Mentors of Digital Innovation

CIO Two Cents Blog

The ‘CIO Two Cents’ blog features insights from Yvette Kanouff, partner at JC2 Ventures. Learn what’s on the mind of CIOs at this moment in time.


A Conversation on AI Governance, Compliance, and Trust

With Law Partner and Former SEC Enforcement Leader David Hirsch

VOLUME 1 - ISSUE 22 ~ JUNE 4, 2026

 

In this edition of the “CIO Two Cents” newsletter, I talk with David Hirsch about the evolving AI governance and compliance landscape, and why companies need clarity, strong internal governance, and trust, as AI adoption accelerates.
— Yvette Kanouff, partner at JC2 Ventures

The JC2 Ventures team (John J. Chambers, Shannon Pina, John T. Chambers, me, and Pankaj Patel)


 

  1. AI governance is evolving quickly, and companies need clarity as laws, regulations, and enforcement expectations continue to take shape.

  2. Strong internal governance, including clear ownership, oversight, and responsible use of corporate data, is critical as AI adoption accelerates.

  3. Trust will determine how far and how fast AI scales, with companies needing to balance innovation, compliance, security, and responsible deployment.

 

As discussions around AI governance and compliance continue to evolve, I had the chance to sit down with my friend David Hirsch, who is a partner at McGuireWoods LLP. David has a long history with securities law and complex regulatory enforcement, and he is highly respected in the field. He previously led the SEC’s enforcement unit dedicated to cybersecurity and crypto, which also had AI oversight responsibilities.  

David has contributed meaningfully to the SEC’s approach to cyber regulation and compliance requirements, and related best practices. What stands out to me is that David is a strong bridge between the market, companies, technology, and the law. Given that laws are not fully solidified in this complex field, he had some interesting insights.

Yvette: David, AI is evolving at a pace that is faster than our judicial and legislative systems have been able to respond. Companies would benefit from more clarity and alignment. How are you thinking about this?

David: This is true. Here are a few state-based examples.

  • In the Heppner decision, Judge Rakoff, in the U.S. District Court for the Southern District of New York, found that use of a commercially available AI LLM platform may waive attorney-client privilege and work product protection. The platform’s terms of use disclosed that prompts and responses could be retained, disclosed to law enforcement and potentially others, and used to train the model. In Judge Rakoff’s view, communications to an AI chat platform effectively disclosed confidential material to a third party, potentially waiving protections.

  • The same week in Warner v. Gilbarco, a U.S. district court judge in Michigan ruled the opposite, finding that the plaintiff, who was acting without an attorney, had not waived work product protection by disclosing material to a similar LLM platform. That judge held that only disclosures to a third party waive protection, and chatbots are tools, not people or parties.

In the absence of new laws to define and regulate AI, this is just one example of courts struggling to find the correct legal analogy. This highlights the potential for diverging legal conclusions depending on the judge and court considering the issues. Let me provide a few executive branch examples.

  • Through an executive order issued on December 11, 2025, the Trump administration advanced a federal approach to AI policy, including the view that a more unified national framework could preempt conflicting state laws. On March 20, 2026, the White House released a series of legislative priorities it wants Congress to adopt through comprehensive AI legislation, including protecting children, promoting innovation, and preempting state laws.

  • The issue of preemption is important because in 2025 alone, 38 states adopted more than 100 bills addressing AI.* That demonstrates the potential that AI developers and corporations in the U.S. will have to navigate a patchwork of separate laws and reporting requirements, some of which may not align with one another. That fragmentation can make it harder for companies to scale a potentially transformative technology consistently across the country, and may require different features and controls depending on the state where a user is based.  

It remains to be seen whether Congress will adopt comprehensive AI legislation that preempts state laws and establishes one clear set of expectations. That may become more challenging as congressional attention increasingly turns toward the November midterm elections.

