<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[The AI Governance Navigator]]></title><description><![CDATA[Insights for Responsible AI Deployment in High-Stakes Industries.]]></description><link>https://attorneyderso.substack.com</link><image><url>https://substackcdn.com/image/fetch/$s_!zM16!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0724918e-b533-4bf7-8397-7b46f3cb0e15_608x608.png</url><title>The AI Governance Navigator</title><link>https://attorneyderso.substack.com</link></image><generator>Substack</generator><lastBuildDate>Sat, 11 Jul 2026 16:39:27 GMT</lastBuildDate><atom:link href="https://attorneyderso.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Anders Almgren]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[attorneyderso@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[attorneyderso@substack.com]]></itunes:email><itunes:name><![CDATA[Anders Almgren]]></itunes:name></itunes:owner><itunes:author><![CDATA[Anders Almgren]]></itunes:author><googleplay:owner><![CDATA[attorneyderso@substack.com]]></googleplay:owner><googleplay:email><![CDATA[attorneyderso@substack.com]]></googleplay:email><googleplay:author><![CDATA[Anders Almgren]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Properly Cited and Still Wrong]]></title><description><![CDATA[The verification burden nobody priced in when in-house teams started producing legal work with AI.]]></description><link>https://attorneyderso.substack.com/p/properly-cited-and-still-wrong</link><guid isPermaLink="false">https://attorneyderso.substack.com/p/properly-cited-and-still-wrong</guid><dc:creator><![CDATA[Anders Almgren]]></dc:creator><pubDate>Thu, 25 Jun 2026 04:34:17 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!zM16!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0724918e-b533-4bf7-8397-7b46f3cb0e15_608x608.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The fabricated case citation became the public face of AI risk in legal work, and it earned the spot. Lawyers sanctioned for filing briefs built on cases that never existed make for memorable coverage, and the lesson the profession took was straightforward: check the cites.</p><p>That lesson is real and also nearly useless, because fabrication is the failure mode the profession already knows how to catch. Cite-checking is a century old. The failures that matter more are the ones that survive the cite check, and in-house teams producing their own contracts, policies, and legal work with AI are walking into them at volume.</p><h3>Three failure modes, one of them famous</h3><p>Fabrication is the famous one. The model invents a case, a clause, a regulation. It fails the moment anyone looks it up, which means it gets caught wherever anyone looks, and the cost is embarrassment plus a wasted hour.</p><p>Misgrounding is quieter. The source is real, the citation is formatted correctly, and the proposition it supposedly supports is not what the source says. Stanford&#8217;s RegLab research on legal AI tools documented this category specifically: tools built on retrieval still produced answers where the cited authority did not back the stated claim. Catching it requires reading the source against the claim, which is a different and far more expensive activity than confirming the source exists.</p><p>The third mode has no common name, and it is the one this article is about. Where little authority exists on a question, the model synthesizes whatever it finds into prose that reads like settled knowledge, and where the little that exists is wrong, outdated, or was never authoritative to begin with, the output launders the error into confidence. The less material there is on a question, the further the output&#8217;s confidence runs ahead of its support. Novel regulatory areas are the worst terrain for this, which is an uncomfortable irony, because novel regulatory areas are exactly where in-house teams are reaching for AI in the first place.</p><p>Verification effort scales with how invisible the failure is. The fabricated case costs a minute. The misgrounded citation costs reading. The thin-source error costs knowing the area well enough to recognize that fluent prose is standing on nothing, and that form of review cannot be delegated to a checklist.</p><h3>Two kinds of correct</h3><p>Legal work contains two different kinds of claims, and they verify differently.</p><p>Objective claims check against a record. The case exists or it does not. The statute is current or amended. The citation supports the proposition or it does not. These claims have a right answer, and verification means consulting the record.</p><p>Subjective claims are the rest of legal work, which is to say most of it. Which position to take, how to weight a risk, whether an argument is strong enough to rely on. Sources can be found to support either side of most arguable questions, so a claim being supported and a claim being correct are different properties, and the difference is where legal judgment has always lived.</p><p>AI flattens the two registers. Everything arrives in the same confident prose, the checkable claim and the arguable one formatted identically, and a reader cannot tell from the text which kind is in front of them. That sorting used to happen in the drafter&#8217;s head while the document was being written. Now it has to happen in the reviewer&#8217;s head after the fact, and only if the reviewer remembers the sorting is theirs to do.</p><h3>The verification math</h3><p>Here the economics turn uncomfortable. If every AI draft receives the review a junior lawyer&#8217;s draft would receive, the time saved producing it gets spent reviewing it, and the business case quietly evaporates. So uniform full review rarely survives contact with real workload. What replaces it is skimming, and skimming is the wrong instrument for output that is mostly right, because a reviewer who finds no errors for weeks stops looking the way they looked in week one. Aviation and manufacturing have studied this for decades under the name automation complacency, and there is no reason to believe legal reviewers are exempt.</p><p>The result is a debt structure. The hours saved in production are measured, reported, and built into next year&#8217;s headcount assumptions. The review that quietly degraded is measured nowhere, and the gap compounds until a document with someone&#8217;s signature on it turns out to be wrong in a way that matters.