Kevin Schwartz
Partner, Wachtell, Lipton, Rosen & Katz
Schwartz's memorandum was published May 25, 2026 through the Harvard Law School Forum on Corporate Governance. Wachtell Lipton advises boards and executives at large public companies on corporate governance, M&A, and institutional oversight. This post covers GAIG's analysis of the memorandum's governance implications.
For most of the past three years, the enterprise AI governance conversation has stayed at the model level. Organizations wanted to know whether AI was accurate, whether it created reputational risk, whether it introduced security exposure. Those questions got serious attention, and a whole category of vendors grew up around them. What the conversation mostly skipped was a different class of question entirely: what happens legally and institutionally when AI takes on roles that humans previously performed in corporate workflows, where the character of information created, protected, and acted upon has always carried legal significance?
Schwartz's memorandum, published through the Harvard Law School Forum on Corporate Governance, addresses that gap with unusual directness. His argument is that as AI moves from advisory tools into daily operating architecture, organizations face four threshold questions that traditional governance programs weren't designed to answer. Companies are deploying AI to take meeting notes, synthesize internal work product, triage compliance matters, communicate with customers as an executive's digital twin, and in some cases make decisions previously reserved for named humans. Each of those deployments raises questions about privilege, records, and accountability that most governance teams haven't formally worked through.
What makes this memo worth covering for GAIG's audience is the practical specificity behind each question. Schwartz writes from an M&A and corporate governance background at a firm that counsels boards on director oversight obligations. The frame throughout the memo is not theoretical risk management; it's the question a board will face when a regulator, a court, or an auditor asks the company to produce evidence of how AI was used in a particular workflow. The time to answer these questions is before that ask arrives.
CONDITIONS DRIVING THIS
The first phase of enterprise AI adoption was mostly advisory. AI tools suggested language, surfaced relevant documents, generated drafts for humans to review. In that configuration, the legal character of the information didn't change much: a human reviewed the AI output, decided what to do with it, and the decision trail stayed intact. The governance questions that mattered were about accuracy and bias, and they could largely be managed with policy documentation and periodic audits.
The second phase, which is where most large enterprises sit right now, looks different. AI is generating the official transcript of executive meetings. AI is conducting first-pass review in compliance investigations. AI is communicating with regulators, customers, and employees in the name of senior management. AI agents are executing financial processes and monitoring internal controls under service accounts with broad permissions. In each of those deployments, AI has moved from producing inputs for human decisions to participating in the workflows that create, protect, and act on information that carries legal significance on its own terms.
AI tools are generating content that qualifies as corporate records in regulated industries, often without organizations having decided how to treat it for retention and production purposes
Privileged workflows in legal, compliance, and board preparation now routinely involve AI tools whose enterprise isolation status, training data practices, and log retention behaviors most organizations haven't audited
Agentic deployments are acting on behalf of named executives and the organization itself without a defined human accountability structure that can answer "who was responsible for this" after the fact
Courts are beginning to rule on how AI insertion affects attorney-client privilege and work product doctrine, producing early case law that turns on configuration details most organizations haven't thought through
Regulators in financial services, healthcare, and securities markets are issuing guidance that makes AI accountability an examination-ready question, as NYDFS's May 21, 2026 advisory to regulated financial entities makes clear
Board oversight obligations around AI are drawing scrutiny from courts and regulators as AI-related harms surface in litigation, creating personal liability exposure for directors who delegated without visibility
Against that backdrop, the four threshold questions in Schwartz's memo are less a new framework and more a checklist for catching the governance work that the first phase of deployment left undone. Organizations that answer them before a production AI deployment goes live are in a materially different position than those that answer them after the first discovery request, privilege dispute, or regulatory examination.
THE FOUR THRESHOLD QUESTIONS
(What Boards and Executives Must Work Through Before AI Enters Core Workflows)
What Role Is AI Being Asked to Play?
Schwartz draws a spectrum from AI that assists individual users to AI that functions as an institutional actor. An AI chatbot that helps an employee draft emails is at one end. An AI deployed as a customer-service agent communicating on behalf of the company, or as a digital twin representing a senior executive in communications with employees and counterparties, is at the other. Between those poles sit AI tools that generate official meeting transcripts, conduct compliance or HR process reviews, monitor internal controls, and prepare board materials. Each position on that spectrum carries different implications for what controls are required, who holds oversight, and what the liability exposure is if something goes wrong.
The governance failure Schwartz identifies is that most organizations haven't formally defined where a specific AI deployment falls on that spectrum before they put it into production. A deployment treated as an individual productivity tool when it's actually functioning as an institutional actor carrying the company's authority is a governance gap with legal consequences. Defining the role before deployment isn't procedural hygiene; it's the decision that determines everything else about the governance architecture.
