What are the governance considerations?

The CLO’s guide to Generative AI risks and opportunities

Despite only 17% of organizations having communicated clear AI policies to their employees, a recent survey of 2,000 American workers revealed that 16% of its respondents regularly use ChatGPT at work.1 However, banning the use of Generative AI (GenAI) is also problematic. Not only could organizations that avoid using GenAI fail to capture its potential benefits, but complete bans on GenAI may result in employees hiding their use (called shadow IT),2 which can also expose an organization to risk.3

Instead, organizations should consider the following:

Does my organization have a centralized AI governance function, task force, or center of excellence (COE) composed of a cross-functional team of experts to evaluate acceptable and unacceptable uses of Generative AI?

If yes:

Who are the members of the governance function that determine acceptable uses of GenAI?

AND

Does the governance function or COE outline:

  1. Low-risk uses versus high-risk uses?
    Low risk = Generally acceptable uses requiring little/no oversight
    High risk = Needs a higher, more intensive level of review

    OR
  2. That every decision is required to be evaluated by an AI task force/center of excellence/governing board?

If no:

What mechanism will be used to determine acceptable uses of GenAI?

Does my organization have a formal Generative AI policy?

If yes:

  • Is there a compliance framework in place to manage and provide guidance for acceptable uses?
  • Has the policy been communicated to business leaders?
  • Are the policy and compliance frameworks written in easy-to-understand terms?
  • Has the legal department or COE engaged in comprehensive training efforts to inform the enterprise how GenAI can and cannot be used?
  • Does the policy and/or compliance framework include consequences for violating the policy?

If no:

And no policy planned:

  • How can my organization mitigate risks for employees who are using GenAI?

And policy is planned:

  • Who should help develop the organization’s GenAI policy?
  • Should policies apply to the entire business or just key areas most likely to use GenAI?
  • How will the policy be communicated to the business?
  • Will the policy include consequences for violating the policy?

1 Chad Brooks, “With Little Employer Oversight, ChatGPT Usage Rates Rise Among American Workers,” Business.com, September 6, 2023.

2 Shadow IT refers to hardware, software, and services utilized outside an organization’s centralized IT department, sometimes without the knowledge or approval of the organization.

3 Steve Mollman, “Wharton professor says employees are hiding A.I. use – and potentially transformative productivity gains – from employers,” Fortune, June 18, 2023.

Get in touch

Lori Lorenzo

Chief Legal Officer Program Research and Insights Director
Managing Director | Deloitte Risk & Financial Advisory
Deloitte Transactions and Business Analytics LLP

lorilorenzo@deloitte.com

Erin Hess

Chief Legal Officer Program Research and Insights Manager
Manager | Deloitte Risk & Financial Advisory
Deloitte Transactions and Business Analytics LLP

erhess@deloitte.com

Jon Foster

Managing Director | Deloitte Risk & Financial Advisory
Deloitte Transactions and Business Analytics LLP

jonfoster@deloitte.com

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

As used in this document, “Deloitte” means Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services, and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting. Deloitte does not provide legal services and will not provide any legal advice or address any questions of law.

Copyright © 2023 Deloitte Development LLC. All rights reserved.
