When ChatGPT was released to the public on November 30, 2022, it marked a cultural and commercial inflection point for artificial intelligence (“AI”). Generative AI (“Gen AI”) became a mainstream tool almost overnight. Individuals and organizations across industries began experimenting with large language models and GenAI models, including customer service, content generation, analytics, and internal knowledge management. As we near the end of 2025, AI is no longer speculative; it is an important tool and, increasingly, a strategic differentiator.
In parallel, the legal landscape surrounding AI shifted sharply. What had been a largely unregulated innovation space quickly evolved into a fragmented mix of hard-law requirements, soft-law frameworks, agency guidance, and caselaw worldwide. For corporate counsel, the challenge now lies in navigating a fast-moving regulatory environment while AI adoption accelerates.
2025 was defined by major market shifts and dramatic additions to the global regulatory patchwork. This article summarizes where the year has left us, outlines practical steps for AI governance, and looks ahead to what to expect in 2026.
The state of play in 2025
The release of ChatGPT triggered an industry-wide race to develop and commercialize increasingly capable Gen AI models. Throughout 2023, competitors accelerated their own offerings, launching a period defined largely by model scaling, benchmark performance, and the pursuit of general-purpose capability. This “model-size arms race” dominated the narrative through 2024, resulting in numerous frontier-model releases and an unexpected disruption from DeepSeek, whose DeepSeek-R1 model demonstrated that highly efficient architecture could compete with compute-intensive approaches.
In 2025, these developments shifted focus toward the infrastructure required to sustain AI progress, including training data supply, synthetic-data strategies, energy-intensive data centers, and advanced-chip availability. Vertical integration has accelerated, with model developers, cloud providers, and governments aligning through long-term contracts, capital investment, and industrial policy.
At the same time, organizations are increasingly embracing smaller, task-specific models and fine-tuned variants that offer more predictable performance, cost-efficiency, and governance control. Interest in agentic AI has also grown, particularly where autonomous systems can be deployed within controlled enterprise environments. As a result, the ecosystem now resembles a bifurcated market: a few global platform providers at the top, and a growing set of domain-specific AI firms offering vertically targeted solutions.
Another development in 2025 is the rapid shift in organization attitudes. Initial resistance driven by concerns around privacy, confidentiality, hallucinations, and reputational risk has given way to widespread deployment. From a corporate governance perspective, this adoption curve has legal implications: new data flows, new diligence requirements, new vendor relationships, and an expanded risk surface that must be reflected in contracts, policies, and trainings.
Regulatory frameworks: A fragmented global landscape
In 2023 and into early 2024, regulators largely relied on guidance documents, voluntary commitments, and nonbinding risk frameworks (such as the OECD AI Principles and the NIST AI Risk Management Framework). By mid-2024, however, numerous jurisdictions began moving toward formal regulatory architectures, most notably the EU AI Act, the world’s first comprehensive horizontal AI regulation. The EU AI Act takes a risk-based approach, with stringent obligations for high-risk systems, transparency requirements for GenAI, and outright bans on certain uses. Its phased implementation will continue through 2026, with material compliance obligations taking effect during that period.
In the United States, the Biden Administration’s 2023 Executive Order on AI directed federal agencies to develop standards for safety testing, protections against bias, watermarking, cybersecurity, and procurement. In 2025, the Trump Administration reversed course, revoking the prior Executive Order and signaling a more deregulatory, innovation-focused federal posture. Most recently, the December 11, 2025, Executive Order Ensuring a National Policy Framework for Artificial Intelligence, has significantly restricted the ability of individual U.S. states to regulate AI development and use.
Across jurisdictions, AI policy continues to be shaped by perceived tension between risk mitigation and innovation. The result is a fragmented global landscape that requires organizations to navigate overlapping, and sometimes inconsistent, regulatory regimes.
Building an effective governance program
Practically, most organizations fall into one (or both) of two buckets: (1) organizations that build and develop AI systems; and (2) organizations that deploy third-party AI systems.
For organizations that build or develop AI systems, governance programs increasingly resemble formalized technology-risk frameworks. Key governance elements include model and data inventories, risk classification, and lifecycle controls spanning development through decommissioning.
For organizations that deploy third-party AI systems, effective governance centers on rigorous contractual and operational oversight of third-party providers rather than technical control. Key considerations include data-use restrictions, training and fine-tuning rights, confidentiality and IP protections, and AI-specific representations, warranties, and indemnities addressing hallucinations, data provenance, and misuse.
For both categories, data governance underpins nearly every legal, operational, and commercial risk. Training data provenance, enterprise data use, and downstream rights allocation remain central questions. In practice, governance often turns on a single issue: what the relevant contracts permit or prohibit with respect to data.
What to expect in 2026
On the regulatory front, 2026 will bring key compliance deadlines. The EU AI Act will continue its phased rollout, imposing additional obligations on high-risk systems and general-purpose model providers. In the United States, agencies are expected to clarify the status of rulemaking efforts initiated under the prior administration, while it remains to be seen whether states will continue advancing AI accountability and automated decision-making statutes. International commitments arising from multilateral AI safety dialogues are also slated for review, potentially leading to new testing standards or reporting expectations. Together, these developments point to a year of heightened enforcement readiness and compliance scrutiny.
AI-related litigation is also likely to intensify, as courts confront questions about data scraping, copyright, and model training practices. Ongoing cases will test the boundaries of fair use of copyright-protected content, the legality of training on publicly available data, and the extent to which AI developers may face product liability or negligence claims tied to model performance or misuse. These disputes will shape licensing markets, indemnity structures, and risk allocation between developers and enterprise customers.
Conclusion
AI regulation and risk governance have evolved from niche concerns to board-level priorities in under three years. The pace of technological and regulatory change shows no signs of slowing. For corporate attorneys, the imperative is clear: stay ahead of the evolving legal landscape, implement governance programs that can withstand scrutiny, and future-proof organizational practices and contracts.
In a space defined by rapid innovation and an expanding compliance perimeter, vigilance and adaptability will be essential. Organizations that succeed will be those that treat AI not only as an opportunity, but as a domain requiring disciplined legal, operational, and contractual stewardship.
