As artificial intelligence transforms legal practice, law firms face increasing pressure to adopt AI while ensuring compliance with emerging regulations. In a recent Platforum9 Session, Ciara O’Buachalla, a former lawyer turned legal tech entrepreneur, provided crucial insights into how firms can navigate the European Union’s AI Act and establish proper governance frameworks.
The Regulatory Landscape Takes Shape
The EU AI Act’s implementation follows a staged approach, with key dates that firms must prepare for. From 2 February 2025, the bans on prohibited AI practices apply, and so does the Act’s AI literacy duty for providers and deployers. Obligations for general purpose AI models follow on 2 August 2025. The bulk of the Act, including the rules for high-risk AI systems, applies from 2 August 2026, by which date each Member State must also have at least one regulatory sandbox in operation; high-risk obligations for AI embedded in products covered by existing EU product safety legislation get an extra year, to 2 August 2027.
Building the Foundation for Compliance
The journey towards compliance begins with a comprehensive inventory of AI usage across the organisation. “First, map out all current and planned AI use cases across departments, functions, tools, even features,” O’Buachalla advises. This inventory becomes the foundation for all subsequent governance decisions.
Organisations must then determine their role within the AI ecosystem. A firm might be a provider developing AI systems, a deployer using them under their authority, an importer bringing solutions into the EU market, or a distributor making them available within the EU. Each role carries distinct obligations under the Act.
Perhaps most critically, firms must conduct thorough risk assessments of their AI systems. The Act is risk-based, so the first question for each inventoried use case is where it falls among the Act’s tiers (prohibited, high-risk, limited-risk with transparency duties, or minimal risk), because that classification determines which obligations attach. This isn’t a one-time exercise but an ongoing process that must cover the entire AI lifecycle, from data collection through deployment and monitoring.
The Data Challenge
The Act places significant emphasis on data governance, requiring organisations to ensure their training data is relevant, representative, and free from errors. This requirement becomes particularly challenging when considering bias in data sets—an issue O’Buachalla highlights as especially problematic since human bias can be amplified by AI systems.
Key data governance requirements include:
- Rigorous procedures for data collection and storage
- Robust processing and sharing protocols
- Technical measures to protect personal data
Importantly, GDPR compliance remains fundamental to AI governance. “AI governance starts with GDPR compliance,” O’Buachalla emphasises.
Understanding the Stakes
The penalties for non-compliance are severe and tiered according to the violation, in each case up to the stated amount or the stated share of annual worldwide turnover, whichever is higher (for SMEs, whichever is lower):
- Engaging in a prohibited AI practice could cost organisations up to €35 million or 7% of annual worldwide turnover
- Breaches of the Act’s other obligations, including those for high-risk AI systems, may incur penalties up to €15 million or 3%
- Providing incorrect, incomplete or misleading information to regulators risks fines up to €7.5 million or 1%
Creating an Effective Governance Structure
Success in AI governance requires a cross-functional approach. While some organisations are appointing dedicated AI officers, O’Buachalla suggests that the exact structure matters less than ensuring clear responsibilities and collaboration across departments. “It’s not just one person’s job,” she notes. “You need a team with IT expertise, compliance knowledge, and project management skills.”
Training becomes crucial in this context. The Act’s AI literacy obligation applies to providers and deployers from 2 February 2025, making it one of the first duties firms must meet. Firms must develop comprehensive AI usage policies and ensure ongoing AI literacy training for all staff. This becomes particularly important as employees increasingly access AI tools independently, whether sanctioned by the firm or not.
Managing External Relationships
Vendor management takes on new importance under the AI Act. When selecting third-party AI providers, firms must carefully evaluate their compliance documentation and seek specific assurances, for a high-risk system including the provider’s instructions for use and its declaration of conformity. Because a deployer of a high-risk system has its own obligations, such as using the system in accordance with those instructions, assigning human oversight and retaining the logs the system generates, enterprise agreements need robust service level agreements and a clear delineation of which party holds which AI governance responsibility.
The Path Forward
“It’s not going away,” O’Buachalla emphasises. “I would see it as an opportunity. If you get it right, that is a competitive advantage you have, whether it’s your product, your service, or your internal systems.”
While the regulatory requirements may seem daunting, they also present an opportunity for firms to differentiate themselves. Those that develop robust compliance frameworks now will be better positioned to leverage AI technology while maintaining regulatory compliance and client trust.
The key lies in viewing AI governance not as a one-time compliance exercise but as an ongoing process of adaptation and improvement. Regular risk assessments, policy updates, and continued training must become part of the firm’s operational DNA.
As the legal industry continues its technological transformation, the firms that thrive will be those that successfully balance innovation with compliance, using AI governance as a foundation for sustainable growth rather than seeing it as merely a regulatory burden.