Artificial Intelligence: Governance, Compliance and Legal Risk Management

Artificial intelligence is making inroads into the most sensitive business processes: recruitment, risk assessment, pricing, the customer journey, internal control and strategic decision-making. In this context, compliance with the AI Act is not just about complying with regulatory requirements, it is also a choice of governance that impacts reputation, business continuity and the ability to grow sustainably.

To align with the European Artificial Intelligence Act (Reg. EU 2024/1689), businesses are redefining how they design, procure and use AI systems.

Andersen partners with companies and international groups in building a practical, proportionate AI Governance & Compliance framework that can be integrated into existing processes. The goal is to support management in the responsible governance of AI, mitigating risk without slowing down innovation.

Our approach is business-driven: it starts with the actual use of AI systems within the company, identifies the most vulnerable areas and builds solutions that align with business goals, European regulatory requirements and industry best practices.

What we do: Our Artificial Intelligence services

  • First-level assessment of AI systems used within the company
  • Mapping of applicable obligations and high-risk use cases
  • Support in defining governance, policies and internal approval workflows
  • Review of contractual relationships with vendors, technology partners and outsourcers
  • Drafting of documentation, procedures and auditability controls
  • Assistance with AI literacy, training, remediation and risk management

The Value for the Business: Why Invest in Compliance

  • Reduce legal and reputational risk
  • Strengthen internal governance
  • Make decision-making processes more robust
  • Demonstrate reliability to stakeholders and the market
  • Innovate while structurally reducing legal, operational and reputational risks

Translating the AI Regulatory Framework into Operational Governance

The governance of AI goes beyond one-off compliance checks—it requires a continuous cycle of assessment, monitoring and review, documented and verifiable at every stage.

The applicable regulatory framework is multi-layered and includes, among others, the AI Act, GDPR, Italian legislation on artificial intelligence, Legislative Decree no. 231/2001, labour law, cybersecurity, intellectual property and contractual liability.

The AI Act introduces a risk-based model and imposes differentiated obligations depending on the company’s role and the type of AI system used, with particular emphasis on documentation, transparency, human oversight, data quality and auditability.

At the same time, GDPR continues to apply whenever AI systems involve the processing of personal data, while labour law, contractual, IP and 231 compliance matters require coordination with existing corporate safeguards.

Integrated Skills for AI Governance & Compliance

Andersen supports companies in establishing documented, sustainable AI Governance & Compliance frameworks that can be integrated into existing business processes.

The team integrates expertise in new technology law, compliance, data protection, risk management, contract law and intellectual property, with the objective of combining regulatory analysis, understanding of business processes and operational risk management.

Compliance with the AI Act

The team assists clients in mapping and classifying the AI systems they use, develop, procure, or integrate into their business processes, identifying the roles, responsibilities and obligations applicable under the AI Act.

Included in the scope are gap analysis, compliance assessments, compliance roadmaps, preparation of documentation frameworks and support in managing relationships with vendors, developers, integrators and AI solution providers.

AI Supplier Due Diligence

Andersen assists companies in conducting AI vendor assessments, with a particular focus on technical documentation, the allocation of responsibilities, risk levels, contractual guarantees and auditability controls.

This process translates technical information and provider documentation into clear assessments for management, as well as effective contractual mitigation clauses.

Policies, Procedures and Internal Controls

Andersen helps organizations develop AI governance frameworks that are proportionate to the size, sector and risk profile of their operations.

Our assistance includes the drafting of AI policies and procedures for the approval, use and monitoring of AI tools, criteria for reporting and managing key cases, information flows to corporate bodies and control functions, as well as AI literacy and training programs for the business units involved.

Where appropriate, the team supports the integration of AI risks into 231 models, internal control systems and risk management processes, including through the continuous updating of policies and procedures, the assessment of new use cases, the review of adopted safeguards and assistance in the event of regulatory inquiries, complaints, incidents or disputes.

Data, Contracts and Intellectual Property

The use of AI systems requires specific oversight regarding data governance, input data selection and the management of personal data protection profiles, cybersecurity, intellectual property, contractual liability and the protection of corporate know-how.

Andersen assists clients in managing datasets, information sources, prompts and corporate content, conducting GDPR assessments, reviewing contracts with vendors and developers, and analyzing rights related to inputs, outputs, models, software, generative content and confidential information.