AI product risk is not only a policy problem
AI governance becomes useful when it is connected to the product record. A policy may say that a model is used only for assistance, but the legal question often turns on how the feature is implemented, what the user sees, what gets logged, what the vendor receives, and who can reconstruct the decision path later.
What to preserve
Teams should preserve prompts, system instructions, model versions, evaluation records, safety reviews, user disclosures, vendor terms, output handling rules and escalation paths. These are not only compliance artifacts. They can become evidence in a dispute, regulator inquiry, procurement review or investor diligence process.
What counsel should ask
- Is the model making, ranking, drafting or merely summarizing a decision?
- Are inputs or outputs stored, reused, transferred or used for training?
- Can the organization explain why a specific output was shown to a specific user?
- Do vendor terms match the operational reality of the integration?
The legal memo improves when the technical map is accurate. That is where AI risk work should begin.