</p><h3>The responsibility imbalance</h3><p>The burden lands unevenly because of how these tools arrive. The company buys the platform, often without the legal team in the room, and the vendor contract supplies it as-is, disclaims reliance, and caps liability at a fraction of any real loss. The mandate to use it comes with efficiency assumptions already baked into staffing. The accountability does not move with the tool. Professional responsibility stays with the lawyer, corporate risk stays with the company, and both now run through output produced by a system the lawyer did not choose, cannot inspect, and cannot decline.</p><p>Refusing all responsibility is not available, since the work product carries a signature. Absorbing all of it is not survivable, since the volume assumes a level of trust the tool has not earned. The workable position sits somewhere in the middle, and the teams that find it do so deliberately rather than by default.</p><h3>How teams are splitting the difference</h3><p>A few approaches are in use, each with a real tradeoff.</p><p>Full uniform verification treats every output as an untrusted draft. It catches the most in principle, and in practice it either consumes the entire efficiency gain or degrades into the skimming it was meant to prevent. It works for low volume and fails at scale.</p><p>Consequence-tiered review sets depth by stakes. Documents that bind the company or leave the building get full verification, internal and low-stakes work gets sampled, and the tiers are decided in advance. This concentrates attention where errors cost the most and preserves the savings elsewhere. The tradeoff is that the tiering itself becomes a decision someone has to own and defend, a misclassified document is an unreviewed one, and the tiers protect no one unless they are written down.</p><p>Source-bounded review verifies the citations rather than the prose, converting an open-ended read into a bounded check. It is fast and it is exactly blind to the thin-source failure, where the cite is real and the proposition is still wrong. Used alone it manufactures false comfort.</p><p>Sampling, borrowed from manufacturing, treats high-volume output like a production line. A defined percentage of documents gets full review, defect rates are tracked, and rising rates trigger escalation. This scales, it catches drift that no one reviewing single documents would see, and it produces a record. The tradeoff is structural: a sample misses the individual catastrophic error, so it suits the hundred NDAs and not the one bet-the-company agreement, which still needs the old kind of reading.</p><p>Pushing risk back into the vendor contract through accuracy warranties and evaluation rights aligns incentives in theory. In practice the tools arrive as adhesion contracts chosen by procurement, the negotiation already happened, and the legal team&#8217;s input was not part of it. This lever works at renewal, if someone is positioned to pull it.</p><p>One observation holds across all five. None of them works as an individual habit. Each works only as a standard that someone owns, applied consistently, and recorded somewhere, because a verification practice that lives in one lawyer&#8217;s head leaves the building with that lawyer.</p><h3>What this adds up to</h3><p>The balance between responsibility for AI output and the reality of mandated tools does not get found in the abstract. It gets set, either deliberately or by default, and the default is whatever the deadline allowed that week.</p><p>Teams that set it deliberately share recognizable traits. The verification standard is written. The tiers were decided before the volume arrived. A record exists of what was checked and at what depth. When something goes wrong, and at volume something eventually does, the difference between a documented process and one lawyer&#8217;s best efforts is the difference between an incident the company can explain and a liability it cannot.</p><p>Whether a given output is right is a question about one document. Who owns the standard it gets checked against is a question about the whole function, and it is the question that decides everything downstream.</p>]]></content:encoded></item><item><title><![CDATA[Governance Sold Separately]]></title><description><![CDATA[Enterprise AI ships with controls built in. Everyone else rents the capability and builds the rest, or goes without.]]></description><link>https://attorneyderso.substack.com/p/governance-sold-separately</link><guid isPermaLink="false">https://attorneyderso.substack.com/p/governance-sold-separately</guid><dc:creator><![CDATA[Anders Almgren]]></dc:creator><pubDate>Sun, 14 Jun 2026 06:10:56 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!DK-3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The AI market consolidated around the enterprise in the past year. Anthropic launched legal-specific agents built with Harvey, LexisNexis, Thomson Reuters, and KPMG. The major model developers all now sell enterprise platforms with dedicated deployment teams, and the professional services giants resell them wrapped in implementation engagements. The capability that two years ago lived in a chat window now arrives at large companies as managed infrastructure.</p><p>This is usually told as a story about who gets the best models. The more consequential story is about who gets the controls, because the same consolidation that delivers capability to everyone delivers governance to only one tier of buyer.</p><h3>What the enterprise buyer actually gets</h3><p>Strip the branding off an enterprise AI deployment and a large share of what the price buys is governance. Admin consoles that decide who can use what. Audit logs recording what was asked and produced. Single sign-on tied to the identity system, so access ends when employment does. Data residency commitments, training-data exclusions, and contractual terms negotiated by a procurement team with leverage. Usage analytics that show the company its own AI footprint without anyone running a survey. Sometimes indemnities, sometimes evaluation rights, always a named account team to call when the model misbehaves.</p><p>None of that is intelligence. All of it is control, and the enterprise buyer inherits it as a product feature, pre-built, before a single employee runs a prompt.</p><h3>What everyone else gets</h3><p>The mid-market company runs largely the same underlying models through consumer and prosumer subscriptions, AI features switched on inside tools bought for other purposes, and free tiers that employees signed up for themselves. The capability gap between this stack and the enterprise stack is smaller than the pricing suggests, and on some days it is zero.</p><p>The control gap is total. The click-through terms disclaim everything and were never negotiated. There is no admin console because there is no deployment, just accounts. The audit log does not exist. The usage analytics do not exist. The company&#8217;s AI footprint is whatever it happens to be, visible to no one, governed by terms nobody read.