work with your committee to identify, assess, and document AI risks
Provide direction, support, and training to employees, commensurate with their roles and experience, so that they can successfully follow your requirements.
- Discuss whether your organization should audit your chosen tool for compliance issues
Notably, laws vary by jurisdiction. For example, Illinois amended its Human Rights Act to prohibit an employer from using an AI system “that has the effect of subjecting employees to discrimination on the basis of protected classes … or to use ZIP codes as a proxy for protected classes,” and New York City Local Law 144 focused on avoiding discrimination by requiring employers to conduct a bias audit before using AI to make employment decisions. And remember that laws of general applicability in different countries, industries, and sectors may also impose AI compliance obligations, as may comprehensive AI governance laws, so keep those standards in mind.
- Identify potential privacy risks before deploying new tools
Organizations must ensure that AI does not violate regulations or policies that safeguard proprietary data and protected personal data. For example, improper implementation of common AI-powered biometric tools, such as facial recognition for employee verification, can expose employers to costly fines or litigation costs for the misuse of personal information.
Step 5: Consider vendor management and liability issues
As savvy legal professionals know, an organization’s compliance responsibilities extend beyond its borders when it works with third parties.
So, consider the following vendor management measures:
- Work with your AI Oversight Committee to determine how to best manage and oversee your company’s compliance with AI requirements with any third-party vendors, suppliers, service providers, contractors, and processors. As part of this work, review indemnification clauses with vendors and check insurance to ensure it covers AI-related claims (such as those related to copyright or privacy breaches).
- Consider allowing only certain AI tools for employee and vendor use. And when working with approved AI vendors, ensure that appropriate contractual provisions are in place – including any AI regulatory requirements – so your organization remains protected and compliant with laws and regulations.
Turn strategy into action with practical tools
Designing an AI governance framework is no longer a theoretical exercise. For legal departments, it is an operational mandate that touches risk management, compliance, vendor oversight, and board reporting. The challenge is moving from high-level principles to clear, defensible processes that can scale with the business.
Bloomberg Law’s Practical Guidance is built for exactly this moment. It pairs in-depth legal analysis with ready-to-use resources – including sample policies, checklists, glossaries, and thoroughly researched overviews – that help senior in-house counsel translate evolving AI expectations into concrete action.
These resources enable legal departments to move beyond reactive guidance. They support a proactive, structured approach to AI governance – grounded in legal rigor, aligned with enterprise risk management, and responsive to board-level expectations.
See how Bloomberg Law can support your team with the guidance, templates, and expert insights needed to build a comprehensive AI governance framework.