AI adoption has crossed a threshold. According to the FTI Consulting/Relativity General Counsel Report 2026, 87% of General Counsel now use generative AI, up from 44% the year before. Legal and compliance teams are no longer debating whether to adopt AI. They are working out how to do it responsibly, and how to stay ahead of a regulatory environment that is moving fast.
In this interview, we spoke with Marie-Claire Jacob, Head of Legal and Data Protection Officer at DiliTrust, to get her perspective on AI’s real value, the risks that matter most, and what the evolving regulatory landscape means for organizations today.
QUESTION: What are your current thoughts on the role of artificial intelligence?
Artificial intelligence is currently the spark of many debates, whether for or against, particularly in the legal context. Personally, I often use artificial intelligence in my everyday work, and have recently discovered new gen AI tools that positively impact the way I work. I’m impressed by the level to which these tools can improve my writing; even though I’m bilingual I have learned some new words thanks to these tools.
I believe there is a real added value to using such tools and this bears witness to the transforming power it will have on our society and our work habits in numerous fields. However, this goes without saying that there are certain limits and risks to this, especially with genAI tools.
This could also interest you: Ensuring Sustainability in the Age of AI
QUESTION: Talking about risk, what are your concerns exactly?
There are some legal and ethical risks that need to be studied as well as guidelines set for use. While I appreciate the enthusiasm surrounding artificial intelligence, I believe that implementing regulations is crucial to mitigating its potential adverse effects on our societies. I’d like to draw a comparison with the cloud when it first emerged — it raised initial concern but has now become indispensable.
I believe we need to approach the issue in a way that allows us to understand how it works. AI functions by simulating human intelligence, acting as a computational brain that learns from, and analyzes copious amounts of data. But the collection, quantity and origin of these data raise privacy, consent and liability issues. The use of personal data raises concerns under regulations like GDPR, as models trained on web data may inadvertently include sensitive information. This is why there needs to be careful consideration of the legal frameworks around it, as this kind of innovation can clash with fundamental privacy principles.
QUESTION: Could you give us an insight as to how artificial intelligence is currently regulated, or will be regulated in the future?
The regulation of AI is an ongoing topic with various initiatives aiming to address its ethical and legal implications. There’s a division within the tech community regarding regulatory approaches, with academia emphasizing ethical considerations and industry players outlining principles of responsible AI.
International efforts, like the 2018 Declaration of Montreal and initiatives by organizations like UNESCO, reflect a global consensus for those needs. The EU’s AI Act is a pioneering step in regulating AI, as it classifies AI applications based on their risk levels and ensures compliance with fundamental values.
While some criticize these regulations, they help set a precedent and elevate standards, as was seen before with GDPR. Transparency and accountability in AI models do pose some challenges regarding trade secrets and competitive advantage. However, viewing legal compliance as a business advantage can foster trust among clients and set new global standards.
The EU AI Act: where things stand today
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. It is the world’s first comprehensive legal framework on AI, and its obligations are now actively in effect. Implementation follows a phased schedule:
| Milestone | Date |
|---|---|
| Act enters into force | 1 August 2024 |
| Prohibited AI practices apply | 2 February 2025 |
| General Purpose AI (GPAI) model obligations apply | 2 August 2025 |
| High-risk AI system obligations apply | 2 August 2026 |
| Remaining high-risk systems (Annex I) | 2 August 2027 |
As of mid-2026, organizations should already have addressed prohibited practices and GPAI compliance. High-risk system obligations are the immediate priority for most businesses.