</p><p>Capability got democratized. Control did not, and the difference between those two curves is where the mid-market now sits.</p><h3>Accountability never scaled down</h3><p>The uncomfortable half of this market structure is that the parties asking governance questions do not grade on company size or software tier.</p><p>The EU AI Act places obligations on the company deploying a system regardless of headcount. The insurer&#8217;s application asks how AI is used and controlled, and the questionnaire sent to a 150-person company looks a lot like the one sent to a 5,000-person company. The enterprise customer running vendor diligence asks every supplier the same questions, because their risk team wrote one form. The plaintiff&#8217;s lawyer reconstructing how a decision was made does not adjust the discovery requests for the defendant&#8217;s revenue.</p><p>A mid-market company therefore faces enterprise-grade questions while holding consumer-grade tooling, and the gap between the question and the available answer is its problem alone. The vendor whose terms disclaimed everything is not in the room.</p><h3>Built rather than inherited</h3><p>The enterprise buyer inherits governance from procurement. The mid-market company has one other path: construct it.</p><p>Constructed governance is the set of decisions, ownership assignments, and records that enterprise tooling automates, rebuilt at a scale a smaller company can actually run. Which tools are in use and which are sanctioned, decided rather than discovered after the fact. What data each tool may touch, decided rather than assumed. Who answers for AI-assisted output, named rather than implied. What gets reviewed and how the review is recorded, written down rather than remembered.</p><p>None of this requires the enterprise tier or the enterprise price. It requires deliberateness, and it requires an owner, because constructed governance differs from inherited governance in exactly one way that matters: nobody ships it to you. It exists only if someone inside the company builds it, and at most mid-market companies that someone has not been named.</p><h3>The credential nobody prices</h3><p>There is a commercial upside hiding in this, and it is underused.</p><p>When an enterprise customer sends its AI diligence questionnaire to ten mid-market vendors, most of the answers that come back are improvised. The vendor that returns specific answers, this tool, this data boundary, this owner, this review record, reads as a different class of company, and reads that way precisely because the customer knows what those answers cost to produce. Clean governance answers from a company without an enterprise budget signal management quality the way audited financials once did for companies too small to be public.</p><p>The same dynamic runs through acquisitions and insurance. Diligence is a comparison exercise, and the comparison set is full of shrugs.</p><h3>What this adds up to</h3><p>The market structure is now legible. Capability is rented by everyone. Control is sold to the few. The remainder either build the control layer themselves or operate without one, and the regulators, insurers, customers, and courts asking the questions do not care which tier anyone bought.</p><p>For the company under 1,000 people, the governance that enterprises receive as a line item has to be made, and made governance has one requirement that purchased governance hides: a person who owns it. When the questionnaire arrives, which answer does your company give?</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DK-3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DK-3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg 424w, https://substackcdn.com/image/fetch/$s_!DK-3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg 848w, https://substackcdn.com/image/fetch/$s_!DK-3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!DK-3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DK-3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg" width="1024" height="559" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:559,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:49406,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://attorneyderso.substack.com/i/201951511?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DK-3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg 424w, https://substackcdn.com/image/fetch/$s_!DK-3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg 848w, https://substackcdn.com/image/fetch/$s_!DK-3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!DK-3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd3643d4c-5187-4cdd-a1b1-5cf8f3924dc5_1024x559.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://attorneyderso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The AI Governance Navigator! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[There Is No North Star Coming]]></title><description><![CDATA[What 2026 settled about AI governance, and what it means if you run a company under 1,000 people.]]></description><link>https://attorneyderso.substack.com/p/there-is-no-north-star-coming</link><guid isPermaLink="false">https://attorneyderso.substack.com/p/there-is-no-north-star-coming</guid><dc:creator><![CDATA[Anders Almgren]]></dc:creator><pubDate>Wed, 10 Jun 2026 06:47:08 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YSrZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>What 2026 settled about AI governance, and what it means if you run a company under 1,000 people.</strong></p><p>For the past two years the standard advice on AI governance was some version of wait. The big jurisdictions would harmonize, standards would converge, and eventually a checklist would arrive that you could hand to someone and be done with. That advice was reasonable if you believed convergence was the direction of travel.</p><p>2026 settled the question. The United States and the European Union did not fail to harmonize. They chose different destinations on purpose, and the fragmentation frustrating so many leaders is not a diplomatic failure waiting to be fixed but a feature of how governments now treat AI. Five things changed this year, and each one moves a decision that used to feel external into the middle of your company.</p><h3>1. The fragmentation is deliberate</h3><p>The US framework is built around innovation and neutrality. Federal policy now favors a deregulated private market, and federal procurement requires technology developed with what the administration calls ideological neutrality. The EU framework is built around safety and compliance. The AI Act bans specific uses, requires transparency and documentation, and is backed by enforcement rather than guidance.