In the private sector, I’ve spent a lot of time thinking about a major AI platform's recent decision to delay the release of a new model while working with leading cybersecurity and networking companies to address vulnerabilities the platform can surface. This delay likely created a short-term financial impact for the model developer, but it does not appear to have slowed technology development. Ideally, other developers that identify significant potential risks should share a similarly calibrated sense of corporate responsibility. 

As an economic system, the U.S. government typically provides oversight and rules for businesses and technologies that pose risks of significant harm. In the U.S., the focus on risk has, until recently, primarily arisen at the state level, resulting in compliance complexity and inconsistency, with other countries also adopting significant restrictions and rules to promote safe outcomes.  

Yvette: So, how are corporate America and AI companies responding to an evolving legal landscape? What does the industry need from government? Are we competitive internationally, and are we striking the right balance among safety, innovation, and U.S. leadership?

Based on what I've observed, corporations would benefit from more certainty about how the law will be applied to novel issues that AI will present. Those include: 

  1. How liability will be apportioned between developers, deployers, and users.

  2. Intent as it relates to agentic AI and multi-agent operations. 

  3. Intellectual property and copyright in model training and outputs.

  4. Algorithmic discrimination and bias in decision-making.

David: But corporate America is not waiting for legislators or the courts to define the rules or clarify how liability will be apportioned for harms that may lie ahead. AI adoption continues to accelerate, and most companies appear to rate the cost of being left behind or missing out on AI-boosted efficiency gains as higher than the risks associated with legal uncertainty.

In terms of what the AI industry needs from government, I’d put continued access to resources high on that list, including significant capital investments, development of data centers, and production of the energy needed to power them.  Those investments and development are driven by the private sector, but continued public-private coordination can help facilitate them, particularly around infrastructure, permitting, energy, and deployment timelines.

Ongoing AI development and consumer adoption in the U.S. also would benefit from government establishing a level playing field with well-defined legal rights and obligations for developers, deployers, and users. In addition to the legal liability questions, it would be helpful for government to offer more guidance on a variety of unresolved AI safety issues, as well as proposals to address the job losses and economic changes that are projected to result from widespread AI adoption.  

The development and adoption of AI in the U.S. is competitive with, or ahead of, what is occurring internationally. The EU has adopted broader and more proscriptive requirements for AI developers and its use in a variety of applications, including healthcare, and when AI is integrated into machinery. Many of those rules do not go into effect until later in 2026 through 2028. Until they are implemented, it is difficult to judge the impact those rules will have and whether they have struck the right balance between support for innovation and addressing anticipated risks.

China has also created a highly supportive environment for AI development, with significant government backing and a clearly defined strategy aimed at positioning China as a global leader in AI. 

Separate from formal regulation, AI governance is particularly challenging because employees frequently access generative AI platforms through their personal accounts or devices, without their employer knowing what sensitive corporate information is being shared. Cybersecurity professionals refer to this as “shadow AI,” and it poses a variety of governance, compliance, and legal risks. I’ve seen estimates that more than 60% of employees have shared confidential corporate information in prompts to unapproved generative AI platforms.

Yvette: Governance over AI has been very complex for companies, with differences by country, and within the U.S., by state. The Trump administration has emphasized a more innovation-oriented approach, with a focus on U.S. competitiveness, reduced regulatory friction, and continued AI velocity. At the same time, recent developments involving frontier model safety, cybersecurity, and voluntary federal review for certain advanced models suggest the governance landscape is still shifting. What do you think companies still need from the current governance environment?

David: I agree that the Trump administration has focused its messaging on reducing obstacles and regulatory friction that could slow AI development and corporate adoption in the U.S.  The overall tone from the executive branch and federal regulators has been that governance is important, but innovation and competitiveness are essential.  If you consider government oversight as operating in tension between controlling risks and promoting economic growth, the federal government’s messaging has emphasized growth, competitiveness, innovation, and U.S. leadership, while continuing to recognize the importance of governance.

