There is significant opportunity in the legal field for AI to augment workflows and client success.
getty
The world of compliance and regulation has never been easy, especially in complex fields such as healthcare, financial services and many others. In fact, given just how nuanced this work is, many organizations often outsource compliance matters to professional law firms. With the boom of artificial intelligence, big data and an entirely new ecosystem of technology over the past decade, a myriad of regulations and laws have emerged with an unparalleled intensity which organizations just cannot keep up with.
The surge is not just noise, but rather, a signal that governments and regulators are racing to define how this ecosystem is built, deployed and governed. A 2023 report by Stanford University’s Human Centered AI (HAI) group found that mentions of AI in legislative proceedings almost doubled from 1,247 in 2022 to 2,175 in 2023, indicating a significant shift of attention to this topic globally. However, despite a plethora of soft mentions and pushes for regulation, in the US, there is no comprehensive federal regulation or legislation that singlehandedly restricts the development or use of AI.
A report by the Brookings Institution indicates that individual states are thus stepping into this role, with nearly 47 out of 50 states having introduced some sort of legislation on the topic in 2025 alone. For healthcare, the situation is even more complicated; a recent report by Manatt found that as of October of this year, 47 states have introduced more than 250 AI bills which touch the realm of healthcare, and nearly 23 of those states have already passed bills into law. The problem without one centralized source of authority, however, is that many of the regulations and rules often do not speak to each other and frequently overlap in complex ways; some are redundant, while others conflict with each other. This means that organizations and innovators are left in the dark without clarity on how to proceed with their work.
Law firms themselves are leveraging the best of artificial intelligence technology to navigate this increasingly complicated landscape. Take for example DLA Piper, one of the world’s largest law firms, which is investing significant capital to help its clients navigate the evolving regulatory and compliance landscape. In a white paper released last year, the firm describes a new framework called SAGE: “A systematic approach to data-driven AI governance.” The initiative’s goal is to help organizations navigate the “overabundance” of AI requirements, clarify potential overlaps and conflicts with competing regulations, and determine how best to comply. The framework leverages human SMEs alongside AI algorithms to “atomize” complex pieces of legislation or regulation, essentially breaking them down to their very fundamental, component parts. Further leveraging AI and legal experts, the process concludes with a distilled, non-duplicative set of requirements extracted from sources with a deeper understanding of how each of the atomized requirements overlap with one another across different sources.
Another novel and cutting-edge service the firm has developed is “proactive compliance as a service” or PCaaS; the platform entails traditional machine learning with proprietary small language models (trained by domain-specific expert lawyers) that are customized to client-specific data, policies and industry needs. The platform, which is hosted and run end-to-end by DLA (and hence affords clients legal privilege), can parse through unstructured data, documentation and real-world communications to proactively flag risk areas that may require further legal attention and may otherwise go unnoticed. This proactive approach is a massive boon for organizations, as reactive, post-incident investigations often lead to millions of dollars in compliance fines and legal settlements. Furthermore, in incredibly sensitive settings such as healthcare, proactive compliance as a concept can help protect patients as it mitigate problems before they become actual issues, such as patient privacy concerns, data leaks or other breaches into sensitive healthcare data.
Dr. Danny Tobey, M.D., J.D, partner and chair of the AI and Data Analytics practice at DLA Piper, comments that the real value in these services is to help organizations navigate a very complex new world and ecosystem, so that they can ultimately provide value to their stakeholders. He explains that PCaaS remains “risk domain agnostic,” meaning that a small language model can theoretically be built around any risk domain to help clients in a curated fashion; in parallel, SAGE is a tool for building and pressure testing AI governance programs, and enabling organizations to deal with overlapping and often inconsistent AI regulations.
Needless to say, competition in this arena is stiff, although it is being approached in unique ways by different players. Harvey, for example, has become a prominent name in the legal AI space, and is built to augment existing legal teams more generally and help with workflow efficiency, due diligence processes, and in reducing manual effort. Additionally, many professional services firms are increasingly realizing the need for support in this area. BakerTilly, for example, offers an entire risk advisory practice, with a specific vertical for artificial intelligence consulting. Consulting firms, although not traditional legal service shops, are expanding their line of work as well; for example, EY has dedicated services to help organizations “build confidence in AI, drive exponential value…and deliver positive human impact.” Despite all the new services emerging, the regulatory ecosystem is certainly expanding rapidly enough for multiple players to make a positive impact.
Why is all of this work important?
Services like these ultimately benefit consumers, and in healthcare, patients. A recent study by The HIPAA Journal found that there has been a clear upward trend in the number of HIPAA and sensitive data breaches over the past decade. The prevalence of cyber incidents has also escalated significantly in healthcare; a recent report found that in 2025 alone, healthcare ransomware attacks have surged 30%. Despite vulnerability to these external threats, organizations can still ensure their internal processes are “buttoned-up” and compliant to maximize patient security and privacy.
Undoubtedly, the landscape of AI law, regulation and compliance will only continue to expand. Organizations must invest in the right resources to navigate these uncertain waters so that they can ultimately ensure the best service, privacy and safety for their patients and customers.