{"slug": "ai-safety-policy-needs-to-train-legal-practitioners", "title": "AI Safety Policy Needs to train Legal Practitioners", "summary": "A legal professional recounts how law schools prioritize exam curricula over practical training, drawing parallels to AI safety policy implementation. The author argues that AI safety policy needs legal practitioners who are both technically literate and grounded in practice, warning that without such expertise, AI governance risks failure similar to GDPR's Data Protection Officer mandate.", "body_md": "I completed my law degree at a working-class London university. In my first year, I was 18 years old, and I was often the youngest person in the room: almost everyone else was a paralegal, clerk or caseworker with years of live files behind them, studying part-time to qualify for the job they pretty much already did.\n\nBut all four years, he same scene played out over and over:\n\nThe more it happened, the more I understood why people would tell me “nothing in practice happens how they teach it in school”.\n\nOne term, a practising barrister covered for a teacher. He was in court every morning, and teaching in the afternoons.\n\nThe first thing he did was telling us to get the practitioner’s handbook he used instead, and taught is using examples from his real cases.\n\nWhen the regular teacher returned, they were horrified. The barrister was reprimanded with a “none of that will be in the exam, and the students will be marked down if they don’t answer per the curriculum”.\n\nNobody said the barrister was wrong about anything he taught us: Even if, eventually, our manuals would be replaced by practice notes (written by people like him), “theory was theory and practice was practice”.\n\n**Little did I know, this was the first lesson about Policy I ever got.**\n\n**The implementation side needs people who are academically literate enough to read the research as it actually is, and close enough to practice to know where the gaps are and how people will exploit them.**\n\nThis requires roaming around rooms: the room where policymakers sit, the room where legal & best practice standards get written, and the room where people who are “in charge of implementing the law”, are **trained** on how to do so.\n\nPeople with legal backgrounds who are technically literate enough to follow AI Safety conversations, are already scarce. I am lucky to have met a few of those rare hybrids.\n\nAnd, almost unavoidably, they end up in the first or the second room.\n\nThat is not a bad thing: it just means not enough people are at the other side.\n\nThe side that’s currently “someone else’s problem” in the field.\n\nThe side with the people in charge of hearing cases about AI psychosis unaliving someone, approving mass deployments of AI Agents under the guise of “low risk” without understanding the technical implications, wearing the “AI Governance hat” in the market.\n\nIn case you’re not familiar with the [ General Data Protection Regulation](https://www.ibm.com/products/cloud/compliance/gdpr), it is that European law that almost every “Privacy Policy” quotes, regardless of where you are in the world.\n\nIts reach and impact (in terms of having influenced business operations across the globe, not only in Europe) is one of the typical examples you’ll hear about “[the Brussels effect](https://en.wikipedia.org/wiki/Brussels_effect)”.\n\nSomething interesting about this law is that it mandated the existence of the very function responsible for implementing it.\n\nWell, how do you make sure that companies follow the law? With enforcement actions, and by making Guidelines available to those who bother to read them.\n\nLuckily for us, with the GDPR, we thought about the problem of “what happens once I finished drafting the perfect law”.\n\nWe decided to create the “Data Protection Officer”: an individual with enough “professional qualities” to be able to make companies comply.\n\nArticles 37 to 39 mandated this role to report to the highest level of direction, to remain totally independent and without conflicts that would stop them from excercising their judgment.\n\nOn paper, this looks like a massive policy victory, right? We mandated the existence of the gatekeeper.\n\nAnd, while arguably it really was a great feat, it does not seem as straight-forward when we look at what practice returned.\n\nIn 2023, the European Data Protection Body (EDPB) ran a [coordinated enforcement action](https://www.edpb.europa.eu/our-work-tools/our-documents/other/coordinated-enforcement-action-designation-and-position-data_en) across 25 supervisory authorities, analysing more than 17,000 responses on the position of DPOs.\n\nSadly, the findings read like a checklist of everything Article 38 was supposed to prevent: insufficient resources, insufficient expert knowledge, DPOs not entrusted with the tasks the law assigns them, conflicts of interest, lack of independence, no reporting line to top management.\n\nNoyb’s [survey of more than 1,000 data protection professionals](https://noyb.eu/en/data-protection-day-74-insiders-see-relevant-violations-most-companies) found that\n\nAnd the enforcement side that was supposed to back these practitioners up? Not so great, either.\n\nNoyb’s [five-year review](https://noyb.eu/en/5-years-gdpr-national-authorities-let-down-european-legislator) of its own 800+ complaints found that 85.9% were undecided, with more than 58% waiting over eighteen months for an answer.\n\nPer FOI data released in January 2026, over six years the DPC levied roughly €4.04 billion in fines, of which €4.02 billion remained uncollected and **only about €20 million had been paid**…\n\nHow was this possible, when the policy-makers even thought about putting someone in the room to prevent this from happening?