What does it take to turn AI-powered regulatory monitoring into reliable legal intelligence your business can actually use?

Larissa Hamilton
Director | HAVN Law
AI
/

I recently built an AI-powered regulatory monitoring tool that could offer a General Counsel or board more than a high-level overview of applicable privacy laws.
I wanted to create something that would take the existing and upcoming legislation and tell my client, in plain terms, what it meant for their business, not everyone else’s.
The tool I developed scans privacy and data protection laws across the jurisdictions my client operates in, it maps developments to their specific products and legal entities, and produces structured briefings sourced directly from regulators, with a hierarchy of urgency, proposed impacts and suggested next actions. The goal is to ensure compliance and preparedness, and to potentially uncover new opportunities.
I learned some surprising lessons during this process that I wanted to highlight as real examples of why governing AI is crucial to getting the most out of it:
1. The client’s own business context is the only place to begin. Start there before the technology, otherwise AI will work from a general premise and hedge, without knowing what is truly relevant. Without it, any scanning tool produces authoritative-looking output about things that do not matter, and misses the things that do.
2. It took significantly longer than expected. The instructions, the source hierarchy, the quality checks, the exposure map went through more than fifteen rounds of revision. Each revision required human and legal judgment to catch errors and question assumptions. This is the work required, and is not a limitation of the technology.
3. The AI tool confidently stated that New Zealand does not hold EU GDPR adequacy status, when it does. That error was embedded in the tool’s background content and would have reproduced in every output until I flagged it. What I learned is to ask why the error occurred and to encode the correction as a permanent quality rule at source. The tool improves because the human with the right context and knowledge keeps correcting it. Ongoing evaluation is not optional, it is a key part of the AI governance lifecycle.
4. Polished does not equal accurate. The linked sources looked right, but two links returned 404 errors, because the last letter of the URL was omitted. That tiny AI error could have raised questions in my client’s mind about the tool’s effectiveness and my thoroughness.
5. This is not a one-time exercise, as the business will change and new laws emerge. The instructions need to be treated as a living document, with ongoing review and analysis a necessary part of the monitoring work.
6. Multi-jurisdictional regulatory intelligence used to be accessible only to those with large budgets or specialist legal teams. This is changing, but the opportunity is conditional on the tool being built around the specific business, on human oversight and the ability to question, and the judgment and expertise to know when AI is wrong.


