What should the GC of America's AI deployment in 2026 consider?

2026-06-02 翰宇国际律师事务所 李鑫

May 2026

AI agents

Executive summary

For many organizations, the question is no longer whether to adopt an AI governance program. Most organizations already have one (or at least the beginnings of one) in the form of AI use policies, intake processes, vendor diligence questionnaires, data-use restrictions, employee training and

1. Agentic AI has arrived. So too have new compliance challenges:

• AI agents, or agentic AI, refers to AI systems that autonomously execute multiple steps with minimal human

• They represent a shift in AI use from “answer generators” to workflow actors that can analyze contracts, triage customer service requests, update records, prepare first drafts, engage in commerce and execute similar multi-

In 2026, AI governance is becoming less about whether and how employees may use generative AI tools, and more about how organizations manage AI that is embedded across the enterprise: in software as a service (SaaS) platforms, customer-facing products, developer tools, HR systems,

• Agents can use tools, access data and take actions on behalf of employees or customers. Unlike stand-alone chatbots, agents may connect to email, calendars, customer relationship management (CRM), HR information systems (HRIS), ticketing, procurement, code repositories and document systems, creating legal risk around access

This update highlights some key issues that general counsels and legal departments should be revisiting now as part of their AI governance. These include the rise of agentic AI, the expansion of third-party and SaaS vendor AI risk, topical updates regarding AI and IP (including open source and licensing of training data), AI litigation risk, and a rapidly

• Agentic systems create a new governance challenge: delegation without clear accountability.
As AI agents become capable of making recommendations, initiating communications, negotiating terms, escalating issues or

The core takeaway is simple: AI governance should not be

It should be a living legal, compliance, privacy, security and product governance framework that evolves with the technology. But AI governance can build on existing policies,

Major insurers are moving to exclude losses caused by AI agents from coverage. Organizations should consider consulting with their insurance brokers to understand the

For GCs, 2026 is the year to pressure-test whether existing AI governance fits the ways in which AI is procured, deployed,

3. Pricing for SaaS and AI vendors is changing from seat-based to a usage- and/or outcome-based model (or a hybrid model). Legal and procurement teams need to be aware of

AI vendors and third-party risk

2. AI vendor contracting requires new intake, assessments and contract templates:

• Treat AI as a standard vendor-risk issue, not a special-case add-on – Most SaaS vendors are embedding AI into existing products, copilots, analytics, support tools, personalization features and workflow automation, so

• Usage-based pricing – This one was inevitable given the adoption of AI by SaaS providers and the proliferation of

• Update diligence questions to capture both obvious and hidden AI uses – Intake forms should ask whether the vendor uses AI to process customer data, train or fine-

• Outcome-based pricing – Providers charging based on how many tasks are successfully completed by agents. What is a task?
What is success and who defines/decides it? These and other issues need to be understood by business

• Refresh contract templates for AI-specific rights and restrictions – Contracts for AI systems should address training use, fine-tuning, model improvement, ownership of outputs and derivatives, confidentiality, data retention, security controls, audit rights, explainability, human review, prohibited uses, incident notice and liability for AI-enabled

• Hybrid – Some providers are charging based on a hybrid approach of seat-, usage- and outcome-based.

• These details are often found on a dashboard that legal and procurement teams will never see or access, or in the fine print of online documents that have been updated automatically, long after a master service agreement

4. Certain SaaS and AI vendors are more prone to disruption and obsolescence than ever before. This needs to be incorporated into your third-

• Do not rely on legacy data processing agreement (DPA)/security-review processes alone – Traditional privacy and security reviews may miss AI-specific risks, including model memorization, prompt injection, data leakage through

Performance of general-purpose models is improving by multiple factors on an annual basis, while the cost of running them is decreasing. There are numerous consequences of this, including that general purpose models can now compete with, and are already competing with, specialized SaaS and AI applications. This is especially true for certain wrapper applications that are built on top of frontier models like those offered by OpenAI or Anthropic. Meanwhile, coding agents offered by Anthropic and OpenAI, and others like Cursor

• Build a repeatable AI vendor c