May 18,2026

Roles and Responsibilities: Threshold Questions in Enterprise AI Adoption

As companies rapidly move artificial intelligence out of the pilot sandbox and into their ordinary operating architecture, boards and executives must confront new questions about the roles AI may assume in corporate processes that long have depended on human judgment, deliberative documentation, and clear lines of authority and accountability. These traditionally human roles, which implicate how corporations create, protect, and take responsibility for their information, are now being presented to companies bedecked in AI raiments: AI that takes notes; AI that synthesizes internal work product; AI that triages HR or compliance matters; AI that monitors internal controls; and even AI that communicates with customers, counterparties, and employees as an executive’s ‘digital twin.’

Much has been written about the imperative to pressure-test the utility, security, and accuracy of AI tools. But profound uncertainty remains about the roles and responsibilities to be assigned when AI becomes part of ordinary corporate workflows previously performed, decided, or articulated by humans. How does the insertion of AI affect the legal and institutional character of the information created, recorded, or authorized by the corporation? Companies must consider whether the deployment of AI affects: the protection of information as privileged or even confidential; the creation and use of records; and the attribution and accountability attached to such information. The purpose of this memorandum is not to resolve these questions; they are not susceptible to a single ‘right’ answer across companies and circumstances. Instead, this memorandum spotlights for executives and boards involved in the next phase of enterprise AI adoption four threshold considerations:

• What role is AI being asked to play? The controls a company may wish to impose on a specific AI tool will vary based on the functions involved. The suite of “assistant” tools that AI chatbots provide individuals differs from AI used as a record-maker, analyst, work-product engine, compliance or HR process operator, or proxy for an internal manager or outward-facing representative. As companies seize opportunities to embed AI in diverse daily operations, the implications should be considered accordingly: summarizing emails or documents raises different issues from generating meeting notes, transcripts, or action items, and different issues still from deploying AI in customer-service bots, investor-relations tools, or management avatars. Companies should define where in that spectrum a particular AI deployment falls.

• Does this use of AI affect the protection of corporate information? Courts are just beginning to address how the use of AI may affect privilege, work-product, or confidentiality. And even these early decisions have addressed highly fact-specific circumstances, turning on considerations such as whether the tool is public or enterprise-grade, whether inputs/outputs are used for training, and whether legal counsel directed the use. But it is already clear that choices about confidentiality and access, the legal or business purpose of an AI engagement, the public or enterprise character of an AI tool, and the scale of retained data all may bear on whether confidentiality, privilege, or work-product protections apply when AI is inserted into traditionally human workflows. For example, the prospects of maintaining those protections may be affected by whether AI prompts and their source material or AI outputs like transcripts (or vendor logs) are retained, used to ‘train’ a model, accessible broadly to personnel, or implicate legal advice or work product. That can be especially consequential in providing legal advice, conducting investigations, preparing board materials, and working with regulated or other sensitive information.

• Does this use of AI affect the creation and use of corporate records? The efficiency of automating tasks like notetaking, transcribing, or summarizing a meeting, or even generating ‘boilerplate’ company work product, may seem tantalizing. But AI tools may also compress nuance or attribute statements imprecisely. And at scale, such AI can convert formerly transient or context-specific practices into persistent, searchable, and replicable documents that may be treated as ‘records’ by others. A meeting once memorialized only in approved minutes may now generate a transcript, draft summary, prompt history, action list, metadata trail, and revised versions — all of which may be newly sought in discovery or considered by courts in assessing competing narratives or even healthy internal deliberations across a company’s information channels. In assessing the value proposition of such automation, companies should carefully consider what information is created by the AI tool; how it is retained, quality-controlled, relied upon, and treated as an official company record; and who is responsible for that purported memorialization’s accuracy and completeness.

• Does this use of AI affect attribution and accountability, both within and outside the company? An AI tool is an instrument, not a decision-maker — but it is an instrument that can speak, decide, or act in ways once reserved for humans. That capability bears the attendant urgency to establish clear lines of human responsibility for the result. Who is speaking or deciding, who may rely on it, and who is responsible for correcting and explaining it? Customers, employees, regulators, counterparties, and courts may not be privy to, or care about, whether a particular statement or decision was machine-generated. For example, in weighing the efficiencies of deploying an executive’s digital twin throughout the enterprise, leadership must consider the range of implications for the corporation’s potential liability exposure, its confidentiality, privilege, and work-product protections, and here again potential record creation. Clear labels to distinguish draft or nonauthoritative statements from official corporate representations might help, but for any particular AI tool it is also important to identify, in advance, specific human responsibility for monitoring, correcting, escalating, and incident response.

In confronting these considerations, a word specific to boards of directors is in order. As we have advised, directors themselves need not necessarily develop individual expertise or approve every AI tool, but boards should maintain clear visibility into the core technological tools in use by their company and its competitors, the critical workflows that could be materially affected by technology, and the management processes for reporting, escalation, and control. In carrying out this oversight charge, directors are entitled to rely on appropriate repositories of such information in management and qualified experts.

* * *

As companies move from assessing whether to use AI to deciding how to deploy it, the integration of this technology into core corporate functions demands tailored consideration of these critical questions. AI tools offer companies efficiencies and opportunities, but may also reshape the legal calculus of information protection, record creation, and accountability for statements or decisions of the company and its leadership. The first step toward wisdom in this nascent landscape involves each corporation’s deliberate consideration of the roles and responsibilities implicated when enterprise AI takes its place in workflows that have always depended on human judgment.