Why Your Company's AI Governance Plan Might Not Be Enough (Yet)
Enterprise AI governance is shifting from optional best practice to a regulatory baseline that courts and enforcement agencies will use to judge whether your organization took reasonable care. A new ten-step framework from Fisher Phillips, published in September 2025, outlines the governance structures that US-based companies should implement to stay ahead of proliferating state AI laws and avoid enforcement action from the Federal Trade Commission (FTC).
What Are Regulators Actually Looking For in AI Governance?
The Fisher Phillips framework addresses a critical gap: most organizations lack formal governance committees, documented AI use-case policies, or vendor audit processes that can demonstrate reasonable care if challenged under emerging state AI statutes like Colorado's AI Act SB205 or the FTC's AI Enforcement Policy. The guide does not cite a single regulatory trigger but is designed to help organizations align with best practices that regulators and plaintiffs' counsel are increasingly using as a benchmark for adequate oversight.
The timing matters. The framework coincides with growing regulatory activity across multiple jurisdictions, including the Colorado AI Act SB205 and the NIST Artificial Intelligence Risk Management Framework Playbook, both of which share structural overlap with several of the guide's recommended steps. Compliance teams should monitor whether state legislatures in Texas, Colorado, and other active jurisdictions incorporate governance committee and vendor audit requirements as affirmative defenses or safe harbor conditions in forthcoming AI legislation, which would elevate the Fisher Phillips framework from best practice to legal baseline.
How to Build an AI Governance Program That Regulators Will Recognize
- Establish a Formal Governance Committee: Create a cross-functional AI governance committee with documented decision rights, membership, and escalation paths. Organizations lacking a formally chartered committee may struggle to demonstrate reasonable care if challenged under state AI statutes or bias-related claims before the FTC.
- Document Approved and Prohibited Use Cases: Map your current AI inventory against a defined use-case policy that explicitly classifies approved, restricted, and prohibited applications. Obtain sign-off from legal and compliance on that classification before deployment.
- Implement Bias Detection and Fairness Audits: Establish a periodic audit cadence for AI systems in production, specifying audit scope, frequency, responsible function, and documentation standards so results can be used to demonstrate ongoing due diligence.
- Conduct Vendor Due Diligence: Review all AI vendor contracts to confirm they include a clause requiring vendors to provide evidence of diverse and representative training datasets. The guide's vendor audit requirements operationalize a due diligence standard that compliance teams must now build into procurement contracts and third-party risk assessments.
- Mandate Annual Employee Training: Schedule annual AI governance training for employees that includes scenario-based content for high-risk use cases and generates completion records that can be produced in an audit. Annual employee training mandates set an expectation benchmark that regulators and plaintiffs' counsel may reference when assessing whether an organization took adequate precautions.
The vendor audit requirement is particularly concrete. Organizations must now demand evidence that their AI vendors used diverse and representative training datasets, a standard that did not exist in most procurement templates two years ago. This creates a tangible gap for any organization without vendor-specific AI risk clauses already embedded in contracts.
What Happens If Your Organization Doesn't Have These Controls?
The stakes are rising. Annual employee training mandates described in the guide set an expectation benchmark that regulators and plaintiffs' counsel may reference when assessing whether an organization took adequate precautions, raising the organizational risk profile for firms that rely solely on informal or ad hoc AI awareness efforts. If your company is sued for algorithmic bias or faces FTC scrutiny, the absence of documented governance structures, bias audits, or vendor audit processes will be used as evidence that you failed to exercise reasonable care.
The Commerce Department is expected to produce findings on state AI laws that may influence federal preemption debates, and its conclusions could reset which state-level obligations enterprises must track. Enforcement patterns from the FTC and state attorneys general in employment discrimination and consumer protection matters involving AI will also serve as a proxy for how rigorously the committee-formation and bias-audit steps in guides like this one will be tested in adversarial proceedings.
Other organizations are already moving ahead. Diligent has published a practitioner-focused guide titled "AI Governance: A Guide for Boards, Risk and Audit Leaders" that outlines how organizations should structure board oversight of AI, apply a three-lines-of-defense model, conduct fairness and bias audits, and assess third-party AI risk, with explicit mapping to the EU AI Act, NIST AI Risk Management Framework, and OECD AI Principles. The AI Company Data Initiative published a case study report in March 2026 documenting how Banco Bradesco and TELUS implemented structured AI governance models featuring strategic steering committees, quarterly review cycles, and mandatory human-rights-based safeguards.
For compliance teams, the message is clear: governance committees, bias audits, and vendor due diligence are no longer optional. They are becoming the baseline expectation that regulators, courts, and boards will use to judge whether your organization took reasonable care with AI systems. The time to implement these controls is now, before they become mandatory requirements embedded in state law.