Navigating the artificial intelligence landscape: a legal perspective on governance

Tuesday 29 April 2025

Sergio Michelsen Jaramillo
Brigard Urrutia, Bogotá
smichelsen@bu.com.co

Nicolás Albornoz
Brigard Urrutia, Bogotá
nalbornoz@bu.com.co

Introduction

The rapid proliferation of artificial intelligence (AI) presents both unprecedented opportunities and complex challenges for businesses across all sectors. For legal professionals, understanding and advising on the governance of AI is becoming increasingly crucial as organisations navigate the intricate web of legal, ethical and societal implications. This article aims to demystify AI governance, exploring its definition, key components and practical implementation. It will delve into the critical considerations surrounding data protection, intellectual property, compliance and AI ethics, providing insights relevant to an international legal audience. Furthermore, this article will shed light on the emerging AI regulatory landscape in Colombia, with a specific focus on Circular 002 of 2024 issued by the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio or SIC) and CONPES 4144 of 2025, offering a case study on national-level AI governance.

Demystifying AI governance

Defining AI governance and its core components

AI governance is a comprehensive system of principles, policies and practices guiding the development, deployment and management of AI within an organisation. It aims to harness AI’s potential, while mitigating risks and ensuring ethical and regulatory compliance. [1] This oversight ensures AI operates responsibly and ethically, aligning with organisational values and societal norms. [2]

The key components of AI governance frameworks are multifaceted. Accountability and oversight are crucial for assigning responsibility for AI systems.[3] This involves defining roles across the AI lifecycle.[4] Formal governance structures formalise accountability through boards or committees.[5] People, skills, values and culture are vital for establishing responsible AI practices.[6] Clear principles and policies communicate the organisation’s approach to AI development and use.[7] These are translated into practices guiding AI procurement, design, development and deployment.[8] A robust supporting infrastructure, including data and technology platforms, is essential.[9] Continuous monitoring, reporting and evaluation ensure ongoing compliance and address any unintended consequences.[10] Fairness and bias mitigation, transparency and explainability, data quality management, privacy and security, stakeholder engagement, regulatory compliance and AI for data management are also crucial.

Exploring typical implementation frameworks and the allocation of responsibilities

Effective AI governance requires documented processes for data quality, data protection, model development, deployment, monitoring, transparency and explainability. Organisations increasingly establish roles like chief AI officer or AI ethics officer to oversee ethical AI use, create policies, ensure regulatory compliance and manage risks.[11] These roles manage data privacy, evaluate the impact of AI and foster collaboration.[12]

Effective frameworks encourage responsible innovation with clear guidelines.[13] A tiered approach, applying stricter controls to high-risk AI, is often recommended.[14] Collaboration between industry, academia and regulators is crucial for developing informed frameworks.[15] Promoting transparency builds public trust.[16] AI governance systems monitor AI operations against policies related to regulation, privacy, safety and risk. Best practices include a focus on data quality, robust privacy and security, stakeholder engagement, staying updated on regulations and leveraging AI for data management.

The table below outlines some key roles and responsibilities commonly found in organisations implementing AI governance frameworks.

| Role | Responsibilities |
| --- | --- |
| Chief AI Officer | Leading the development and implementation of internal AI policies, overseeing adherence to ethical standards and guidelines, ensuring compliance with legal and regulatory frameworks, managing AI-related risks including data privacy and security, evaluating the performance and impact of AI systems, fostering cross-functional collaboration and representing the company in external discussions. |
| AI Ethics Officer | Steering the ethical handling of AI applications, promoting fairness, transparency and accountability of AI systems, ensuring ethical considerations are integrated throughout the AI lifecycle and developing training programmes to foster a culture of responsible AI use. |
| AI Compliance Manager | Ensuring that AI practices and systems comply with all applicable legal standards, regulations and internal policies, staying informed about evolving AI-related legal requirements, collaborating with legal and compliance experts and managing the implementation of AI governance and compliance platforms. |
| Data Scientists/Engineers | Developing and maintaining AI models with a focus on data quality, security and ethical considerations, implementing bias detection and mitigation techniques, ensuring the transparency and explainability of AI models and collaborating with governance teams to align technical developments with policy requirements. |
| Legal Counsel | Providing expert legal advice on the implications of AI adoption, ensuring compliance with data protection laws, intellectual property rights, and other relevant regulations, drafting and reviewing AI-related contracts and agreements and advising on potential legal risks and liabilities associated with AI deployment. |

Navigating the legal and ethical maze related to AI

Data protection

AI systems often process vast amounts of personal data, making data privacy a key concern. This introduces challenges like unauthorised data use, biometric data concerns, covert data collection and algorithmic bias. The risks include collecting sensitive data without consent, using data beyond its original purpose, unchecked surveillance, bias exacerbation, data exfiltration and unintentional leakage.

