8 TheSciTechLawyer SPRING 2025
AI Now Requires Its
Own Risk Management
Policies and Processes
By Charles Cresson Wood
A
more serious approach to risk
management is now prudent
for all those organizations
that are oering articial intelligence
(AI) foundation models, oering AI-
enhanced products and services, and/
or using these AI-enhanced products
and services to accomplish business
goals. Traditional approaches to IT risk
management in many cases do not work
with AI because AI is so dierent from
traditional IT systems. is article dis-
cusses some of those notable dierences
and the related new risks. It covers a
new and uniquely AI-related regulatory
remedy (algorithmic disgorgement).
e article furthermore walks through
a few examples of recent legislation,
as well as several recent high-visibility
AI-related court cases and regulatory
actions. ese AI-related legal devel-
opments emphasize that the AI risk
management area is getting a lot of regu-
latory and legislative scrutiny these days.
Additionally provided is a brief outline
recommending the way forward, in
terms of determining what an appro-
priate and customized more serious AI
risk management approach should be
at a particular rm.
WHY AI CANNOT EMPLOY
TRADITIONAL IT RISK
MANAGEMENT APPROACHES
In an eort to contain costs, many man-
agers and executives have erroneously
believed that the same approach to
traditional IT risk management is appli-
cable to AI risk management. While
certain things—such as governance-
risk-and-compliance (GRC) systems
(centralized systems to track enterprise-
wide risks and the related governance,
risk management, and legal compliance
eorts)—can work for both domains,
there are other controls that will only
work for one of these two domains. For
example, the traditional systems devel-
opment life cycle (SDLC), with testing
and release at the end of the process, will
not work for AI systems, unless those
AI systems are locked down until the
next ocial update (an approach used
for certain medical devices but other-
wise rarely encountered). Instead, an
AI life cycle is needed that embraces
Illustration by CoreDesignKEY via Getty Images
Published in The SciTech Lawyer, Volume 21, Number 3, Spring 2025 © 2025 American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof
may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
