Why Compliance Departments Are Quietly Building Parallel AI Stacks to What Legal Already Deployed — and Why That Should Worry the GC
The General Counsel finds out the same way they find out about most shadow IT problems: accidentally. A vendor renewal crosses the right desk, a data incident triggers an audit trail, or someone in IT mentions offhand that compliance has been running a separate contract with an AI vendor for eight months. By then, the parallel stack is load-bearing. People depend on it. And unwinding it is politically radioactive.
This is happening inside enterprises right now, and it is accelerating.
The Quiet Procurement Problem
Compliance functions — particularly financial crimes, regulatory affairs, trade controls, and privacy teams — have become aggressive AI buyers in their own right. They are procuring transaction monitoring overlays with machine learning flagging (think Behavox or NICE Actimize add-ons), sanctions screening enrichment tools, third-party risk management platforms with generative AI summarization layers, and, increasingly, large language model interfaces purpose-built for regulatory research and policy drafting.
These tools are not toys. A mid-size financial services firm might have compliance running an AI-assisted SAR drafting tool, a separate LLM environment for internal policy generation, and a third-party due diligence platform that ingests and summarizes adverse media — all while legal has deployed its own contract lifecycle management AI, a separate document review environment, and a legal research assistant. The two functions are operating essentially separate AI estates with no shared governance, no unified data architecture, and no coordinated vendor management.
The problem compounds when those tools are processing overlapping data. Customer due diligence files. Internal investigation documents. Board communications. Regulatory correspondence. When compliance's AI vendor and legal's AI vendor are both ingesting sensitive matter files — sometimes the same files — you have created a data residency and confidentiality risk that your outside counsel would have a field day explaining to a regulator.
Why It Is Happening
The reasons are structural and understandable, even if the outcome is dangerous.
First, budget ownership. Compliance in heavily regulated industries — banking, pharmaceuticals, energy — often controls its own OpEx lines and reports to a Chief Compliance Officer who sits outside the legal function. They do not need the GC's sign-off to run a software procurement. They need their own budget approver, and increasingly they have it.
Second, speed. Regulatory timelines do not wait for legal's vendor evaluation cycle. When the FCA issues new consumer duty guidance or FinCEN updates its AML priorities, compliance needs tooling that responds to those workflows now, not after a six-month enterprise procurement review. The compliance team leads saw what legal built, decided it did not serve their needs, and went and bought something that did. This is rational behavior. It is also how you end up with two AI stacks and zero governance.
Third, genuine workflow divergence. A contract AI assistant optimized for redlining and clause extraction is not the right tool for drafting a suspicious activity report or modeling regulatory capital treatment. Compliance has legitimate reasons to want purpose-built tooling. The mistake is treating that legitimate workflow need as a justification for ignoring enterprise governance entirely.
Where the Liability Exposure Gets Real
The jurisdictional overlap between legal and compliance is where AI fragmentation creates acute exposure.
Consider internal investigations. When a matter sits under privilege — outside counsel has been engaged, legal holds have been issued — compliance's AI tools may not be configured with the same data handling constraints as legal's privileged matter infrastructure. If compliance staff are running investigation-related documents through a third-party AI platform that was procured without legal's involvement, you may have broken the chain of custody for privilege and handed opposing counsel exactly the argument they need. In re Grand Jury (9th Cir. 2022), while not an AI case, reinforced how aggressively courts scrutinize the privilege perimeter when information flows outside controlled legal channels.
Data residency is the other live wire. The EU AI Act, which entered phased application in 2025, imposes risk-classification obligations on AI systems used in regulated contexts. A compliance team deploying an AI tool that processes EU personal data for AML screening may be running a system that qualifies as high-risk under Annex III, with attendant conformity assessment obligations. If legal does not know the tool exists, legal cannot ensure those obligations are being met. When the supervisory authority comes knocking — and under the AI Act, they will — the GC is going to have a very uncomfortable conversation about a tool for which they approved no paperwork.
What a Unified Governance Structure Actually Looks Like
The answer is not centralization for its own sake. Compliance should be able to buy purpose-built tools. The answer is a shared governance layer with federated procurement.
In practice, that means four things.
A unified AI registry. Every AI tool deployed across legal and compliance gets logged in a single inventory with data flow mapping, vendor contractual terms, and a designated data steward. This is not bureaucracy — it is the minimum viable audit trail.
Coordinated privilege and confidentiality protocols. Any AI tool that may touch matter files, investigation documents, or regulatory correspondence needs to go through a joint legal-compliance review before deployment. The privilege perimeter has to be defined in advance, not reconstructed after an incident.
A joint GC-CCO governance committee. Not a task force. A standing committee with a defined charter, meeting cadence, and escalation authority. The GC and CCO need to co-own AI governance, not run parallel fiefdoms.
Vendor contract harmonization. Legal and compliance should be negotiating data processing agreements, AI-specific liability carve-outs, and model transparency provisions with consistent terms. Running two separate vendor relationships with inconsistent data handling language is a due diligence failure waiting to be discovered.
The GC Cannot Afford to Find Out Late
The role of the General Counsel is not to control every tool procurement across the enterprise. But it is to ensure that the enterprise's legal exposure is understood, mapped, and managed. When compliance is running an AI estate the GC does not know about, that function is not being performed. The time to build the governance structure is before the regulator asks why two different AI vendors had access to the same investigation files under incompatible data agreements.
That conversation is coming. The GCs who have already built the joint governance layer will handle it fine. The ones who are still finding out about the parallel stack by accident will not.