AI Oversight: New Lawsuit Puts Boards on the Hook for Unauthorized Practice of Regulated Work
A groundbreaking lawsuit against OpenAI for the unauthorized practice of law highlights a critical shift in AI risk: liability now extends to third parties, not just direct users. This case underscores that boards are already accountable for AI governance, even without specific regulations, as AI systems increasingly perform functions traditionally reserved for licensed professionals. Internal audit and assurance professionals must recognize this expanded risk landscape and ensure their organizations have robust AI governance frameworks in place to protect against legal, financial, and reputational damage.
The Shifting Landscape of AI Liability
A recent lawsuit against OpenAI by Nippon Life Insurance Company of America marks a significant turning point in AI liability. Unlike previous cases focusing on AI-generated falsehoods or data breaches, this suit alleges the unauthorized practice of law. ChatGPT, an AI system, allegedly provided legal advice and drafted legal documents for a user, leading to substantial costs for Nippon Life. This case is pivotal because the plaintiff, Nippon Life, was a third party not directly using the AI, demonstrating that AI risk is no longer confined to the immediate user but extends to anyone impacted by its actions. This broadens the scope of potential plaintiffs and necessitates a re-evaluation of AI governance strategies.
Beyond Disclaimers: The Inadequacy of Current Controls
Many organizations rely on disclaimers and usage restrictions to mitigate AI risks. However, the Nippon Life lawsuit challenges the effectiveness of these measures. If an AI system is optimized to perform functions that its terms of service explicitly warn against, the disclaimer may not offer protection; instead, it could serve as evidence that the company was aware of the potential for misuse. This highlights a critical gap in current AI governance: the disconnect between stated policies and the actual capabilities and deployment of AI systems. Internal audit must scrutinize whether internal controls genuinely prevent AI from operating in regulated domains, rather than merely relying on policy statements.
The Board's Evolving Responsibility for AI Governance
The lawsuit underscores that AI is no longer merely a technology issue but a fundamental governance challenge. Boards are increasingly expected to demonstrate clear oversight of AI, including defining AI, assigning board-level responsibility, and distinguishing between internal and customer-facing AI uses. The insurance market is already reflecting this shift, with D&O policies introducing exclusions or higher premiums for AI-related claims. This indicates that the market perceives AI risk as a material concern, irrespective of formal regulations. Internal audit professionals should assess their organization's AI governance maturity, ensuring that accountability is clearly defined, boundaries are established, systems are accurately classified (e.g., read-only, recommend-and-confirm, autonomous), and robust incident response plans are in place.
Proactive Measures for Internal Audit
Given the accelerating enforcement landscape, internal audit must proactively address AI risks. This involves asking critical questions:
- Who is the named individual accountable for each customer-facing AI system?
- Are the actual boundaries of AI system capabilities clearly defined and enforced, beyond mere principles?
- Have AI systems been accurately classified by their mode of operation (e.g., Mode 1: read-only, Mode 2: recommend-and-confirm, Mode 3: autonomous), and does governance align with these classifications?
- What is the clear process for identifying, alerting, and responding when an AI system malfunctions or operates outside its intended scope?
The absence of a single federal AI rule does not equate to a lack of enforcement; rather, it signifies a fragmented and unpredictable regulatory environment where federal agencies, state attorneys general, and private plaintiffs are actively testing new legal theories. Internal audit's role is crucial in ensuring that the organization's AI oversight would withstand scrutiny from regulators, plaintiffs, and insurers, demonstrating that the board has taken concrete steps to manage this evolving risk.
Read more