This is the sanctioned purpose problem. The production database deletion incidents GAIG documented in April 2026 all involved agents acting without defined authorization boundaries. A sanctioned purpose document written before deployment specifies what the agent can decide autonomously and at what threshold it requires human escalation. Without that document, the organization has delegated authority without defining its scope, and the question of who is responsible for what the agent does has no clean answer.
Does This Use of AI Affect the Protection of Corporate Information?
Courts are just beginning to address how AI's insertion into legal and business workflows affects attorney-client privilege and work product protection, and the early cases turn on details that most governance teams haven't reviewed. Whether the AI tool is public or enterprise-grade matters. Whether prompts and their source material are used to train the model matters. Whether legal counsel directed the use matters. Whether AI-generated transcripts and logs are retained, accessible to broad personnel, or reach a vendor's servers matters. In workflows involving legal advice, internal investigations, board materials, and regulated information, choices about these details may determine whether privilege holds when a regulator or court asks for the underlying materials.
The exposure is particularly acute for organizations using general-purpose AI tools in privileged workflows without having verified enterprise isolation from training pipelines. Schwartz puts it plainly: the prospects of maintaining privilege protections may be affected by whether AI prompts and their source material, or AI outputs like transcripts and vendor logs, are retained, used to train a model, or broadly accessible to personnel. Those aren't abstract concerns. They're the specific questions that will be litigated when an opposing party or regulator subpoenas AI-assisted legal work product.
The Claude Compliance API launch that GAIG covered in May 2026 addressed the access question, giving compliance teams programmatic visibility into conversation content for the first time. What it doesn't resolve are the policy-level decisions about what gets retained, what's isolated from training, and which workflows are enterprise-grade versus general-purpose. Those decisions have to be made before the tool enters a privileged workflow, and they have to be documented so the organization can demonstrate them under examination.
Does This Use of AI Affect the Creation and Use of Corporate Records?
The efficiency case for AI-assisted notetaking and meeting transcription is straightforward. Where the calculus gets complicated is what Schwartz calls the conversion of formerly transient practices into persistent, searchable, and replicable documents that others may treat as records. A meeting once preserved only in approved minutes may now produce a transcript, a draft summary, a prompt history, an action list, a metadata trail, and multiple revised versions. Courts and regulators may seek all of those in discovery or regulatory examination, and they may treat each as evidence bearing on what the company knew, decided, and authorized. The board deliberation that was once protected by a carefully managed minutes process now exists in several AI-generated forms whose status as official records hasn't been determined.
For organizations in regulated industries, this question carries mandatory compliance weight. Financial services firms, healthcare organizations, and public companies operate under specific record retention and production requirements. AI entering the workflows that generate content subject to those requirements means the organization is responsible for ensuring that AI-generated content either meets the applicable standards or is clearly designated as outside them. Getting that designation to hold under examination requires more than a policy statement; it requires that the retention architecture reflect the designation in practice.
The Ponemon 2026 research GAIG covered found that 63% of organizations have failed an audit because they couldn't produce clean access records for applications outside their identity governance programs. The Harvard framing points to a related failure: AI-generated content that becomes a de facto corporate record before the organization has decided what category it falls into and who's responsible for its accuracy. Both problems start with governance decisions deferred until after deployment makes them expensive to answer.
Does This Use of AI Affect Attribution and Accountability?
An AI tool is an instrument, not a decision-maker. Schwartz's point, which is more consequential than it sounds, is that it's an instrument that can speak, decide, and act in ways once reserved for humans, and customers, employees, regulators, counterparties, and courts may not know or care whether a particular statement or decision was machine-generated. In deploying an executive's digital twin to communicate throughout the enterprise, leadership has to reckon with D&O liability exposure, confidentiality and privilege implications, and the record creation questions from threshold three, all at the same time. Each of those runs upstream to the human who authorized the deployment and the organizational structure that permitted it to operate without defined accountability.
Schwartz's specific prescription is worth quoting directly: for any particular AI tool, it's important to identify in advance specific human responsibility for monitoring, correcting, escalating, and incident response. That assignment has to exist before the tool enters production. An accountability structure built after an incident is an explanation, not a governance program. The human who is nominally responsible for what an AI agent does, if no one can name them before the fact, is the organization itself, which is a materially worse position to be in when regulators and plaintiffs start asking questions.
