Managing Generative AI Legal Risks: A Seven-Question Playbook for GCs

Generative artificial intelligence (GenAI) has gone from a curiosity to a core business driver in less than two years. But with every new use case come generative AI legal risks — from AI “hallucinations” to accidentally sharing protected data. This seven-question playbook helps general counsel stay ahead of these risks and protect their companies from legal and reputational harm.

1. Where are we seeing real results, and what risks surfaced along the way?

Identify the most common GenAI use cases in your organization. Track both successes and challenges, such as accuracy gaps, security concerns, user skepticism, productivity declines, and what the Harvard Business Review recently labeled “workslop.” Document the corresponding legal risks. This process educates the enterprise and provides valuable insights to maximize return on investment (ROI). 

2. Is this the right solution for the task?

Not all GenAI tools are equal, and the vendor landscape is noisy. Distinguish between innovative solutions and those that simply repackage existing technology with an “AI” label. When evaluating GenAI tools, involve subject matter experts to ensure the solution meets both technical and business requirements.

To help evaluate a proposed GenAI tool’s fitness for an intended purpose, business sponsors should answer the following questions:

• What business problem does this tool solve?
• How does it improve current processes? 
• Is it tailored to our organization’s unique needs, or is it generic with limited customization? 
• How does it compare to alternatives in functionality, integration with existing systems and user experience? 
• What evidence/metrics demonstrate its effectiveness? 
• Is the model proprietary, licensed or open source? 
• What is the training data, and can our data—including our prompts—be used for further training? 
• What guardrails exist against hallucinations and bias? 

Clarify capabilities, request a pilot and scrutinize outputs to ensure the tool fits your needs. 

3. How usable—and lawful—is our data?

GenAI relies on clean, governed data. Before approval, the legal, information technology, information security and privacy teams should map data flows and confirm contractual, regulatory, and ethical permissions for each data element.

4. Do we have the right governance in place?

Effective GenAI governance requires collaboration among legal, IT, human resources, business leaders, and subject matter experts. GCs should champion the establishment of an AI steering committee to:

• Set policies on acceptable use, confidentiality and export controls.
• Maintain an inventory of approved and prohibited GenAI tools.
• Update incident response plans to address GenAI-specific risks such as data leaks, model failures, or publicized errors.
• Report regularly to executives on risk, ROI and AI maturity.

Vendor management and evolving legal requirements are also critical. When contracting with GenAI vendors, carefully address intellectual property and data ownership, indemnification and liability for output errors and IP infringement, audit rights, and model updates. Assign responsibility for monitoring and interpreting new AI regulations to ensure ongoing compliance.

5. How will we drive adoption and measure success?

Track adoption by monitoring seats purchased and active use tied to concrete outputs (e.g., contracts drafted, tickets closed). Share early success stories, especially from skeptics, to encourage responsible adoption. Leverage subject matter experts to lead training sessions, helping users understand how to work with GenAI tools safely and effectively. Create a process for users to report GenAI tool issues and share feedback, supporting continuous improvement.

6. How do we define ROI beyond financial gains?

Beyond traditional metrics (e.g., hours saved, error rates lowered), GenAI also produces softer benefits: reduced employee burnout, faster employee onboarding and higher customer satisfaction. Capture and present both financial and human capital metrics in terms that executives grasp: dollar equivalents, risk-adjusted savings, and competitive advantages like improved analysis or better work product. This enables leadership to make informed decisions about future investments and oversight.

7. What skills and mindsets do we need to cultivate next?

GenAI may automate certain tasks, so employees must learn to use these tools effectively. Demystify the technology by teaching users how to spot hallucinations, refine prompts and interpret outputs. Small, domain-specific language models — often more accurate and privacy-compliant than large public models — will further reduce risk, but only if employees know how to use them. 

Final thoughts

GenAI risks and opportunities will continue to evolve. Schedule regular reviews of policies, contracts and training to keep pace with new developments. Pilot GenAI tools under strict governance, starting with low-risk internal processes. Learn, then scale. By asking these seven questions, GCs position their organizations to harness GenAI’s benefits while minimizing legal and reputational risks—keeping their organizations ahead of the curve and out of the headlines.