Compliance with applicable data protection regulation is a legal imperative.[17] These rules require the establishment of principles like purpose limitation, restricted access and storage limitation. Best practices for AI and data protection compliance include developing robust data governance policies, implementing privacy by design, enhancing transparency, data minimisation, robust security measures, anonymisation and continuous monitoring. A failure to comply can lead to significant legal liabilities, including fines from data protection authorities[18] and lawsuits.

Intellectual property

AI poses a challenge to intellectual property (IP) laws, particularly regarding authorship and ownership of AI-generated content. Current IP laws primarily protect human-created works, creating ambiguity when AI is involved. There is no universal legal framework granting IP rights to AI as an inventor or author. The Colombian and US copyright offices, for example, require human authorship for work registration. This lack of clarity can lead to disputes over ownership and infringement of the rules.

Training AI models often involves copyrighted material, posing infringement risks and instigating legal debates. Businesses using AI to generate content must be aware of potential third-party IP infringement. Navigating this requires monitoring global regulations on AI-generated content and ownership.[19] Establishing internal policies on AI-generated content is also essential.[20] Some jurisdictions, like the UK, have provisions for computer-generated works, but the requirement for human input in terms of originality remains a challenge. The World Intellectual Property Organisation has initiated consultations on adapting IP laws to AI.

Compliance

AI compliance ensures adherence to legal, ethical and security standards.[21] While related to AI governance, compliance focuses on external requirements.[22] The global regulatory landscape is evolving rapidly.[23] Examples include the EU’s AI Act, which includes a risk-based classification system[24], and Brazil’s proposed AI Bill.[25] The US also has emerging initiatives.[26]

Beyond AI-specific regulations, industry standards like ISO/IEC 42001 and the NIST AI Risk Management Framework (AI RMF)[27] are important. Compliance requires robust risk management strategies. These include starting with pilot projects, ensuring data governance, fostering continuous learning, cross-departmental collaboration, implementing explainable AI, monitoring and mitigating biases and investing in cybersecurity. Specific sectors like finance and healthcare have additional regulations, such as Basel III and HIPAA.

AI ethics

Ethical considerations are fundamental to responsible AI development and deployment, encompassing fairness, transparency, accountability, privacy and human safety. Fairness aims to achieve impartiality and equity, thus preventing bias. Transparency requires understandable and scrutable AI systems. Accountability ensures organisations own the outcomes of their AI systems.

Integrating AI ethics into AI governance frameworks is essential. This starts with a framework incorporating ethical principles. Fostering an ethical culture is paramount. Regular ethical assessments should identify and mitigate biases, evaluate privacy impacts and analyse the risks. Transparency and explainability through documentation and explainable AI (also known as XAI) tools are vital. Proactive bias elimination using diverse data and fairness audits is necessary. Strengthening privacy and security measures is critical. Continuous monitoring ensures ethical compliance. Stakeholder engagement provides valuable input. Operationalising AI ethics translates principles into actionable guidelines.

Spotlight on Colombia

AI regulation in Colombia: Analysis of Circular 002 of 2024 (SIC)

Circular 002 of 2024, issued by the SIC in Colombia, provides guidelines for personal data processing by AI systems. While not legally binding like statutes, the SIC considers them important interpretative guidelines for compliance.[28] The circular aims to establish general requirements for personal data controllers involved in AI systems and assure data subjects about the use of their data.[29]

The SIC emphasises the need to balance the adequacy, necessity, reasonableness and proportionality of personal data processing involving AI against principles in Statutory Laws 1266 of 2008 and 1581 of 2012.[30] In cases of uncertainty about potential harm, personal data controllers should refrain from data processing or implement robust precautionary measures.[31] Accountability requires risk identification, classification and mitigation proportional to potential damages. Privacy impact studies are mandated for high-risk AI systems before their design and development.[32] Data processed by AI must be truthful, complete, accurate, updated, verifiable and understandable, prohibiting the use of partial or misleading data.[33] Differential privacy is suggested for privacy by design and default purposes.[34] Data subjects’ rights to information about their data processing must be upheld.[35] Finally, publicly accessible personal information is not inherently public and requires explicit consent for unrestricted data processing.[36]

CONPES 4144 of 2025: impact on AI governance and adoption in Colombia

CONPES 4144, approved on 14 February 2025, is Colombia’s National Artificial Intelligence Policy, a strategic roadmap for AI research, development, adoption and ethical use until 2030. This policy involves significant public investment to enhance productivity and foster socio-economic transformation. The main objective is to cultivate national capacity for AI research, development, adoption and ethical application to drive Colombia’s technological and economic progress.

