Compliance with safety regulations is the floor for enterprises, says Scott DeBow of Avetta. A strong safety culture is the ceiling, which is reached by creating processes to constantly evaluate and promote workers’ well-being on the job.

Shifting federal policies, evolving state laws and expanding international requirements, all unfolding among other constraints, are creating uncertainty around the future of workplace safety regulation. Changing levels of enforcement of existing regulations, as well as proposals for new legislation, are creating additional uncertainty for organizations to navigate. In July 2025 alone, OSHA issued more than two dozen proposed rules along with one final rule-taking action, underscoring both the pace of regulatory activity and the challenge organizations face in keeping up with rapid operational, technological and workforce change.

The year ahead is poised to bring further shifts on the health and safety front. Some states are starting to decline adjusting informal citations, instead forcing every citation to be contested in court. At the same time, in federal OSHA states, legislatures are enacting regulations through various state agencies and expecting them to be enforced at the state level.

For global organizations, compliance has evolved from a clearly defined set of standards into an ever-expanding web of additional corporate policies overlapping with federal, state and international frameworks. This increasing “defensive posture” directly impacts workforce availability, productivity, vendor relationships and even the ability to operate or expand in certain markets. This begs the question: Is more policy and regulation actually what’s needed? As we evaluate what’s moving the needle in safety performance, we’re seeing how closely related downstream safety outcomes are to upstream business strategy that decisively leverages improving systems capability, prevention and mitigation as an intentional method of leadership.  

This sobering reality reveals the need for baseline fundamentals, which regulations establish and support, while realizing their limitations in terms of the performance and outcomes business leaders and industry expect.

Leveling up our perspective on regulations

There’s a noticeable movement by business leaders to recognize the difference between managing risk only to the level of compliance versus viewing compliance as a foundation to launch performance improvement. 

Before understanding basic elements of a safety management system, it’s important to recognize safety leadership. Anyone who is in a position to advocate for, improve and advance the creation of safety on the behalf of another person is a safety leader. This is an important aspect for business leaders to embrace, as it elevates their views and value from a reactive, compliance-based level of maturity toward one that is proactive. 

This is where we see leading organizations make a noticeable shift from, “What are the workers doing to avoid a regulatory violation or safety incident?” to “What are we doing together to ensure success?” Think of a football coach talking to the kicker moments before a potential game winning field goal. Should the leader in that moment say, “Don’t screw this up for me” or “I believe in you. This is what we’ve worked on together. You can make this happen.” Safety leadership matters greatly, and as Thomas Krause and Kristen Bell notes in their book, “7 Insights into Safety Leadership,” safety leadership sets improvement in motion across the entire organization. 

Ultimately, organizations are realizing the best line of defense is to strengthen their posture of offense when it comes to identifying, prioritizing and reducing serious incident and fatality (SIF) risk and realizing the methodology and system implementation for success in these areas requires a maturing culture that goes beyond compliance.

A safety program beyond reactive compliance

Because regulations often lag behind the realities of the current workplace, one of the best ways to stay ahead is to build a safety program that extends beyond current policy requirements. Rather than reacting to rules as they’re issued, organizations should build a robust safety program that anticipates and manages risk as it evolves.

One of the practical starting points I’ve found helpful for leaders is to begin incorporating three simple but core questions that get to the heart of what they really need to know.

First, is work happening the way we think it is?

This question helps uncover gaps between planned procedures and on-the-ground conditions, challenging assumptions. It also helps encourage deeper engagement with frontline teams and fosters more accurate situational awareness. It zeroes in on the current challenge: the assumption that because you have a written program and are compliant with regulations, work is happening as stipulated per corporate or regulatory policy. You must ask this question and be prepared to engage in basic discovery.

Second, what tells us that risk is at an acceptable level?

The absence of incidents alone is no longer a reliable indicator of safety. Following up on question No. 1, safety leaders must intentionally set out to discover when and where work goes from normal to abnormal, while recognizing that when this change occurs the presence of SIF risk multiplies. Leader-and-worker engagement through a dedicated SIF risk assessment process drives prevention, alongside tuning the organization to know what they really want to know: Where does work exceed our risk tolerance through unacceptable risk?

Third, how are we improving?

Safety leadership drives an intentional commitment to improvement and supports the application of lessons learned from leader-worker engagement and ongoing discovery. Safety improvements alongside adjacent business benefits surface new opportunities and strengthen momentum. Organizations must be able to answer the question, “Are we good or are we lucky?” Knowing where unacceptable risk surfaces — per question No. 2 — enables leaders to better answer this, while directly addressing the myth that a low incident frequency rate equates to acceptable levels of risk. This must be based on an intentional system of monitoring and assessing risk.

