WEBVTT

00:00:09.680 --> 00:00:17.540
Welcome to Legal Prompting, the podcast dedicated to legal methods in the age of AI.

00:00:17.899 --> 00:00:21.520
I'm Nicola Fabiano and this is episode 7.

00:00:22.120 --> 00:00:29.079
In the previous episode, we saw how to use AI to analyze contracts and clauses, spot

00:00:29.079 --> 00:00:31.100
weaknesses, and compare versions.

00:00:31.899 --> 00:00:33.400
Now we take a step further.

00:00:34.159 --> 00:00:41.459
Those prompts do not live in isolation; they live inside business processes, inside compliance

00:00:41.459 --> 00:00:46.840
workflows that involve people, documents, deadlines, and responsibilities.

00:00:47.520 --> 00:00:52.380
Today we talk about Legal Prompting in Corporate Compliance Workflows.

00:00:52.900 --> 00:00:54.659
Compliance is a broad word.

00:00:55.099 --> 00:01:02.419
It includes privacy, anti-corruption, anti-money laundering, information security, organizational

00:01:02.419 --> 00:01:05.680
liability models, and internal controls.

00:01:06.440 --> 00:01:13.639
In each of these areas, AI can help, but it can also introduce new risks if it is added

00:01:13.639 --> 00:01:14.940
without criteria.

00:01:15.099 --> 00:01:17.059
Let's start from a principle.

00:01:18.059 --> 00:01:22.360
AI is not a neutral tool that adds to an existing process.

00:01:23.180 --> 00:01:24.940
AI changes the process.

00:01:25.639 --> 00:01:32.540
It changes who does what, how decisions are documented, and who is responsible for outcomes.

00:01:33.199 --> 00:01:39.319
Before writing a prompt, we need to ask where it fits into the workflow and what changes

00:01:39.319 --> 00:01:42.879
it entails compared to the way things were done before.

00:01:43.739 --> 00:01:45.860
Let's see three concrete applications.

00:01:46.739 --> 00:01:54.980
First application: handling data subject requests under the GDPR. A controller receives requests

00:01:55.019 --> 00:01:58.620
for access, erasure, and portability.

00:01:59.800 --> 00:02:05.099
AI can help with the first classification of the request, the extraction of relevant

00:02:05.099 --> 00:02:08.899
information, and the preliminary check of deadlines.

00:02:09.899 --> 00:02:17.039
The prompt must specify the legal framework, the requester's role, and the type of request.

00:02:17.339 --> 00:02:24.240
The AI's response is a technical draft; the decision remains with the responsible person.

00:02:24.679 --> 00:02:32.259
Second application: the periodic review of corporate policies, codes of conduct, privacy

00:02:32.259 --> 00:02:34.960
policies, and internal procedures.

00:02:34.960 --> 00:02:42.360
AI can compare the current version with updated legal references and flag inconsistencies,

00:02:43.360 --> 00:02:45.300
gaps, and obsolete references.

00:02:46.220 --> 00:02:51.399
The prompt must indicate the reference standards and the scope of the review.

00:02:52.220 --> 00:02:57.460
The output is a map of issues, not a new version of the document.

00:02:58.000 --> 00:03:02.740
Third application: monitoring of internal reports and whistleblowing.

00:03:02.740 --> 00:03:09.220
AI can help with initial triage of reports and categorization by risk type.

00:03:10.059 --> 00:03:12.320
Here, caution is at its highest.

00:03:13.279 --> 00:03:19.440
Reports contain sensitive data, protected identities, and facts that may become the

00:03:19.440 --> 00:03:20.860
subject of investigations.

00:03:21.380 --> 00:03:27.199
The infrastructure must guarantee confidentiality, traceability, and data segregation.

00:03:27.199 --> 00:03:32.220
It is not a question of prompt; it is a question of governance.

00:03:32.940 --> 00:03:36.380
From these applications, a working rule emerges.

00:03:37.479 --> 00:03:40.960
Every use of AI in compliance must be documented.

00:03:41.660 --> 00:03:47.100
Which prompt was used, on which model, by which operator, with which outcome.

00:03:47.800 --> 00:03:51.479
Without this documentation, compliance cannot be verified.

00:03:51.479 --> 00:03:58.080
And a process that cannot be verified is not compliant, whatever the apparent result.

00:03:58.440 --> 00:03:59.860
There is another point.

00:04:00.820 --> 00:04:06.020
AI introduces a new operational risk: the risk of automating error.

00:04:06.880 --> 00:04:13.419
If a prompt is imprecise, every use of that prompt will produce an imprecise outcome.

00:04:14.259 --> 00:04:17.559
The scale of the error grows with the scale of use.

00:04:17.559 --> 00:04:23.079
That is why corporate prompts must be treated as operational tools.

00:04:23.859 --> 00:04:29.579
They must be versioned, tested, validated, and updated, as we do with any procedure.

00:04:29.760 --> 00:04:32.220
And then there is responsibility.

00:04:32.980 --> 00:04:35.940
AI is not accountable for anything.

00:04:36.279 --> 00:04:41.619
The controller, the employer, the professional, and the consultant are accountable.

00:04:42.339 --> 00:04:45.619
Human oversight is not a formal detail.

00:04:45.619 --> 00:04:51.880
It is the only way to bring decisions back to actors who can answer for them.

00:04:52.579 --> 00:04:55.880
In the next episode, we will enter a delicate territory.

00:04:56.880 --> 00:05:00.000
Professional secrecy and the choice of AI infrastructure.

00:05:01.040 --> 00:05:07.600
Which models can be used, which cannot, and why the choice of infrastructure is already a compliance decision.

00:05:08.100 --> 00:05:14.100
To stay updated, subscribe to the newsletter at nickfab.eu

00:05:14.100 --> 00:05:16.760
Thank you for listening. See you next time.