How the AI Act classifies AI systems
The Act uses a four-tier risk framework. Which tier your AI tools fall into determines what compliance obligations apply.
| Risk tier | Examples | What it means |
|---|---|---|
| Unacceptable (prohibited) | Social scoring by governments, subliminal manipulation, real-time public biometric surveillance | Banned outright since February 2025 |
| High risk | CV screening, AI in critical infrastructure, law enforcement, credit scoring, migration management | Strict requirements: risk management, data governance, human oversight, transparency, audit logging |
| Limited risk | Chatbots, deepfakes, emotion recognition tools | Transparency only: users must be told they are interacting with AI |
| Minimal/no risk | Spam filters, AI in video games, basic recommendation tools | No specific obligations |
A global picture
The EU AI Act is the strictest framework in force, but it is not the only one organizations need to track:
- United States: No single federal AI law. Executive Order 14179 (2025) took a deregulatory federal stance, but California, Colorado, and Texas have each passed AI legislation. Sector regulators (SEC, FDA, FTC) continue to enforce sector-specific AI standards.
- United Kingdom: A principles-based, pro-innovation approach. Existing regulators apply AI guidance within their sectors. A formal AI Bill is expected but not yet law.
- China: Specific regulations cover algorithms (2022), deepfakes (2022), and generative AI (2023), with strong state oversight and data localization requirements.
For any organization with EU operations or EU users, the AI Act sets the compliance floor, regardless of where the organization is headquartered.
QUESTION: What are, according to you, the key considerations when working with AI?
When working with AI, it’s crucial to prioritize trust and compliance. This involves defining clear use cases, ensuring privacy by design, and conducting thorough data protection assessments. Furthermore, addressing biases through fine-tuning and maintaining the ability to evolve in changing regulatory landscapes are crucial.
Collaborating with legal and data protection experts from the project’s outset adds value, ensuring compliance and minimizing risks. Ultimately, viewing legal compliance as a business partnership enhances project success and fosters a competitive edge in the evolving AI landscape.
Read also: Understanding the Digital Operational Resilience Act
What legal and compliance teams should do now
Marie-Claire’s guidance translates into a practical checklist for any organization currently deploying or evaluating AI:
- Audit your AI inventory. Map all AI tools in use. Classify each against the EU AI Act’s risk tiers before regulators ask.
- Run a DPIA for any AI processing personal data. A Data Protection Impact Assessment is required under GDPR and is the natural starting point for AI compliance.
- Apply privacy by design from the start. Retrofitting compliance is significantly more costly than building it in from the design phase.
- Document use cases and decision logic. Transparency obligations require you to explain how AI systems work and what data they use.
- Maintain human oversight for high-stakes decisions. Where AI informs employment, credit, legal, or healthcare outcomes, a human must remain accountable for the final call.
- Involve legal and data protection teams early. Bringing them in after a system is live limits options and raises remediation costs.
Lini, DiliTrust’s AI engine, was built with these principles in place. It operates within the client’s own data environment on sovereign servers, does not train on client data, and generates a full audit trail for every action. The DiliTrust Governance Suite applies the same security standards across all five modules: Board Portal, Contract Management, Entity Management, Matter Management, and Dataroom.
FAQ: AI ethics and regulation
The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive legal framework on AI. It entered into force on 1 August 2024. Prohibited practices applied from February 2025. GPAI model obligations applied from August 2025. High-risk system requirements apply from August 2026.
The Act prohibits AI that poses unacceptable risk. This includes government-operated social scoring systems, AI that manipulates people through subliminal techniques, and most real-time biometric surveillance in public spaces. These bans have been in effect since February 2025.
Both apply when AI processes personal data, and they are complementary. GDPR governs data collection, consent, and individual rights. The AI Act governs system design, risk management, and human oversight. A Data Protection Impact Assessment is the right starting point for compliance with both.
Yes. If an AI system affects people in the EU, the Act applies regardless of where the organization is based. This mirrors GDPR’s territorial scope. Non-EU providers offering AI tools to EU users are covered.
Disclaimer: The views and opinions expressed in this interview are those of the individual interviewee, Marie-Claire Jacob, and do not necessarily reflect the official stance or viewpoints of DiliTrust. While Marie-Claire Jacob holds the position of Head of Legal and Data Protection Officer within our organization, the perspectives shared in this interview represent her personal viewpoints and professional expertise. DiliTrust does not endorse or validate the opinions expressed herein, and readers are encouraged to interpret the content within the context of individual perspectives.