The policy outlines six strategic objectives: strengthening AI governance and ethics; enhancing technological infrastructure and data availability; promoting AI research, development and innovation; developing AI skills and digital talent; defining measures to mitigate AI risks and undesired effects; and promoting AI adoption in public entities and businesses. Regarding IP, CONPES 4144 aims to update the regulatory framework by 2030, strengthen IP protection capacity and promote technology transfer.[37] It also acknowledges the need to analyse IP risks related to AI and develop clear legislation.[38] The policy aims to promote equitable investment, benefiting small and mid-sized enterprises (SMEs) and rural areas, and encourages foreign investment through tax incentives. It also emphasises digital skills development in regard to AI. The policy recognises challenges like network interoperability and the shortage of AI specialists.

Conclusion

AI governance is crucial for businesses in an AI-driven world. Navigating the legal and ethical complexities requires understanding data protection, IP rights, compliance and ethics. Organisations must be proactive, establishing governance frameworks, defining roles, managing risks and fostering an ethical AI culture. The evolving regulatory landscape, as exemplified by Colombia’s Circular 002 and CONPES 4144, highlights the need to stay informed. Legal professionals advising on AI adoption must understand these issues to ensure responsible innovation and mitigate the risks. AI adoption is a continuous process, and a strong governance strategy is essential for a responsible and successful future.

[1] AI Governance, A Critical Framework for Organizations, GAN Integrity, https://www.ganintegrity.com/resources/blog/ai-governance/ last accessed on 1 April 2025.

[2] What Is AI Governance? Palo Alto Networks, https://www.paloaltonetworks.com/cyberpedia/ai-governance last accessed on 1 April 2025.

[3] The interaction between intellectual property laws and AI: Opportunities and challenges, https://www.nortonrosefulbright.com/en/knowledge/publications/c6d47e6f/the-interaction-between-intellectual-property-laws-and-ai-opportunities-and-challenges last accessed on 1 April 2025.

[4] Ibid.

[5] Ibid.

[6] Ibid.

[7] Ibid.

[8] Ibid.

[9] Ibid.

[10] Ibid.

[11] The Role of the AI Officer: Guide to Responsible AI Leadership, https://www.aiguardianapp.com/ai-officer-responsibilities last accessed on 1 April 2025.

[12] Ibid.

[13] See n 1 above.

[14] See n 1 above.

[15] See n 1 above.

[16] See n 1 above.

[17] See n 1 above.

[18] See n 1 above.

[19] Artificial Intelligence and Copyright: Navigating the New Legal Landscape - Senior Executive, https://seniorexecutive.com/ai-copyright-law-ownership-intellectual-property-rights/ last accessed on 1 April 2025.

[20] Ibid.

[21] AI compliance in 2025, Wiz, https://www.wiz.io/academy/ai-compliance last accessed on 1 April 2025.

[22] Ibid.

[23] Global AI Compliance Guide: Regulations & Governance Strategies ..., https://www.modulos.ai/global-ai-compliance-guide/ last accessed on 1 April 2025.

[24] See n 2 above.

[25] See n 3 above.

[26] See n 3 above.

[27] See n 3 above.

[28] New External Circular No. 002 ... - Brigard Urrutia, https://www.bu.com.co/en/insights/noticias/sic-sets-instructions-processing-personal-data-ai last accessed on 1 April 2025.

[29] Ibid.

[30] Ibid.

[31] Ibid.

[32] Artificial Intelligence, Profiling and Automated Decision Making, Colombia, Global Data and Cyber Handbook, Baker McKenzie Resource Hub, https://resourcehub.bakermckenzie.com/en/resources/global-data-and-cyber-handbook/latin-america/colombia/topics/artificial-intelligence-profiling-and-automated-decision-making last accessed on 1 April 2025.

[33] See n 28 above.

[34] See n 28 above.

[35] See n 28 above.

[36] See n 28 above.

[37] A look at the policy on Artificial Intelligence CONPES 4144 and Intellectual Property, https://ponsip.com/en/ip-news/news/a-look-at-the-policy-on-artificial-intelligence-conpes-4144-and-intellectual-property/ last accessed on 1 April 2025.

[38] Ibid.