The European Union's AI Act has captured the attention of legal departments worldwide, but many US-listed companies may be making a critical mistake: treating its deferred implementation dates as a reason to postpone governance planning.
General counsel and chief legal officers should focus not on when the EU AI Act's requirements become enforceable, but on how long it will take their organizations to build the governance infrastructure needed to comply.
The answer is likely much longer than most companies expect.
Understanding the EU AI Act
The EU AI Act is the world's first comprehensive artificial intelligence law. Like the General Data Protection Regulation (GDPR), its reach extends beyond Europe and can apply to companies outside the European Union that place AI systems on the EU market or make them available to EU users.
The law takes a risk-based approach, categorizing AI systems according to their potential impact on individuals and society. Certain AI applications are prohibited outright, while ‘high-risk’ systems used in areas such as employment, education, healthcare, financial services and critical infrastructure face extensive governance, documentation, testing and oversight requirements. The Act also imposes transparency obligations on many general-purpose AI systems, requiring organizations to disclose when users are interacting with AI-generated content or AI systems.

In-house counsel’s role in EU AI Act compliance
For legal departments, the significance of the Act extends beyond compliance. It establishes a governance model that increasingly treats AI systems like regulated products, requiring organizations to demonstrate that risks have been assessed, controls have been implemented and ongoing oversight mechanisms are in place.
Compliance with the EU AI Act cannot be achieved by the legal department alone. For example, legal departments can help oversee risk assessments and draft required disclosures. However, product and technical teams will be responsible for documenting AI training data, testing system accuracy, monitoring outputs and identifying potential performance failures. In-house counsel cannot independently validate those requirements without close collaboration across the organization.
This is particularly important for companies developing or deploying AI systems that may be classified as high risk under the EU AI Act. Regulators are expected to examine not only how a system functions, but also how it is marketed, documented and contractually restricted. As a result, legal teams will increasingly be responsible for reviewing customer agreements, product documentation and marketing materials to ensure they align with the system's intended use.
The overlap between EU and US AI governance
The governance challenge becomes more urgent when viewed through a US lens.
Many organizations are waiting for greater clarity from European regulators before investing in governance programs. However, some US requirements are already moving forward. California's automated decision-making technology regulations create risk assessment obligations for certain AI systems used to make significant decisions affecting consumers and workers. Organizations using AI in areas such as employment, housing, healthcare, education or financial services may already need to begin building the documentation and assessment processes that will eventually support both California and EU compliance efforts.
From a governance perspective, the overlap is significant. Rather than creating separate frameworks for each jurisdiction, legal departments should be identifying opportunities to build a common foundation that can support multiple regulatory regimes.
Transparency requirements offer another example. The EU AI Act requires disclosures for certain general-purpose AI systems, including situations where users interact with AI-generated content. Similar concepts are emerging across US states, particularly for consumer-facing AI tools and companion chatbots.
This creates a layered governance challenge. Organizations need a broad framework that addresses enterprise-wide AI risk while also accounting for state-specific requirements that may influence product design and deployment decisions.
The companies best positioned for compliance will not be those waiting for regulatory certainty. They will be the organizations already bringing legal, product, security and compliance teams together to build repeatable governance processes now.
The EU AI Act may be European legislation, but for US-listed companies, its governance implications have already arrived.