Legal AI Governance and Compliance Briefing

Session 1.

The 2026 regulatory map. EU AI Act (August 2 deadline, Annex III high-risk classification for legal use, Article 4 AI literacy, conformity assessments, technical documentation, human oversight, FRIA where applicable). Colorado AI Act (June 2026). Illinois AI Employment Law (January 2026). California ADMT regulations. The ABA position (Formal Opinion 512, July 2024). State bar opinions in major US jurisdictions. Court standing orders requiring AI disclosure. The trajectory of sanctions: Mata, Bednar, Ayinde, Johnson v Dunn, and what they share.

Session 2.

Risk classification of current AI use. The three-question test for any tool: what data does it process, what decisions does it influence, who relies on its output. Mapping current firm or company tools against the EU AI Act risk tiers. Identifying any tools that are de facto high-risk. Exercise: leader maps their own current use against the risk framework.

Session 3.

The governance policy. What goes in, what stays out. Mandatory: written verification protocol, two-person review on filings, AI use log, vendor due diligence file. Recommended: training matrix (associates 8 to 12 hours, partners 4 hours, paralegals 6 hours), client disclosure language, scheduled policy review. Restricted: free-tier general AI on confidential matters, AI-generated content without verification, autonomous AI use without supervision. Exercise: leader drafts their own three-column policy.

Session 4.

Vendor due diligence. ZDR is the floor, not the ceiling. SOC 2 Type II. GDPR or PIPEDA compliance for data residency. Sub-processor disclosure. Training-data treatment. EU AI Act provider obligations versus deployer obligations (Article 6, Annex III). What changes August 2026 for deployers, regardless of where the firm is based. Exercise: leader runs the due diligence checklist against one current vendor.