I completed my law degree at a working-class London university. In my first year, I was 18 years old, and I was often the youngest person in the room: almost everyone else was a paralegal, clerk or caseworker with years of live files behind them, studying part-time to qualify for the job they pretty much already did.
But all four years, he same scene played out over and over:
The more it happened, the more I understood why people would tell me “nothing in practice happens how they teach it in school”.
One term, a practising barrister covered for a teacher. He was in court every morning, and teaching in the afternoons.
The first thing he did was telling us to get the practitioner’s handbook he used instead, and taught is using examples from his real cases.
When the regular teacher returned, they were horrified. The barrister was reprimanded with a “none of that will be in the exam, and the students will be marked down if they don’t answer per the curriculum”.
Nobody said the barrister was wrong about anything he taught us: Even if, eventually, our manuals would be replaced by practice notes (written by people like him), “theory was theory and practice was practice”.
Little did I know, this was the first lesson about Policy I ever got.
The implementation side needs people who are academically literate enough to read the research as it actually is, and close enough to practice to know where the gaps are and how people will exploit them.
This requires roaming around rooms: the room where policymakers sit, the room where legal & best practice standards get written, and the room where people who are “in charge of implementing the law”, are trained on how to do so.
People with legal backgrounds who are technically literate enough to follow AI Safety conversations, are already scarce. I am lucky to have met a few of those rare hybrids.
And, almost unavoidably, they end up in the first or the second room.
That is not a bad thing: it just means not enough people are at the other side.
The side that’s currently “someone else’s problem” in the field.
The side with the people in charge of hearing cases about AI psychosis unaliving someone, approving mass deployments of AI Agents under the guise of “low risk” without understanding the technical implications, wearing the “AI Governance hat” in the market.
In case you’re not familiar with the General Data Protection Regulation, it is that European law that almost every “Privacy Policy” quotes, regardless of where you are in the world.
Its reach and impact (in terms of having influenced business operations across the globe, not only in Europe) is one of the typical examples you’ll hear about “the Brussels effect”.
Something interesting about this law is that it mandated the existence of the very function responsible for implementing it.
Well, how do you make sure that companies follow the law? With enforcement actions, and by making Guidelines available to those who bother to read them.
Luckily for us, with the GDPR, we thought about the problem of “what happens once I finished drafting the perfect law”.
We decided to create the “Data Protection Officer”: an individual with enough “professional qualities” to be able to make companies comply.
Articles 37 to 39 mandated this role to report to the highest level of direction, to remain totally independent and without conflicts that would stop them from excercising their judgment.
On paper, this looks like a massive policy victory, right? We mandated the existence of the gatekeeper.
And, while arguably it really was a great feat, it does not seem as straight-forward when we look at what practice returned.
In 2023, the European Data Protection Body (EDPB) ran a coordinated enforcement action across 25 supervisory authorities, analysing more than 17,000 responses on the position of DPOs.
Sadly, the findings read like a checklist of everything Article 38 was supposed to prevent: insufficient resources, insufficient expert knowledge, DPOs not entrusted with the tasks the law assigns them, conflicts of interest, lack of independence, no reporting line to top management.
Noyb’s survey of more than 1,000 data protection professionals found that And the enforcement side that was supposed to back these practitioners up? Not so great, either.
Noyb’s five-year review of its own 800+ complaints found that 85.9% were undecided, with more than 58% waiting over eighteen months for an answer.
Per FOI data released in January 2026, over six years the DPC levied roughly €4.04 billion in fines, of which €4.02 billion remained uncollected and only about €20 million had been paid…
How was this possible, when the policy-makers even thought about putting someone in the room to prevent this from happening?
What if I told you that these same people are pretty much in charge of AI Risk in corporations?
The **IAPP’s ** Privacy and AI Governance Report shows AI governance is being built directly on top of privacy infrastructure: more than 50% of respondents designing AI governance approaches are building on top of privacy programs, and
This is not only the case in the EU:
The AI Governance in Practice Report 2025, drawing on North American and European firms alike (Mastercard, TELUS, BCG, Kroll, IBM, Randstad, Cohere), found that when it broke down where AI governance sits organizationally, privacy and legal each hold 22% of the seats, IT 17%, data 10%, ethics 6%, and security 5%, and crucially that privacy ownership yields 67% EU AI Act confidence versus IT's 36%, and ethics 74%.
And another thing: the “AI Governance Practitioner Certification” that the International Association of Privacy Professionals offers, is one of the best-known “AI Governance Certifications”. This is the path that a large majority of people in Data Protection go through when they realise they have to “upskil in AI”.
As someone who’s been there: personally, I am scared of having the majority of the people on the other side, the legal implementation side, the “what happens after we pass the perfect law and companies just “have to comply” side… pretty much unaware of AI Safety fundamentals.
But if pretty much anyone engaging with AI Safety, with a legal background, gets pushed towards the first pillar (Traditional Policy and Policy Research), who’ll be left to hold the fort and train the other?
As critical as I am of my own, I need to say that GCs, Privacy & Compliance, DPOs and the current “AI Governance” frontline in corporate, tend to bring a lot of valuable experience and fresh data to the table.
If your job is to anticipate non-compliance, you need people who have watched non-compliance being manufactured from the inside. And if you are the person who needs to help someone seek justice from AI-enabled harms, I’d hope you’re both experienced in legal action *and *aware of the technical concepts that influenced the behaviour that led to the harm.
That’s why I also do not believe that the answer to this is just “recruit people from universities that are mission aligned to implement the law in companies”: Practice takes… practice.
And, if we really anticipate timelines to be short, I think training the people who are already fluent in implementation to understand AI Safety, is worthwhile.
I know that it’s important that mission-aligned people dedicate themselves to policy activism and policy for stronger AI regulation. I 100% support this.
But we already have a lot of tech law that is poorly implemented- being used as the “starting point” for the implementation of new one.
From practice (mine and that of others tremendously more experience), I believe that not training the people whose jobs will be to implement it on how to do so, is a big cause of that. Sometimes, it starts will inviting such people in!
I know it’s challenging, but this field is young enough to choose differently, and there are some easy enough ways to start doing this.
Part of my contribution to this was organising trainings on AI Safety basics for highly motivated, corporate AI Governance professionals on AI Safety.
I am now assisting ML4Good, with the first iteration of The European Seminar on Frontier AI and Law. The idea is to bring the people who are in practice, lawyers, DPOs, compliance officers, privacy teams, in-house counsel, product counsel, GCs, into contact with AI safety fundamentals, adapted to the concepts they already use so that the knowledge is consolidated.
To readers who happen to know anyone that may be a good fit: Feel free to invite them.
To organisations running programs (fellowships or trainings) specifically aimed at bringing more people into policy: help me make sure that both sides talk.
Disclosure: I am Head of Legal at EquiStamp, an AI safety evaluations company. This post reflects *** my personal opinion** only.*