This is the core of GAIG's accountability doctrine: a signal without a named owner is noise, and a policy that names no one is the same as no policy. The monitoring dashboard problem GAIG covered and the attribution problem Schwartz raises are the same structural failure. Organizations invest in governance infrastructure without building the human layer that makes the infrastructure function. The monitoring dashboard captures what happened. The attribution structure determines who was responsible for it. Without both, the governance program is incomplete by design.
"AI tools offer companies efficiencies and opportunities, but may also reshape the legal calculus of information protection, record creation, and accountability for statements or decisions of the company and its leadership."
Kevin Schwartz, Partner, Wachtell, Lipton, Rosen & Katz — Harvard Law School Forum on Corporate Governance, May 25, 2026
Four Pre-Deployment Requirements
That Change Based on Role, Industry, and Deployment Type
Schwartz closes the memo with a specific word for boards. Directors don't need individual AI expertise and don't need to approve every tool. What boards do need is clear visibility into the core technological tools in use, the critical workflows those tools affect, and the management processes for reporting, escalation, and control. The Wachtell Lipton director oversight guidance linked in the memorandum covers board-level AI oversight obligations in more detail and is worth reading alongside the memo itself.
For governance program managers and CISOs, the four questions translate into pre-deployment work that architecture-level governance has to complete before a production AI deployment goes live. The implications grid below maps each threshold question to the specific operational requirement it generates.
ON ROLE CLARITY
Define where the deployment falls on the spectrum from individual assistant to institutional actor before production. That definition sets which controls are required, who holds oversight responsibility, and what the escalation threshold is for consequential decisions.
ON PRIVILEGE & CONFIDENTIALITY
Audit whether the AI tool in question is enterprise-grade and isolated from training pipelines. Verify that prompts, outputs, and vendor logs involving privileged workflows aren't retained in configurations that create inadvertent waiver risk under the early case law now emerging.
ON CORPORATE RECORDS
Decide before deployment whether AI-generated content in regulated workflows qualifies as a corporate record, who is responsible for its accuracy and completeness, how it's retained and produced, and whether that treatment meets the standards applicable to the industry and workflow in question.
ON ATTRIBUTION & ACCOUNTABILITY
Name a specific human responsible for monitoring, correcting, escalating, and incident response for each consequential AI deployment before it goes live. That assignment is the governance control that makes every other element of the program function. Without it, the program has no closing mechanism when something goes wrong.
In agentic deployments, all four requirements become more urgent because the timeline between a governance failure and a material consequence is shorter. An AI agent executing financial processes or communicating with regulators on behalf of senior management compresses what would otherwise be a review cycle into autonomous action. The four questions Schwartz raises are a pre-failure signal framework for the legal and institutional layer, the checks that, if skipped, produce liabilities rather than incidents.
“The first step toward wisdom in this nascent landscape involves each corporation's deliberate consideration of the roles and responsibilities implicated when enterprise AI takes its place in workflows that have always depended on human judgment.”
Kevin Schwartz, Wachtell, Lipton, Rosen & Katz
Harvard Law School Forum on Corporate Governance
May 25, 2026
Our Take
Every question in the Schwartz memo exposes a specific gap between governance programs built on policy documentation and governance programs built on technical architecture. An organization can maintain a written policy stating that AI won't be used in privileged workflows without enterprise isolation. That policy doesn't prevent the waiver. An architecture that technically isolates the deployment does. The legal frame and the governance frame are describing the same missing layer from two different directions, and the legal consequences are what happens when the governance layer isn't there.
Role clarity doesn't come from a policy document that describes AI as an advisory tool. It comes from a sanctioned purpose document, written before deployment, that specifies the autonomous decision boundary at the action class level and names what requires human escalation. Record-keeping obligations don't get satisfied by a policy requiring that AI-generated content be reviewed for accuracy. They get satisfied by an architecture that captures what was generated, who reviewed it, what changed, and what became the official record, continuously and automatically, so the organization can produce that evidence when asked for it rather than assembling it manually under pressure.
The attribution and accountability question is where governance theater is most visible. Organizations running AI agents without naming specific humans responsible for monitoring, correcting, and escalating those agents are running programs that describe what agents should do without technically preventing what they shouldn't and without identifying who answers for the gap. That's the pattern GAIG documented in the production database deletion cases. What the Harvard memo adds is the downstream legal reality: when that accountability vacuum produces harm, the liability doesn't dissolve with the missing name. It finds the organization, the board, and the officers whose governance program failed to close the loop.
The platforms built to solve these specific problems at the architecture level, producing continuous audit evidence, enforcing sanctioned purpose, and maintaining human accountability for AI outputs, are in the GAIG marketplace categories below.