When Tech Leads and Legal Follows: How to Close the AI Governance Gap
By Sasha A. Carbone
April 27, 2026
Sasha A. Carbone is Senior Vice President, General Counsel, and Assistant Corporate Secretary at the American Arbitration Association (AAA), the world’s leading provider of dispute resolution services. Carbone oversees AAA’s legal, AI governance, corporate governance, inclusion, and enterprise risk management functions. She advises on the ethical, legal, and operational risks associated with emerging technologies, data privacy, and cybersecurity.
Published in Today's General Counsel, May/June 2026
AI governance frameworks are becoming standard across enterprises. Effective implementation is not.
The American Arbitration Association (AAA) recently conducted a national survey of general counsel, technology leaders, and C-suite executives about risk-based governance and human accountability. Its preliminary findings offer an early look at how organizations structure their oversight of artificial intelligence (AI) systems. Concerningly, legal teams appear to be less involved in the decision-making process than their counterparts on the technology side.
Out of 262 senior leader respondents in the United States and Canada, 85% report that their organization has at least some form of AI governance framework in place. On its surface, this suggests meaningful institutional progress. Yet only 15% say those structures and processes work effectively in practice. More than half of respondents (61%) describe execution as inconsistent, and nearly one-quarter acknowledge a significant gap between formal policies and operational reality.
These findings reflect the first half of survey responses collected during the study. The full AI Governance Survey Report, including deeper analysis and findings from the complete respondent group, will be available in mid-May.
Why there is an AI governance gap
The fractured decision-making structure on AI deployment makes for uneven execution. A majority of respondents (57%) report that the chief technology officer or chief information officer holds final decision-making authority over new AI systems, while only 5% report that the chief legal officer holds final authority. IT functions contribute to governance decisions in 91% of organizations, but legal or compliance teams are involved in just 29%.
This inconsistent involvement of the legal team has big implications. AI deployment decisions increasingly impact privacy, regulatory, contractual, and reputational risk. When technical leaders approve systems independently of legal teams, responsibility for risk, compliance, and operational decision making can quickly become misaligned.
Collaboration is key
Encouragingly, respondents identify cross-functional collaboration as the defining characteristic of effective governance programs. Strong collaboration among legal, technical, and business teams was the most-cited differentiator between organizations that manage AI governance effectively and those that struggle, named in the top three by 69% of respondents. Executive sponsorship and clearly defined governance roles follow closely behind.
Governance effectiveness depends less on documentation and more on coordinated, integrated decision making. Where legal, technology, and business leaders operate in alignment, governance frameworks are more likely to function as intended. Where authority and accountability diverge, execution gaps persist.
What to do next
The survey results suggest several areas for general counsel and legal operations leaders to prioritize when evaluating their governance posture:
- Examine how deployment authority is structured and whether legal perspectives are incorporated before final approval decisions are made.
- Align accountability with influence. If legal teams bear accountability for regulatory and litigation exposure, governance structures should reflect that responsibility.
- Formalize cross-functional engagement so that legal, technical, and business leaders are integrated early in the lifecycle of AI initiatives.
- Evaluate execution consistency across business units to determine whether governance principles are being applied uniformly.
More specifically, legal teams can take the following practical steps:
- Map AI decision authority. Identify who currently approves AI deployments in your organization and whether legal is consulted before those approvals occur. If legal is absent from the approval chain, flag this as a governance gap.
- Catalog active AI tools. Ask IT for a current list of AI systems in use or under development across the organization. Determine which ones may raise privacy, regulatory, contractual, or reputational risk concerns.
- Conduct an AI governance health check. Inventory AI policies, controls and oversight mechanisms, and identify any governance deficiencies.
- Review one recent AI deployment. Examine the most recent AI system implemented in your organization and trace how the decision to implement it was made. Was legal consulted? Were risk assessments performed? This quick audit can reveal structural weaknesses in governance processes.
- Establish a standing cross-functional committee. If one does not already exist, propose a recurring AI governance committee with representatives from legal, IT, risk, and relevant business units to oversee AI governance across the organization.
- Define escalation triggers. Work with technology leaders to identify AI use cases that should automatically trigger legal review, such as systems that process personal data, make automated decisions, or interact directly with customers.
The AAA’s approach to AI governance
AI governance functions as an operational discipline embedded in system design, deployment, and oversight, rather than a policy layer applied after the fact.
Our enterprise-wide governance program is led by a cross-functional AI governance committee composed of representatives from legal, engineering, risk, compliance, and key business units. We designed this structure to ensure that technical authority and legal accountability remain coordinated from the outset.
We align our practices with the National Institute of Standards and Technology (NIST) AI Risk Management Framework by embedding governance across the entire AI lifecycle—from ideation through deployment and ongoing monitoring.
Our team formally registers and classifies all AI use cases through standardized risk assessments. These risk ratings dictate approval thresholds, required controls, and monitoring rigor. To maintain transparency and executive visibility, we integrate oversight and escalation pathways directly into our enterprise risk management channels.
The objective is not to slow innovation, but to structure it responsibly. By aligning decision rights, risk ownership, and oversight mechanisms, governance becomes part of how AI systems are built and managed.
Organizations that align structure with execution, and authority with accountability, will be best positioned to navigate the next phase of AI adoption responsibly.