Governance at the Intersection of Law and Technology: A Call to Action for General Counsels

In the spring of 2024, boardrooms across Europe prepared for a regulatory milestone. On 13 March the European Parliament approved the AI Act, the world’s first comprehensive, risk-based legal framework for artificial intelligence; the Council followed in May, and the Act entered into force in August 2024. After three years of debate, the regulation:
- Classifies AI applications by risk profile, from prohibited practices through high-risk systems to minimal-risk uses
- Imposes transparency and documentation obligations on high-risk and general-purpose systems
- Bans real-time remote biometric identification in publicly accessible spaces by law enforcement, except in narrowly defined cases such as preventing a specific terrorist threat, and only with prior authorisation
Breaches of the prohibitions carry fines of up to €35 million or 7 percent of global annual turnover, whichever is higher; lower tiers apply to other violations. Most obligations apply from August 2026, while the bans on prohibited practices have applied since February 2025. For general counsel, this is not a distant policy exercise but an urgent mandate to build future-proof governance structures today.
Yet AI is only one front in a broader conflict zone where technology and law collide. Over the past 18 months, four governance failures have crystallised the stakes:
Identity-Management Contracts Gone Wrong
In October 2023, Okta, a leading identity management provider, disclosed that an attacker had used stolen credentials to access its customer support case management system. From there the attacker downloaded HTTP Archive (HAR) files that customers had uploaded for troubleshooting; some of those files contained valid session tokens that could be replayed to hijack administrator sessions. Okta initially put the impact at about 1 percent of customers, but in November it reported that the attacker had also run a report listing the names and email addresses of essentially every user of its customer support system. That contact data is directly usable for targeted phishing, and any session token captured in an uploaded HAR file remains usable until it is revoked. Many customer contracts lacked explicit breach-notification deadlines or audit rights, forcing clients to negotiate emergency addenda and exposing them to regulatory fines.
Cyber-Disclosure Rules That Bite
The US Securities and Exchange Commission’s cybersecurity disclosure rules, in effect for most registrants since December 2023, require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that it is material. The clock starts at the materiality determination, not at discovery, and that determination must be made without unreasonable delay; the only permitted deferral is where the US Attorney General finds that disclosure would pose a substantial risk to national security or public safety. Early enforcement shows regulators are serious: companies have faced scrutiny for incomplete or delayed disclosures. Legal governance of incident response is now a boardroom imperative, not just an IT task.
EU AI Act Looming
In March 2024 the European Parliament adopted the text of the AI Act agreed with the Council in December 2023. The regulation requires providers and deployers of so-called “high-risk” AI to, among other things:
- Conduct fundamental rights impact assessments (for deployers that are public bodies or provide certain regulated services such as credit scoring and insurance)
- Document data governance, including the provenance of training, validation and testing data
- Build in human oversight, so that a person can monitor, intervene in or override the system
Although most high-risk obligations apply from August 2026 (the bans on prohibited practices have applied since February 2025), major firms have already restructured compliance functions in anticipation of record-setting penalties. For counsel the challenge is operational: embedding risk-classification processes and cross-functional governance committees now, before the obligations take effect.
Shareholder Transparency Under the Microscope
UK regulators have reported a significant increase in probes into tech-sector disclosures. This is not a technology failure per se: investigations into undisclosed beneficial ownership show how governance missteps in disclosure can trigger rapid enforcement. Boards and counsel must:
- Strengthen due diligence
- Enforce conflict-of-interest policies
- Fully map and report complex ownership structures
What This Means for General Counsels
These developments share a key lesson: yesterday’s governance playbooks are obsolete. The risk landscape is defined by fast regulatory shifts, emerging technologies with evolving legal contours, and a greater enforcement focus on transparency and process failures.
- Governance Is Now Real-Time
Contracts, policies, and playbooks must be living documents. Explicit breach-notification clauses, audit rights, and AI-specific data-retention rules need to be negotiated and enforced today, not after the next incident.
- Cross-Functional Alliances Are Essential
Legal cannot operate in isolation. General counsel must build integrated governance teams that link legal, compliance, IT security, and records management, with the remit to monitor AI deployments, vendor risks, cyber threats, and disclosure obligations.
- Board-Level Communication Must Be Business-First
Boards are clear that overly technical reports miss the mark. Counsel must translate granular legal and technology risks into quantifiable business impacts: potential fines, reputational damage, and the strategic priorities that should drive resource allocation.
- Agility Trumps Perfection
Waiting for final regulations or forensic-level incident analyses risks sanctions. Firms should adopt “good-enough” governance frameworks now and refine them over time, so that policy gaps do not become enforcement headlines.
General counsel face a convergence of AI regulation, cybersecurity disclosure demands, data breaches, and heightened scrutiny of shareholder disclosures. Only those who act proactively and build integrated governance strategies will protect their companies effectively: anticipate risks, establish resilient frameworks, and communicate legal challenges clearly in business terms. The time to act is now.