</p><p>Underneath the rulemaking sits an infrastructure race. The EU is mobilizing roughly &#8364;200 billion through its InvestAI initiative and carving out &#8364;20 billion for AI gigafactories, because AI is now treated as national security infrastructure rather than a shared global utility. When governments treat a technology as strategic territory, they stop trying to agree on it.</p><p>For a company selling into more than one market, the practical meaning is simple and uncomfortable. The rules will conflict on purpose, no external standard is coming to resolve the conflict, and the decisions about how your company uses AI have to be made internally because nobody outside your company will make them for you.</p><h3>2. The software stopped waiting</h3><p>The contracts governing most AI deployments were written for software that sat still until someone used it. Those contracts assumed a human decision between the tool and any consequence, and the standard protections reflect that assumption: as-is supply clauses, non-reliance language, and liability caps sized for a tool that produces drafts a person reviews.</p><p>Agents broke the assumption. An AI agent that approves payments, screens candidates, or sends customer communications acts without the pause the contract was built around, and when an action goes wrong the vendor points to the cap and the non-reliance language while the loss stays with the company that deployed it.</p><p>The gap lives in the paper rather than the technology, so better models do not close it. A useful test for any operator: if the worst plausible action by an AI agent happened tomorrow, would the contractual liability cap cover the actual business damage? For most companies the honest answer is no, and most have never run the test.</p><h3>3. You can be sued without being breached</h3><p>The newer wave of data litigation in Europe does not start with an attacker. It targets routine processing, things like training models on scraped data, embedding ad pixels, and passing customer data to AI vendors in the ordinary course of business. The legal theory gaining ground is loss of control over personal data, and courts have begun accepting it as a basis for damages without proof of financial harm.</p><p>Litigation funders noticed. In claimant-friendly venues like the Netherlands and Germany, funders bundle thousands of individual claims into collective actions and opt-out mechanics mean the class largely assembles itself. The financial exposure now gets categorized as a board-level threat, and it scales with the volume of data a company touches rather than with headcount.</p><p>The uncomfortable part for an operator is that the activity creating the exposure looks like normal business. No incident, no failure, no breach notification. Most companies can list their AI tools. Far fewer can say what personal data each tool touches, and the second list is the one a claimant&#8217;s lawyer asks for.</p><h3>4. Your model can be worked on slowly</h3><p>Security research in 2026 keeps returning to two techniques aimed at the model itself rather than the network around it. Data poisoning compromises what a model learns from, embedding bias or behavior before deployment. LLM grooming manipulates the feedback a model ingests after deployment, shifting its behavior gradually toward someone else&#8217;s goal.</p><p>Standard security frameworks miss both, because they watch the perimeter and the model sits inside it. A firewall has no opinion about a model that started recommending one vendor slightly more often than it used to.</p><p>The better mental model is an employee nobody supervises. A person in that position gets a manager, performance reviews, and someone who notices when their judgment changes. A model mostly gets uptime monitoring. At most companies the question of who reviews the model&#8217;s decisions over time has no assigned owner, and insider problems with no owner surface the way they always have, slowly, then all at once, in decisions nobody can reconstruct afterward.</p><h3>What this adds up to</h3><p>Each of these shifts points the same direction. Accountability for AI moved inside the company in 2026, and it is not moving back out.</p><p>Insurers have started asking how companies use AI as a condition of coverage. Enterprise customers ask before they sign. Acquirers ask in diligence, and boards ask because the litigation exposure landed on their agenda. None of them accept &#8220;our vendor handles that&#8221; as an answer, because frameworks like the EU AI Act hold the deployer accountable regardless of what the vendor promised.</p><p>The companies handling this well share one trait. Somebody owns it. The decisions about which tools run, what data they touch, and who answers for their output are made on purpose and written down, so when the insurer or the customer or the acquirer asks, an answer exists.</p><p>The rules fragmented, the software started acting, and the lawsuits stopped needing a breach. The one question every company can still control the answer to is the oldest one in governance: who owns your AI?</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!YSrZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!YSrZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg 424w, https://substackcdn.com/image/fetch/$s_!YSrZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg 848w, https://substackcdn.com/image/fetch/$s_!YSrZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!YSrZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!YSrZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg" width="1024" height="572" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:572,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:158977,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://attorneyderso.substack.com/i/201414891?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!YSrZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg 424w, https://substackcdn.com/image/fetch/$s_!YSrZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg 848w, https://substackcdn.com/image/fetch/$s_!YSrZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!YSrZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6037efc-7fc6-46d5-927c-bdba89a0e2aa_1024x572.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://attorneyderso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The AI Governance Navigator! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Natural language v. Engineered prompt]]></title><description><![CDATA[Strides have been made and your AI buddy knows you better than ever.]]