By: Daniel Santos, Special Counsel

Two companies. Same AI tools. Same regulatory environment. Completely different risk profiles.

I’ve watched this unfold across healthcare and health tech organizations over the past year. From the outside, everything looks similar: same access to generative AI, same policies, same expectations. But inside the organization, the experience of AI risk feels completely opposite.

When AI Feels Dangerous

In one organization, AI feels dangerous:

• Employees experiment with tools no one has approved — the kind of behavior compliance training is meant to prevent, but rarely keeps pace with.
• Product teams build with “shadow AI” that legal learns about too late, often after a vendor contract has already been signed.
• Vendors can’t explain what data trained their models — a recurring red flag we see in third-party risk reviews.
• Leadership worries they’re one prompt away from a regulatory incident or a government investigation.

When AI Is Controlled and Predictable

In the other, AI is controlled and predictable:

• Teams know what tools they can use and how.
• Product development has clear guardrails, often shaped by HIPAA counsel and privacy review before launch.
• Vendors are vetted for data provenance through structured contract management processes.
• Issues get surfaced early before they become problems.

The difference isn’t who uses AI. It’s how AI accountability is structured.

The Ownership Gap

When AI risk starts to feel unmanageable, I see the same pattern:

• Policies exist, but no one owns keeping them current.
• Employees use AI tools, but no one owns monitoring how they are used.
• Product teams adopt models, but ownership of due diligence is unclear — a gap that’s especially costly in transactional and corporate contexts.
• Responsibility is shared broadly… which often means it’s owned by no one. We unpack this dynamic in The Fastest Way to Break Compliance? Make Everyone Responsible.

Contrast that with organizations where AI governance actually works. There is clear ownership across the AI lifecycle:

• Who approves AI tools for employee use and oversees enforcement.
• Who monitors regulatory changes and updates the policy.
• Who evaluates vendor models and their training data.
• Who interprets requirements when the business hits a gray area — often a role for a Fractional Chief Compliance Officer or Fractional General Counsel.
• Who ensures those decisions translate into product and operations.

Clarity as an Operating Model

This is where clarity becomes essential — not as a formality, but as an operating model. Because AI risk doesn’t break at the point of technology. It breaks in the gap between policy and behavior. And that gap is almost always an ownership problem — the same dynamic we see in healthcare investigations and FCPA matters, where the misconduct is rarely about the technology and almost always about who was supposed to be watching.

The New Board Question

Boards are now asking GCs a new question: “What’s our exposure to AI-driven misconduct?”

If you don’t define your AI posture, someone else will define it for you. For more on how legal teams are reframing these conversations, see Health Tech Founders Don’t Need More Legal Warnings — They Need Better Thinking and Navigating Regulatory Hurdles in the Health Tech Industry, or browse all Global Link Law Insights.

A Question for Your Team

How is AI accountability actually structured in your organization today?

If you want to talk through your AI governance or regulatory exposure with Daniel, the Global Link Law team offers a 30-minute discovery call — contact us to schedule. You can also explore our full Practice Areas or learn why companies choose Global Link Law.

This newsletter is for informational purposes only and does not constitute legal advice. Reading this post does not create an attorney-client relationship with the author or their firm. If you have questions about how these issues may affect your organization, you should consult qualified legal counsel.

The information provided on this website is for general informational purposes only and should not be considered legal advice. No attorney-client relationship is created by accessing or using this website. Please consult with a qualified attorney before making any legal decisions. Global Link Law is not liable for any reliance on the information provided. Prior results do not guarantee a similar outcome.