\n\nWhat if I told you that these same people are pretty much in charge of AI Risk in corporations?\n\nThe **IAPP’s **[ Privacy and AI Governance Report](https://iapp.org/resources/article/professionalizing-organizational-ai-governance-report-summary) shows AI governance is being built directly on top of privacy infrastructure: more than 50% of respondents designing AI governance approaches are building on top of privacy programs, and\n\nThis is not only the case in the EU:\n\nThe [ AI Governance in Practice Report 2025](https://captaincompliance.com/education/unveiling-the-future-of-ai-governance-a-deep-dive-into-the-iapp-report/), drawing on North American and European firms alike (Mastercard, TELUS, BCG, Kroll, IBM, Randstad, Cohere), found that when it broke down where AI governance sits organizationally, privacy and legal each hold 22% of the seats, IT 17%, data 10%, ethics 6%, and security 5%, and crucially that privacy ownership yields 67% EU AI Act confidence versus IT's 36%, and ethics 74%.\n\nAnd another thing: the “[AI Governance Practitioner Certification](https://iapp.org/certify/aigp)” that the International Association of Privacy Professionals offers, is one of the best-known “AI Governance Certifications”. This is the path that a large majority of people in Data Protection go through when they realise they have to “upskil in AI”.\n\nAs someone who’s been there: personally, I am scared of having the majority of the people on the other side, the legal implementation side, the “what happens after we pass the perfect law and companies just “have to comply” side… pretty much unaware of AI Safety fundamentals.\n\nBut if pretty much anyone engaging with AI Safety, with a legal background, gets pushed towards the first pillar (Traditional Policy and Policy Research), who’ll be left to hold the fort and train the other?\n\nAs critical as I am of my own, I need to say that GCs, Privacy & Compliance, DPOs and the current “AI Governance” frontline in corporate, tend to bring a lot of valuable experience and fresh data to the table.\n\nIf your job is to anticipate non-compliance, you need people who have watched non-compliance being manufactured from the inside.\n\nAnd if you are the person who needs to help someone seek justice from AI-enabled harms, I’d hope you’re both experienced in legal action *and *aware of the technical concepts that influenced the behaviour that led to the harm.\n\nThat’s why I also do not believe that the answer to this is just “recruit people from universities that are mission aligned to implement the law in companies”: Practice takes… practice.\n\nAnd, if we really anticipate timelines to be short, I think training the people who are already fluent in implementation to understand AI Safety, is worthwhile.\n\nI know that it’s important that mission-aligned people dedicate themselves to policy activism and policy for stronger AI regulation. I 100% support this.\n\nBut we already have a lot of tech law that is poorly implemented- being used as the “starting point” for the implementation of new one.\n\nFrom practice (mine and that of others tremendously more experience), I believe that **not training the people whose jobs will be to implement it** on how to do so, is a big cause of that.\n\nSometimes, it starts will [inviting such people](https://www.linkedin.com/posts/katalina-hernandez_the-ai-safety-law-a-thon-concluded-on-sunday-ugcPost-7388718169336569857-KI1C/?utm_source=share&utm_medium=member_desktop&rcm=ACoAACgoHkEBletCZ8ci-Tjr-IUV-z0LkavBgBs) in!\n\nI know it’s challenging, but this field is young enough to choose differently, and there are some easy enough ways to start doing this.\n\nPart of my contribution to this was organising trainings on AI Safety basics for highly motivated, corporate AI Governance professionals on AI Safety.\n\nI am now assisting [ML4Good](https://www.ml4good.org), with the first iteration of [ The European Seminar on Frontier AI and Law.](https://frontier-ai-law.org/) The idea is to bring the people who are in practice, lawyers, DPOs, compliance officers, privacy teams, in-house counsel, product counsel, GCs, into contact with AI safety fundamentals, adapted to the concepts they already use so that the knowledge is consolidated.\n\nTo readers who happen to know anyone that may be a good fit: Feel free to invite them.\n\nTo organisations running programs (fellowships or trainings) specifically aimed at bringing more people into policy: **help me make sure that both sides talk.**\n\n*Disclosure: I am Head of Legal at **EquiStamp**, an AI safety evaluations company. This post reflects *** my personal opinion*** only.*", "url": "https://wpnews.pro/news/ai-safety-policy-needs-to-train-legal-practitioners", "canonical_source": "https://www.lesswrong.com/posts/MaXtWhyArguty23Mi/ai-safety-policy-needs-to-train-legal-practitioners", "published_at": "2026-07-10 00:13:05+00:00", "updated_at": "2026-07-10 00:46:24.417110+00:00", "lang": "en", "topics": ["ai-safety", "ai-policy", "ai-ethics"], "entities": ["European Data Protection Board", "General Data Protection Regulation"], "alternates": {"html": "https://wpnews.pro/news/ai-safety-policy-needs-to-train-legal-practitioners", "markdown": "https://wpnews.pro/news/ai-safety-policy-needs-to-train-legal-practitioners.md", "text": "https://wpnews.pro/news/ai-safety-policy-needs-to-train-legal-practitioners.txt", "jsonld": "https://wpnews.pro/news/ai-safety-policy-needs-to-train-legal-practitioners.jsonld"}}