Together, the answers to these three questions point to a structured, repeatable approach to safety management that emphasizes planning, action, reflection and improvement.

Compliance

Measles Is on the Rise. Have You Reviewed Your Vaccine Policies Since Covid?

by Shardé Skahan, Dawn Solowey, Mackenzie Mullin and Melissa Ortega

March 23, 2026

14 new outbreaks reported so far in 2026

Read moreDetails

Plan-do-check-act (PDCA)

It’s been said that without planning, nothing happens on purpose. Not risk assessment. Not worker feedback. Not contractor evaluation and follow up. And certainly not organizational learning. The PDCA system is a model of continual improvement, serving as a bridge from basic due diligence and regulatory compliance to a systematic approach for organizational engagement. The PDCA is also strongly referenced in regions like the UK and Australia. It helps teams establish a simple method (plan) to move from required, basic regulatory initiatives into a proactive practice for monitoring and observing risk (do), verifying its effectiveness (check) and learning from the process and incorporating improvement (act). The process is cyclical and repeatable on a macro and micro scale, across organizations and within specific sites, teams and activities.  

Applying the PDCA framework is especially important in today’s modern workforce, where labor strategy increasingly depends on third parties, such as contractors, subcontractors and temporary workers. Across multiple management systems, the PDCA process integrates a complex environment into a dynamic focus on safety. In the face of regulatory uncertainty, this model is a proven and important step toward elevating expectations, improving performance, ensuring an organization is ready to work and creating resilience for safety programs.

Resilience beyond the checklist

I think of what it would be like to compete in a Formula 1 (F1) race against modern F1 cars and technology, but I’m strapped into a racecar from 1971. I simply wouldn’t be able to compete, and, in fact, could endanger those around me as I would lack modern safety features and controls. Yet, this is exactly how so many organizations are operating — locked into a compliance-based mindset and approach from the 1970s. I should point out, however, the enormous positive impact these regulations have had over the past more than 50 years. That said, we’ve reached an observable limit to what compliance can achieve. Regulatory compliance must now serve as the launch pad toward system management. 

Anyone who can advocate for, improve and advance the creation of safety on the behalf of another person is a safety leader. That’s all of us: procurement, risk management, human resources, operations, finance, engineering, IT and product development. It doesn’t require a title. It simply demands a commitment to drive meaningful change and safety for the benefit of those closest to the risk: the workers.

Safety leadership drives the difference for organizations, even within an uncertain regulatory environment. Leading with intention, committing to continuous improvement and building systems that monitor and assess risk beyond compliance serve as the pathway to resilience. 

The post Building a Safety Culture Means Going Beyond Compliance appeared first on Corporate Compliance Insights.

Chairman Paul Atkins signaled that the SEC is on the verge of changing disclosure rules and liability shields for securities issuers. Lauren A. Ormsbee, Jesse L. Jensen and Jessica N. Goudreault of Labaton Keller Sucharow argue that if the SEC changes the rules, it must balance streamlining disclosures and protecting investors.

In his first year as the 34th chairman of the SEC, Paul Atkins has focused on a primary goal: “Make IPOs Great Again” by encouraging companies to enter the public capital markets. As Atkins has suggested, the first pillar of this project involves simplifying and “scaling” the SEC’s mandatory disclosure requirements contained within Regulation S-K, a set of rules prescribing required content in non-financial statements, periodic reports and other filings made by public companies. In January, Atkins invited the public to provide views on amending Regulation S-K to avoid disclosure of immaterial information. The SEC appears ready to act after the closure of a general comment period, which was expected to end in mid-April. Atkins instructed the SEC’s Division of Corporation Finance to engage in a comprehensive review of Regulation S-K, and recent reporting reveals that the SEC is hiring additional staff to effectuate and implement the new rules.

The SEC should take care to ensure that any new rules are carefully considered and tailored in a manner consistent with the SEC’s ultimate objective, articulated by the SEC’s third chairman, William O. Douglas, in 1937: “We have got brokers’ advocates; we have got exchange advocates; we have got investment banker advocates; and we are the investors’ advocate,” Douglas told a group of Washington, D.C., reporters at his first press conference, according to the New York Times.

The evolution of Regulation S-K risk disclosures

In 1964, the SEC first published guidance that advised offerors of “speculative” securities to include in their prospectuses “a carefully organized series of short, concise paragraphs summarizing the principal factors which make the offering speculative.” In 1982, the SEC formalized this guidance as a regulatory requirement for all offerings in Item 503 of Regulation S‑K.

