Artificial intelligence (AI) as a field encapsulates machine learning, deep learning and generative AI. As the impact of these technologies continues to grow, industry leaders and regulators have been grappling with how to define the technologies' contours, how to audit AI and whether these audits are protected under the attorney-client privilege.
The recent article "AI Audits: Initial Steps Toward Building User Trust and Maintaining International Norms," published in RAIL: The Journal of Robotics, Artificial Intelligence & Law, Volume 8, No. 4 (July-August 2025), also wrestles with these issues. In particular, the article considers several primary concepts:
- The regulatory landscape created by various agencies, and those agencies' detailed guidelines and advisories for AI use
- State and local legislation, and the current patchwork of initiatives developed to attract AI developers while protecting constituents
- International efforts embodied in legislation, various tools and compliance checklists
- How "soft law" (defined as rules or standards that set substantive expectations but are not enforceable by governments) can address gaps in legislation and regulation by utilizing industry standards as a support mechanism for compliance
- AI's "black box" nature and how that may require regular audits for bias and improved transparency
- Implications of AI audits for attorney-client privilege and factors that can impact that analysis, including jurisdiction, purpose of the audit and ownership of the audit by counsel
To assess these matters, the article reviews the history and growth of AI's ties to auditing. Specifically, as AI has grown more sophisticated and its use has increased, the boundary lines dictating its use have been a patchwork of rules stitched together by government authorities relying on prior statutes and regulations, past enforcement and, more recently, encompassing legislation attempted only in the past several years.
Assuming that AI will continue to adapt and evolve, the authors assert that the application of soft law is critical to pave the way for additional regulation and new industry standards. While not law per se, soft law guidance is often used when writing what entities anticipate will become enforceable in the future. Soft law may also influence industry standards and best practices.
The article notes one AI soft law of particular note: the NIST AI Risk Management Framework (AI RMF). The NIST AI RMF provides well-considered suggestions for an AI governance model that have also influenced other soft laws, regulations and proposed legislation. And particular to the article's focus, the NIST AI RMF suggests how an organization might audit its AI programs to support transparency.
The challenges of developing transparent AI have created an international need for identifying the biases programmed into the AI innovations that now permeate society. The article considers the purpose behind the current legal frameworks for AI and highlights various standards for AI system audits that purport to improve the transparency of this technology.
Finally, the article further explores those factors that can impact whether an audit can be protected under the attorney-client privilege. Some of these factors include but are not limited to the purpose of the audit, the jurisdiction one is in and whether counsel engaged a third-party auditor. Ultimately, whether an AI audit is protected by the attorney-client privilege will depend on the individual facts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