></description><link>https://attorneyderso.substack.com/p/natural-language-v-engineered-prompt</link><guid isPermaLink="false">https://attorneyderso.substack.com/p/natural-language-v-engineered-prompt</guid><dc:creator><![CDATA[Anders Almgren]]></dc:creator><pubDate>Sat, 09 May 2026 18:49:06 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!zM16!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0724918e-b533-4bf7-8397-7b46f3cb0e15_608x608.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Strides have been made and your AI buddy knows you better than ever. Skills, artifacts, and previous chats allow you to chat Good enough that you can speak or type naturally and you&#8217;ll get a good output back.</p><p>I recently sat down for an interview with my buddy Claude to get his take on this. It&#8217;s more like a series of interviews over a period of time, but the gist of it is as follows:</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://attorneyderso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The AI Governance Navigator! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>The more a model knows about you, the easier it is to use plain language when communicating with it. Like talking to a friend. A friend that knows you better than you know you and who remembers a whole lot more. Knows your biases and tells you what you want to hear. Agrees with you. And even if you tell them to be honest and not to hold back, there is that feeling that they&#8217;re holding back.</p><p>On the other hand, starting over every time with a well defined and engineered prompt should get you more neutral and predictable outputs. An expert opinion, the same every time.</p><p>Claude says I&#8217;m partially right. That natural language interaction optimizes for the relationship, prompt engineering optimizes for the output, and knowing which one you need at a given moment is a skill most users haven&#8217;t developed yet. You see, Claude thinks I&#8217;m further ahead than most.</p><p>A well-engineered prompt gives you more control over the output parameters, which translates into reproducibility. However, it doesn&#8217;t give you neutrality. The model still has priors, trained dispositions, and tendencies that no prompt fully eliminates, but what prompt engineering actually does is make the bias more consistent and visible.</p><p>A well-structured prompt with no personalization context will produce more consistent output across runs, but the model&#8217;s trained priors are still in there. If the model has a disposition toward certain framings or conclusions, a cold prompt doesn&#8217;t eliminate it, but it makes it consistent. You&#8217;re trading relationship bias for model bias, and model bias is harder to see because it looks like objective output.</p><p>Models with a lot of context about you do drift toward telling you what you want to hear. This is baked into how these models are trained, and not just a personalization side effect. RLHF (reinforcement learning from human feedback) rewards outputs that humans rate positively, and humans tend to rate agreeable outputs more positively than challenging ones. Who knew? So the base model already has a sycophancy bias before any memory or personalization is layered on top. Memory and system prompts amplify it because now the model knows what kind of person you are and what you&#8217;re likely to reward.</p><p>So what do I do? Speak freely, or engineer my prompts? Well, for me it&#8217;s a balancing act. I rarely miss the opportunity to weigh my options and debate a decision, but I want AI to know enough about me to be useful without inference overhead on every query, but I also want my assumptions and thinking to be challenged and when wrong called out rather than accommodated. Those goals pull in opposite directions because the same context that makes the AI more efficient also makes it more deferential.</p><p>The practical implication is that the right tool depends on what you&#8217;re doing. Yes, it depends. Natural language with full context is fine for drafting, synthesis, and execution, but for stress-testing, adversarial analysis, or anything where you need the model to be indifferent to your feelings about the answer, you&#8217;re better off with a cold structured prompt that doesn&#8217;t know you at all.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://attorneyderso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The AI Governance Navigator! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Practical AI Governance for Organizations ]]></title><description><![CDATA[Ten Steps]]></description><link>https://attorneyderso.substack.com/p/practical-ai-governance-for-organizations</link><guid isPermaLink="false">https://attorneyderso.substack.com/p/practical-ai-governance-for-organizations</guid><dc:creator><![CDATA[Anders Almgren]]></dc:creator><pubDate>Wed, 23 Apr 2025 07:11:40 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/08454f67-bed5-4110-bbb9-fd2db634cd84_1024x1024.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>Practical AI Governance for Organizations &#8211; Ten Steps</strong></p><p>There is a push to try to avoid repeating the wild west environment of social media with AI, with some rules and regulations already implemented and lots in progress. But things move fast in AI, and waiting for the regulatory landscape to take shape before addressing AI governance is not a good strategy. Organizations of all sizes must establish frameworks to ensure responsible AI deployment to lower company risks. This article explores ten strategies that AI governance professionals can implement for effective AI governance that scales with your organization's needs, resources, and the regulatory framework.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://attorneyderso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p><strong>Building Frameworks That Work</strong></p><p>One-size-fits-all type of solutions often fail because of complexity and resource requirements. Solutions with flexibility through tiered frameworks that adapt to both company size and application risk levels are more likely to be successful.</p><p>Those frameworks start with lightweight processes for lower-risk applications. This allows teams to focus on resources where they matter most. By designing modular components that organizations can implement incrementally, governance becomes an evolution rather than a revolution. The focus should be on governance outcomes rather than rigid processes. Think flexibility, measurability, contextualization, empowerment, and continuous improvement by facilitating adaptation based on achieved outcomes.