In 2005, when Atkins was one of five SEC commissioners, the SEC amended Regulation S-K to expand mandated risk-factor disclosures, including obligating their inclusion in annual and quarterly reports required to be filed by public companies. Risk-factor statements are now governed by Item 105 of Regulation S-K, which directs issuers to provide “a discussion of the material factors that make an investment in the registrant or offering speculative or risky” in a plain-English presentation that facially discourages the “presentation of risks that could apply generically to any registrant or any offering.”

Another 20 years on, now-Chairman Atkins has expressed a desire to amend these rules yet again, by contracting those required risk disclosures that he helped implement. In public remarks in February, Atkins said he believed risk-factor disclosures should contain a “concise discussion” of “what keeps management up at night” and indicated his belief that the 2005 changes had contributed to overly voluminous disclosures. Atkins also floated during his comments two potential changes to address these issues, though neither Atkins nor the SEC has yet posted any formal rule changes

First, he raised the “novel idea” that “an entity — perhaps the SEC or the company itself” — could create a separately published set of risks that broadly apply to most companies across most industries and that would “serve as a form of ‘general terms and conditions’ associated with any investment in securities.” Second, he suggested the creation of a safe harbor from liability through “a rule stating that failure to disclose impacts from publicized events that are reasonably likely to affect most companies will not constitute material omissions for purposes of some or all of the federal securities laws’ anti-fraud rules.”

When would general terms and conditions require additional, company-specific disclosures?

First, Atkins mused in his February public remarks that the SEC could draft a “set of risks, which could be published separately outside of the annual report, that broadly apply to most companies across most industries.” This would function as a form of “general terms and conditions” associated with any investment in securities, with the goal of shortening and streamlining the length of the risk disclosures section. However, Atkins shed no light on what constitutes risks that “broadly apply to most companies across most regions,” and did not provide any guidance as to the extent of a company’s disclosure obligation when a broadly applicable risk is likely to impact a company in a unique or imminent manner. These vagaries invite confusion.

Any attempt to separately define broad risks may not, in practice, change companies’ desire to include an exhaustive list of risk-factor disclosures. This may be because detailed risk-factor disclosures are often relied on by issuers in their defense of securities fraud claims. As a result, companies may fear that any paring back of risk-factor disclosures in their SEC filings could deprive them from asserting that defense in court. It is noteworthy that, for these sorts of reasons, most companies have continued to provide extensive risk disclosures even after a 2020 amendment to Regulation S-K attempted to lessen general disclosure requirements.

Compliance

A Busy Month at the SEC: What Compliance Teams Need to Do Now

by Jennifer L. Gaskin

March 25, 2026

Read moreDetails

Do issuers and executives need an additional safe harbor from liability?

Second, Atkins’ remarks also speculated on a new safe harbor that would foreclose liability for issuers, executives and related parties from “fail[ing] to disclose impacts from publicized events that are reasonably likely to affect most companies” in their risk disclosures, through a determination by the SEC that such a failure “will not constitute material omissions for purposes of some or all of the federal securities laws’ anti-fraud rules.” This proposal raises several red flags for investors.

At the outset, extending any additional safe harbors from liability by design encourages companies to withhold increasingly more information from investors. Thus, any new safe-harbor rule would need a robust justification showing it is, as US law mandates, “necessary or appropriate in the public interest or for the protection of investors,” a standard that seems to be lacking at present, particularly given the securities laws already afford issuers many defenses. Those include an existing safe harbor from liability in connection with forward-looking statements, so long as a statement is “identified and accompanied by meaningful cautionary language” as the Second Circuit Court of Appeals found in 2016.

Further, as commentators have noted, Atkins “sketched only the broad contours of a potential safe harbor, leaving open critical questions about its boundaries, operational details, and specific protections for issuers.” Atkins provided no clarity on what a publicized event is or what set of issuers most companies encompasses. Is a publicized event any macro-level, broadly known event that affects most or all public companies in some manner, such as data security breaches, Covid-19, major weather events, trade wars or global financial crises? If so, when, if at all, does a company have a duty to disclose how a broadly applicable risk poses a non-typical risk to a company? Any new safe-harbor rule must provide answers to these questions to avoid both issuer and investor confusion.