That approach has continued to evolve. Recent reporting indicates that a number of frontier AI model developers have signed agreements with the U.S. Commerce Department to allow the government to review their models for national security risks before commercial launch.  Those agreements have been described as comparable to earlier voluntary agreements with frontier model developers, later updated to reflect the current administration’s policy approach.  

It is still too soon to understand how pre-release review will affect the velocity and scope of AI development, or how effective it will be in addressing national security risks that AI platforms may pose. It is another example of how policymakers are trying to balance innovation, national security, cybersecurity, and responsible deployment.

For highly regulated industries, such as finance and healthcare, I think additional guidance would certainly be helpful so companies can proceed with confidence that they understand what their regulators expect. Ideally, as part of that process, agencies will adopt positions that persist across administrations. It is very challenging to make the kinds of investments required without durable guidance that companies can rely on over time. 

Yvette: What do you think is needed inside a company to ensure good AI governance? Please also discuss your thoughts on distributed vs centralized control. Are there best practices that you see from a board perspective as well?

David: From a governance perspective, I’ve seen a very broad range of approaches across companies and industries. Some have taken a very centralized, top-down approach, assigning responsibility to a specific committee of the board of directors and an individual executive leader, such as a Chief Technology Officer, or Chief AI Officer.  That approach can be very effective in developing a comprehensive understanding of all AI systems in use at the corporation, establishing controls around how corporate data is shared on AI platforms, and developing procedures for identifying and responding to AI risks and issues. But it can also slow adoption by creating a single channel for approvals, and it risks concentrating decision-making with leaders who may lack operational context for what corporate users and teams actually need.

Some companies have adopted a very different, distributed-control governance model, where AI implementation decisions are made at the business-unit or product-team level.  That can support faster adoption and iteration cycles, and a closer alignment between business needs and solutions. But it can also carry risks, including a less comprehensive corporate AI inventory, less ability to control for AI risks at the enterprise level, and duplication of efforts as multiple teams have to address the same governance challenges.  

Other companies are still in the early stages of defining their AI strategy and working through what governance controls are required and best serve the corporation’s requirements. For those entities, my advice is that there is no better time than today to begin developing and adopting an AI governance strategy.

Good governance starts with making decisions about why the company is employing AI, goals that AI can help accomplish, corporate risk tolerance, and available resources.  Companies should understand how their employees are using AI, what tools are being used, and what oversight and control the company has over that use. They should also define what types of AI use pose risks and consider policies or procedures to address those risks.  

Yvette: What do you think about consumer and corporate trust of AI? What needs to be done, and how does this relate to the discussion above?

David: AI developers in the U.S. have made significant inroads building trust with corporations and persuading them that the rewards of AI adoption outweigh the potential risks and uncertainty. I think, however, that developers still have significant work left to do with consumers.

There are a number of unresolved questions, including whether the benefits of AI will be widely distributed or accrue primarily to a small group of platforms and deployers, how employment will change in the U.S., and how AI will impact our ability to trust what we read, see, and hear.

This tension is unsurprising. Dating back to the Industrial Revolution, significant technological advances have led to job losses and, at times, dramatic social change.  Building trust will require an ongoing effort by AI developers, corporations, government, and social institutions to communicate how AI is benefiting individuals and communities, while also responding effectively to safety issues and disparate negative impacts when they emerge. 

Yvette: Thank you so much, David. It’s always great to work with and catch up. Any closing thoughts or final takeaways for readers?

David: Thanks as always, Yvette, I really enjoyed this. For your readers, it’s important to stay informed. The legal and compliance implications of AI are evolving rapidly and can emerge from a variety of sources, including 50 state legislatures, federal agencies, courts, and international regulatory bodies.  For companies, as AI becomes more important to their bottom line, they should also consider how that impacts their AI governance and compliance programs.

*McGuireWoods publishes an interactive map tracking state-level AI legislation: https://mcguirewoods.com/us-state-ai-legislation-financial/.

 

Image of the Moment

 
Portrait of Yvette Kanouff and David Hirsch
 