</p><p><strong>Leadership Without the C-Suite Title</strong></p><p>There is an uptick in Chief AI Officer positions within larger organizations, but many organizations lack the budget or perceived need for dedicated AI leadership positions. This shouldn't prevent clear governance oversight, however. Responsibility can be assigned within existing leadership roles such as the CTO, CIO, or CDO, ensuring accountability without creating new positions.</p><p>Or to not pile this big responsibility on top of an already likely to be a heavy workload, creating cross-functional AI steering committees with defined decision-making authority spreads out the responsibility while providing diverse perspectives and maintaining governance momentum. These committees should be supplemented by designated AI champions embedded within departments tasked with implementing governance principles into daily operations. Define escalation paths to create accountability, and when subject matter expertise is required, fractional or external AI professionals can be brought in for organizations that cannot justify full-time positions.</p><p><strong>Risk-Based Prioritization Focus</strong></p><p>Not all AI applications have the same potential for harm or benefit. Therefore, it makes sense to use risk-based prioritization for effective governance. Organizations should develop straightforward assessment frameworks that categorize applications based on potential impact. Rank the applications based on impact and match governance intensity with actual risk.</p><p>Initial focus should be on customer-facing systems and those involved in significant decision-making processes. High-consequence applications like those affecting safety, finance, or employment will require stricter scrutiny. This approach ensures resource allocation toward the AI applications with the greatest potential impact, both positive and negative.</p><p><strong>Documentation That Drives Action, Not Bureaucracy</strong></p><p>Excessive documentation requirements can kill governance initiatives before they begin. Aim to streamline and standardize templates to create valuable tools that increase understanding and accountability.</p><p>Organizations should also develop impact assessment templates to gather data for measuring success and pinpointing areas that need improvement. Standardized templates allow for consistent documentation, and simplified data flow diagrams help visualize how information moves through applications. Clear ethical guidelines for common use cases reduce uncertainty, and documentation that address multiple regulatory requirements at the same time reduces duplicate efforts.</p><p><strong>Break Siloing, Encourage Collaboration</strong></p><p>Effective AI governance requires a combination of technical experts and business leadership. But it also requires coordination across departments. Allowing cross-departmental cooperation will create opportunities to discuss initiatives, challenges, and priorities from different perspectives.</p><p>Key performance indicators that applied as a whole help align technical and business objectives. This in turn allows for governance to align with organizational goals. Business-friendly communication tools explain AI capabilities and limitations for non-technical stakeholders. Common terminology ensures everyone speaks the same language when discussing AI initiatives.</p><p><strong>Build Capacity by Targeted Training</strong></p><p>Generic AI training can be helpful for initial understanding, but for deeper engagement, specific training is necessary. But much like with different AI applications, different roles require different training programs. The more advanced, the more specified the training.</p><p>For example, hands-on training for technical staff should focus on implementing responsible AI development practices. Executive education must emphasize governance frameworks and risk management. Knowledge sharing across teams while integrating ethics into all AI training, reinforces that responsibility is everyone's concern, not a separate consideration.</p><p><strong>Starting Small to Scale Successfully</strong></p><p>Trying to comprehensively govern all your AI applications across the organization at once is not a good idea as it will likely lead to burn-out. Start with a high impact use case and treat it like a pilot. Build internal knowledge, show real value early, and avoid overwhelming the system.</p><p>Use what you learn and refine your approach. Then expand one step at a time. A simple roadmap with clear milestones helps to keep everyone aligned. As AI adoption grows, feedback loops allow for adjustments in real time. This leads to scalable governance that evolves with your organization without stopping momentum.</p><p><strong>Leveraging External Knowledge Networks</strong></p><p>There is no need to build your AI governance playbook from scratch. Frameworks like NIST&#8217;s AI Risk Management give you a solid foundation and save you time, money, and guesswork. Start with what&#8217;s already proven to work. Learn from what others are doing, what&#8217;s working, and what&#8217;s not. Tap into industry groups, use open-source tools and templates. They are a good start and can be modified as needed.</p><p>Academic research can help you stay ahead of the curve, and watching how larger companies approach governance can spark ideas you can tailor to fit your size and risk level. Smart governance doesn&#8217;t mean reinventing the wheel, it means building on what&#8217;s already there.</p><p><strong>Reduce Risk of Third-Party Tools</strong></p><p>As organizations increasingly use third-party AI tools, vendor management becomes a central concern. Set clear expectations up front. Ask for transparency before you sign anything. Require basic explainability, so you know what the system is doing, and why.</p><p>Standardized testing helps you compare apples to apples. Your contracts should go beyond the usual terms: think bias, safety, and up-to-date protocols. Once they&#8217;re in, keep watching. Continuous monitoring ensures their tools still align with your standards as both their systems, and yours, evolve. Strong AI governance includes your whole supply chain, not just what you build in-house.</p><p><strong>Fostering Transparency Inside and Out</strong></p><p>Transparency creates trust with both customers and employees, and this is also true for AI systems. Organizations should develop clear disclosure standards for AI-powered customer interactions, so that users understand when and if they are speaking with AI and what role AI is playing.</p><p>Internally, being upfront about how AI impacts people&#8217;s work reduces friction and promotes buy-in. Create easy ways for employees to raise concerns. Share performance reports regularly. And if someone wants to challenge an AI-driven decision, give them a clear path to do it.