Finally, a serious cause for concern is the fact that Atkins’ contemplated new safe harbor turns the established disclosure framework in securities law on its head by focusing on materiality from an issuer’s viewpoint and not a reasonable investor’s viewpoint. Fifty years ago, the Supreme Court ruled that an omitted fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote. Atkins has left the reasonable shareholder out of his public comments on this issue, focusing instead on what “keeps management up at night.” Any rule that tests materiality through the lens of the issuer rather than a reasonable investor would present a major shift in the securities space and would no doubt cause rather than curb new litigation.

Public and private actions could be curtailed

Broadly phrased amendments and new rules pose serious threats to the integrity of the capital markets and public and private enforcement of the securities laws if they are unnecessary or not in the investing public’s best interests. A look at one of the most notable securities cases in the past decade reveals how a new rule could harm investors. 

In 2017 and for years thereafter, Facebook (now Meta) contained risk-factor disclosures in its SEC filings such as “security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business.” Both regulatory and private enforcement actions ensued following the revelation of Cambridge Analytica’s misuse of Facebook users’ data. In sustaining the sufficiency of the complaint in the private securities class action, the Ninth Circuit Court of Appeals held that the complaint adequately alleged that Facebook misleadingly suggested that this risk was merely hypothetical when, in reality, Cambridge Analytica had already misused user data. Revelation of the truth led to substantial adverse impacts to the company, including a significant drop in Facebook’s stock price. In connection with the same misstatement and underlying conduct, in 2019, Facebook settled with the SEC for $100 million and the Federal Trade Commission imposed a $5 billion penalty on Facebook.

Considered in light of this example, Atkins’ proposals raise important questions: Would these same risk-factor disclosures made by Facebook be classified as a broadly applicable risk for which Facebook had no reporting obligation, and would Facebook and its executives have broad immunity for their failure to identify this risk in their filings under a new safe harbor? If so, would that result protect investors or just protect issuers?

The post SEC Risk-Disclosure Rule Changes Seem Certain & Are Certainly Troubling appeared first on Corporate Compliance Insights.

Data is one of an organization’s most valuable assets, yet it is one of its most vulnerable, and AI is introducing more risk. One principle remains clear, Greg Campanella and Ken Feinstein of consultancy J.S. Held say: Data authenticity and integrity are foundational for AI deployment and long-term value. 

Structured data has become highly valued in the digital world, and accordingly, the risk of data manipulation and related fraud has increased. AI has enabled threat actors like terrorist groups and cybercriminals to create deepfakes and more easily gain access to environments that hold sensitive personal information. While methods existed to make fake data appear authentic before the advent of AI, new technologies have made it harder to distinguish between real and deceptive data.

Business email scams, BYOD (bring your own device) policies and falsified electronic documents, for example, are big risks to businesses. The consequences of data integrity failures can be severe: costly investigations, litigation, reputational damage and operational disruptions.

Compliance challenges in a fragmented regulatory landscape

GDPR must be considered by all organizations that do business in Europe. Since its implementation in 2018, the primary goal of the GDPR has been to protect the personal data and privacy of individuals within the European Union.

However, the European Commission (EC) recently voted favorably on a digital omnibus that would streamline rules on AI, cybersecurity and data. The package rewrites EU privacy laws and simplifies compliance, which will lower administrative costs. Companies will save an estimated €5 billion, nearly $6 billion, by 2029, according to projections. While details surrounding rules and timelines are still being fleshed out, most provisions are due to take effect by early August.

For the GDPR, the EC says the omnibus package proposes to modernize cookie rules. It also aims to simplify certain obligations for businesses and organizations “by clarifying when they must conduct data protection impact assessments and when and how to notify data breaches to supervisory authorities.”

Ensuring data is encrypted and secure is critical, but companies should note GDPR enforcement varies across countries and should develop data policies based on local and regional laws.

Furthermore, the EC is proposing amendments to the EU’s AI Act. Those amendments will include simplified technical documentation requirements for small and medium-sized enterprises. A proposed amendment would also ease compliance measures, allowing innovators to use regulatory sandboxes. The EC also notes that the omnibus package will introduce “a single-entry point where companies can meet all incident-reporting obligations.” Currently, companies must report cybersecurity incidents under several laws.

In contrast, the US has not enacted a comprehensive federal data privacy law. Instead, state-level and sector-specific laws on the federal level.

However, the Trump Administration is moving to block the patchwork of state laws regulating AI. In late 2025, the administration announced an executive order that directs the US attorney general to establish an AI litigation task force to challenge state AI laws that it deems harmful to innovation and create costly compliance requirements. The order specifically calls out Colorado’s law, highlighting its prohibition on “‘algorithmic discrimination’” as an example of harmful state overreach, arguing that such provisions compel companies to embed ideological bias and generate false results. California will arguably feel the greatest impact of the order, as it is home to 33 of the world’s highest-grossing privately held AI companies and has enacted more AI laws than any other state. The order targets California laws that require creators of AI to offer tools to help users identify AI-generated content and mandate high-level transparency regarding the data used to train models. 

