By: Natalie Johnson
Most enterprise leaders know AI introduces risk. Fewer understand that risk is something you can assess, price, and decide on. Liability is something that has already materialized. Ungoverned AI quietly manufactures liability at machine speed, long before exposure becomes visible.
T'Juana Albert, who leads AI implementation at GumGum with 25 years of legal experience spanning compliance, IT, audit, and procurement, has spent her career at exactly this intersection. Her warning to enterprise leaders is precise. "Ask not what AI tools have been approved," Albert urges, "but what tools are already deployed across your teams. The gap between those two answers is where the liability lives."
Governance Belongs at the Front End, Not the Back
The standard enterprise approach to AI adoption follows a predictable sequence. Strategy teams identify a use case, move to pilot, and bring in legal and compliance at the point of scale. By that stage, the architecture is already mobilized, and vendor contracts are already signed. Governance input at that moment feels like an obstruction, and it creates exactly the adversarial dynamic between legal, compliance, and the business that makes future governance harder to implement.
At GumGum, Albert embedded governance at the very beginning of the use case identification process. The result was adoption with significantly more freedom to grow, because the constraints were understood and addressed before they became blockers. "Building them together empowers legal and compliance to be part of the conversation early," she explains, "so adoption has a lot more free rein to really grow." The cross-functional governance model she built is not a policy document owned by one department. It is a shared framework that brings all impacted parties into the same conversation. None of these functions sees the full picture in isolation. Together, they can ask whether a specific risk can be mitigated through a governance structure while preserving business capability.
Agentic AI Changes the Liability Equation Entirely
Most enterprise governance frameworks being built today were designed with a passive AI model in mind. A human makes a request, AI responds, and a human reviews. Agentic AI dismantles that model. The agent initiates, executes, and completes tasks across multiple systems before a human sees the output, if they see it at all.
Albert identifies three ways this shifts the liability equation. Accountability becomes ambiguous when an AI agent books a contract, modifies a record, or triggers a payment with no clear human authorization. The blast radius of any error is significantly larger because agents operate across multiple integrated systems simultaneously. And audit trails become far more complex to maintain when actions are taken by a non-human entity across integrated systems. Her governance response is not to ban agentic AI; it is to treat its deployment with the same rigor as a software release.
"Define the scope, build rollback capability, log every step, and include a mandatory human review element," she insists. AI hallucinates. It sometimes tells users what they want to hear rather than what is accurate. Full delegation without human oversight is not a governance posture. It is an abdication of one.
Three Governance Priorities Before Regulation Makes the Choice For You
Albert's framework for what enterprise leaders must embed immediately centers on three non-negotiables:
1. Data lineage and documentation. Emerging regulations, including the EU AI Act and US state-level frameworks, will require companies to demonstrate what data trained or informed an AI output, where it originated, and whether consent was obtained. Most enterprises cannot currently answer these questions. Building the documentation infrastructure now is not compliance preparation. It is the foundation that makes compliance possible.
2. Human-in-the-loop thresholds. AI can assist, but humans must remain accountable for decisions. In hiring, credit, healthcare, and legal matters, organizations must define in writing which decisions require substantive human review.
3. Vendor governance. GumGum requires every AI tool requester to submit an intake form that captures what data will be accessed, who the project lead is, which systems the tool will interact with, and the intended output. Free-version AI tools receive particular scrutiny; they typically do not allow users to modify the terms and conditions and offer users less control over data use and model training. GumGum prohibits their use for any company-related work entirely.
"You have less coverage and greater liability when you use free tools on behalf of a business," Albert notes, "and most companies are exposing themselves to this risk right now without realizing it." AI governance is not a legal function or a compliance function. It is a leadership function, and the organizations that treat it that way will be the ones that can actually demonstrate, when regulators ask, that they knew what their AI was doing and who was accountable for it.
Follow T'Juana Albert on LinkedIn for more insights on AI governance, enterprise compliance, and building cross-functional frameworks that protect business capability while managing liability.