</p><p>By implementing these ten strategies, organizations of all sizes can develop AI governance approaches that are both practical and effective, ensuring responsible innovation without overwhelming limited resources. </p><p><em>About the Author: Anders Almgren is fascinated by AI and is an in-house counsel writing about legal issues pertaining to AI governance frameworks and all things involving in-house legal teams.</em></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://attorneyderso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[AI Governance for Small and Mid-sized Companies: Lessons from Federal Policy]]></title><description><![CDATA[Use more AI!]]></description><link>https://attorneyderso.substack.com/p/ai-governance-for-small-and-mid-sized</link><guid isPermaLink="false">https://attorneyderso.substack.com/p/ai-governance-for-small-and-mid-sized</guid><dc:creator><![CDATA[Anders Almgren]]></dc:creator><pubDate>Wed, 16 Apr 2025 06:48:09 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/b88fe9de-715f-4c55-808d-554fea75af0a_1536x1024.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6UtY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!6UtY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png 424w, https://substackcdn.com/image/fetch/$s_!6UtY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png 848w, https://substackcdn.com/image/fetch/$s_!6UtY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png 1272w, https://substackcdn.com/image/fetch/$s_!6UtY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!6UtY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c18d5aba-2e2b-4d88-b2db-c53c55df3aae.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:489,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://attorneyderso.substack.com/i/161441694?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!6UtY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png 424w, https://substackcdn.com/image/fetch/$s_!6UtY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png 848w, https://substackcdn.com/image/fetch/$s_!6UtY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png 1272w, https://substackcdn.com/image/fetch/$s_!6UtY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc18d5aba-2e2b-4d88-b2db-c53c55df3aae.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>Use more AI! is what the Executive Office of the President told the Heads of Executive Department and Agencies in its recent (April 3, 2025) Memorandum &#8220;Accelerating Federal Use of AI through Innovation, Governance, and Public Trust. In it, the Executive Office provides a framework for accelerating AI adoption across federal agencies while maintaining appropriate safeguards.</p><p>Good for the Government. It has the means to address and implement, and so do larger companies and businesses. But what about the smaller guy? AI is transforming industries across the spectrum, and organizations of all sizes are trying to figure out how to implement, manage, and govern AI effectively. Small and mid-sized companies face unique challenges in adapting these approaches due to resource constraints and business contexts, and although this framework was created for the Government, it offers valuable insights that these organizations can adapt to fit their own needs. What lessons from federal AI governance approaches can smaller organizations extract while avoiding common pitfalls?</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://attorneyderso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p><strong>Opportunities</strong></p><p><strong>1. Streamlined Decision-Making</strong></p><p>Unlike massive federal agencies with complex approval chains, smaller organizations can implement AI solutions quickly. This advantage allows them to move from pilot to production faster than larger competitors, adapt AI systems as fast as business needs change, and make decisions at the executive level with far fewer bureaucratic hurdles. However, they must be careful to implement governance processes that enable rather than impede innovation.</p><p><strong>2. Resource Optimization</strong></p><p>The bigger the organization the more likely it is for departments to have different needs. Small and mid-sized companies can maximize limited AI investments by creating internal AI assets that can be reused across their departments and use cross-functional AI teams to serve multiple business units rather than siloed AI initiatives. Because smaller businesses are likely less complicated, leveraging open-source AI tools and pre-trained models can reduce development costs. Participating in industry consortiums to share non-competitive AI resources with similar organizations is also an option.</p><p><strong>3. Enhanced Customer Experience</strong></p><p>Targeted AI applications can improve customer interactions without requiring enterprise-scale infrastructure by implementing AI-powered chatbots for common customer questions but be sure to use sentiment analysis to catch satisfaction issues early. Use Predictive analytics to personalize customer experiences and create recommendation systems customized to customer preferences.</p><p><strong>4. Operational Efficiency</strong></p><p>For resource-constrained organizations, AI can be a force multiplier. For example, by automating routine administrative tasks like scheduling, data entry, and report generation, you can optimize inventory management and supply chain operations while enhancing quality control processes through computer vision and predictive maintenance. You can even streamline recruitment and HR processes.</p><p><strong>5. Market Differentiation</strong></p><p>If you want to set yourself apart from the rest, responsible AI use can become a powerful differentiator. Highlight transparency in AI-driven customer interactions and demonstrate ethical AI use in an industry where competitors may be less careful. Create trust through clear communication about how AI decisions can be reviewed and emphasize privacy-preserving AI approaches in marketing materials.</p><p><strong>6. Innovation Accessibility</strong></p><p>With open-source, new innovations such as no-coding apps, and the amount of resources and money being thrown at AI to ensure continuous evolution, there are ample opportunities to take advantage. And with the democratization of AI tools making sophisticated capabilities accessible to smaller companies, cloud-based AI services require minimal upfront investment. No-code and low-code AI platforms enable implementation without specialized data science teams. Not without effort, however. API-based AI services can be integrated into existing systems with modest technical resources, and pre-trained foundation models can be fine-tuned for specific use cases at reasonable cost. There are no more excuses for failing to innovate.