Share with your CISO
Duane Morris attorneys argue that AI compliance programs fail not because companies miss individual rules, but because they lack a stable analytical structure to absorb new ones as they arrive. Their four-dimensional framework maps obligations along jurisdiction, industry, pipeline role (data owner, model developer, deployer, or end user), and risk category (bias, privacy, IP infringement, opacity, inaccuracy, deception, and complacency). California’s roughly 30 AI statutes effective since 2025 serve as the test case, and model deployers carry the largest share of those obligations, even for systems they didn’t build.
What this means for your business
The companies most exposed here aren’t necessarily the ones building AI models. They’re the ones deploying them into workflows, products, and customer-facing systems while assuming the vendor absorbed the compliance burden upstream. California’s framework makes that assumption legally untenable, and because California’s model tends to travel, deployers who treat AI governance as a procurement checkbox rather than a structural program are accumulating quiet liability. If your organization uses AI at any significant scale, the question isn’t whether obligations apply but which ones and to which internal function.
The framework’s most useful analytical move is separating risk categories that attract litigation (deception, privacy, IP) from the ones that don’t show up until enforcement or discovery (opacity, bias, complacency). Compliance programs naturally invest where the legal pressure is loudest, which means opacity and complacency, the systemic risks that compound silently across millions of AI decisions, tend to be underfunded until something goes wrong at scale. The authors, writing from a law firm that advises on exactly this exposure, have an obvious incentive to widen the compliance perimeter, but the underlying observation about asymmetric investment holds regardless of that tilt.
The falsification condition for this framework is federal preemption. If Congress passes a uniform AI statute that overrides state-by-state variation, much of the jurisdictional complexity the framework is designed to absorb disappears, and a simpler single-regulator model becomes more practical. Until that happens, and current legislative momentum suggests it won’t happen quickly, organizations building against the four dimensions described here are better positioned than those waiting for a settled federal standard that may not arrive before the next enforcement action does.
Concept deep-dive: AI pipeline roles
The AI pipeline describes the chain of actors who touch a system from training data through deployed output. Think of it like a supply chain: a manufacturer (model developer) builds from raw materials (training data owned by someone else), a retailer (deployer) puts the product in front of customers, and the customer (end user) operates it in the real world. Each hand-off transfers some risk but doesn’t erase the previous actor’s liability, which is why compliance obligations stack rather than substitute across roles.
Based on reporting from Duane Morris LLP – Companies Can Tackle AI Compliance by Using Multipart Framework, originally published 2026-06-18 03:00:00.