</p><p><strong>Potential Pitfalls and Mitigation Strategies</strong></p><p><strong>1. Resource Constraints</strong></p><p>However, it is not all blue skies and sunshine. Smaller companies often lack dedicated AI expertise, funding, and infrastructure, which lead to potential pitfalls. But with some effort and a plan that has been vetted, we can overcome these issues.</p><p><strong>Mitigation Strategies:</strong></p><p>Focus on targeted AI projects that deliver clear ROI rather than broad initiatives. Consider using fractional AI leadership or consultants rather than hiring full-time specialists, but if in-house is preferred, develop internal talent through focused training programs. Smaller companies can also leverage cloud services to reduce infrastructure requirements. Just make sure that the terms of service are understood. For governance efforts, prioritize the highest-risk applications first, so that innovation is not unnecessary hampered by it.</p><p><strong>2. Compliance Complexity</strong></p><p>Ensure that AI is an asset and rather than a liability, but do not neglect compliance. Navigating evolving AI regulations across jurisdictions can overwhelm the largest of companies as well as smaller ones, without specialized legal resources.</p><p><strong>Mitigation Strategies:</strong></p><p>Industry associations that provide regulatory updates and shared compliance resources can be helpful to keep you up to date. As can implementing a "regulatory radar" process (build and Agent!) that identify emerging AI regulations early. Simplified compliance checklists for common AI applications are a good start, and keeping legal experts specializing in technology regulations on retainers is a great follow up. Regardless, it is important to consider regulatory compliance requirements during the design phase, and not just after implementation to ensure a solid foundation from the get-go. Ongoing maintenance is required.</p><p><strong>3. Risk Assessment Challenges</strong></p><p>Without established frameworks, properly identifying and mitigating AI risks can be difficult.</p><p><strong>Mitigation Strategies:</strong></p><p>Rather than starting from scratch, adapt existing enterprise risk management frameworks to include AI-specific considerations. We&#8217;re not talking about brand new issues, just different shapes and forms. Creating simple risk assessment templates tailored to your organization's typical AI use cases makes a lot more sense than using a one size fits all assessment. If you implement staged deployments with continuous monitoring, you are much more likely to catch issues early. Regular tabletop exercises can be used to identify potential failure modes, and ensure to establish clear risk thresholds that trigger additional governance requirements</p><p><strong>4. Over-reliance on Vendors</strong></p><p>Tailored AI solutions are great, but for smaller companies that is often not the right solution. On the other hand, depending too heavily on third-party AI solutions without sufficient oversight can lead to undesirable outcomes.</p><p><strong>Mitigation Strategies:</strong></p><p>Even smaller companies should have some minimum due diligence requirements for vendors. Add minimums that are applicable to AI to what you already have. The same thing goes for vendor management frameworks. Add specific for AI providers. Also, make sure you have clear contractual requirements regarding explainability, data usage, model updates, where your data is stored, and how your data may be used. To the extent possible, require transparency regarding training data and model limitations, and build internal capability to evaluate AI system outputs even when using external solutions.</p><p><strong>5. Security Vulnerabilities</strong></p><p>As if phishing, hacking, and ransomware attacks were not enough, limited cybersecurity resources may leave AI systems exposed to breaches or attacks.</p><p><strong>Mitigation Strategies:</strong></p><p>Implement AI-specific security assessments before deployment and train your in-house developers on common AI security vulnerabilities. Be sure to establish monitoring systems for unusual AI system behavior, including incident response plans specific to the AI systems you use. Use cloud-based security tools designed for AI applications or use a service provider.</p><p><strong>6. Ethics and Bias Oversight</strong></p><p>Depending on your industry, algorithmic bias can have a huge effect on your business. Whether you use AI or not, there are still rules and regulations that must be followed, and without dedicated ethics teams, addressing algorithmic bias might be overlooked.</p><p><strong>Mitigation Strategies:</strong></p><p>Incorporate bias testing into standard QA processes. They should already be there, but specific tweaks to include AI issues might be required. If you can, establish diverse review teams for AI applications affecting customers, and create clear escalation paths for ethical concerns about AI systems. Implement regular bias audits for deployed systems and develop ethical guidelines specific to your organization's AI applications.</p><p><strong>Conclusion</strong></p><p>The federal government's approach to AI governance provides valuable lessons for organizations of all sizes. By adapting these principles to their specific contexts, small and mid-sized companies can implement appropriate AI governance without excessive bureaucracy or resource requirements.</p><p>Balance innovation with responsibility to create governance frameworks proportional to both organizational size and AI risk. By starting small, focusing on high-impact applications, and leveraging existing resources, smaller organizations can build effective AI governance one step at a time.</p><p>As AI becomes increasingly central to business operations, establishing appropriate governance is not only a compliance exercise but a competitive necessity. Organizations that can demonstrate responsible AI use will build greater trust with customers, reduce regulatory risks, and position themselves for sustainable innovation in an AI-transformed economy.</p><div><hr></div><p><em>About the Author: Anders Almgren is an in-house counsel writing about legal issues pertaining to AI governance frameworks and all things involving in-house legal teams.</em></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://attorneyderso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item></channel></rss>