As AI plays a growing role in data storage and management, the US Cybersecurity and Infrastructure Security Agency (CISA) issued guidance that recommends sourcing data from trusted providers, tracking its provenance, maintaining logs of origin and system flow and using cryptographically signed provenance databases and digital signatures to ensure integrity and prevent tampering.

Compliance

The EU AI Act’s ‘Wait and See’ Window Is Closing

by Naomi Grossman

April 6, 2026

AI literacy has survived attempts to water it down and remains a direct organizational obligation — not a policy aspiration

Read moreDetails

AI inaccuracies, corporate liability & why governance matters

Within this fragmented regulatory environment, the risks of improper AI use are far from theoretical. Consider a Canadian case in which a passenger used a chatbot on an airline’s website and received inaccurate information about pricing. In court, the airline contended that it bore no responsibility for information provided by its chatbot. The tribunal ordered the airline to issue a refund to the passenger.

This case underscores that AI‑enabled interactions are increasingly treated as formal corporate communications, creating exposure when automated outputs diverge from policies. These developments are prompting a closer internal focus on oversight, documentation and cross‑functional coordination, particularly as compliance teams evaluate the reliability of AI‑generated content and its implications across customer engagement, investigations and disputes.

Given these risks, authenticating electronically stored and transmitted information is crucial, particularly for companies with cross-border operations, complex supply chains or significant financial exposure. To mitigate these risks, companies can establish robust internal governance policies, implement proactive privacy and security protocols and ensure employees are aware of emerging threats and historical methods of information manipulation.

Protecting IP through AI governance

Data is often the most fundamental component of AI performance, offering unique opportunities for asset recognition, protection, valuation and monetization. This is especially relevant, given that data integrity directly supports the value of a company’s IP. For compliance teams and their outside counsel, the IP dimension of data handling and AI governance carries meaningful regulatory, contractual and litigation risk.

Weak provenance controls, unclear licensing rights and undocumented data flows can undermine internal controls, complicate regulatory responses and create issues in transactions and investigations where organizations must demonstrate that sensitive or proprietary data was collected, used and safeguarded appropriately. This includes ensuring that cross‑border data‑use and licensing agreements clearly define and restrict the use of proprietary or third‑party datasets in AI development, as improper use can trigger contractual violations and expose trade‑secret vulnerabilities. The data and computational resources that enable AI model training can themselves constitute protectable trade secrets, and the algorithms used for learning, prediction and generation may also be protected through trade secret, copyright or patent regimes. Because information used to train large language models loses confidentiality and exclusivity once processed, these risks extend to downstream enforcement and licensing. Strict access controls are therefore essential when handling finite or one‑time‑use data.

Proprietary data requires robust protection beyond watermarking for tracking purposes, starting with a clear understanding of the data room and continuous monitoring of when and how data exits that controlled environment. Emerging solutions include secure user-controlled environments that enable data owners to share and license access without transferring or duplicating the underlying asset. These environments enable third parties to perform analysis, validation or model training within a contained framework, preserving confidentiality and ensuring compliance with use and licensing terms.

This is especially critical during high-stakes transactions such as M&A, where sensitive data must be validated without direct exposure. In these scenarios, third-party validators can conduct due diligence within secure environments, maintaining data integrity while facilitating commercial engagement. By combining traceability, containment and controlled access, companies can protect proprietary data while unlocking its full economic potential.

Ultimately, companies that aim to derive value from their data assets must first understand what data they hold, how it is accessed and the obligations or restrictions attached to it, particularly where data‑use rights and licensing terms create compliance exposure. To balance opportunity with risk, companies must rely on secure environments that support data protection and controlled licensing.

Strengthening data authentication in the AI age

As AI reshapes how information is created and shared, the ability to verify data authenticity has become a cornerstone of reliance and compliance. Digital forensics plays a critical role in litigation, regulatory investigations and corporate transactions.

With AI tools creating digital images, documents and, in some instances, hallucinations, it is critical for those seeking to collect, evaluate and present data as evidence in litigation to authenticate the origin of the data they rely on. For compliance teams, the ability to authenticate data is increasingly tied to regulatory expectations, influencing how organizations document controls, substantiate reporting and demonstrate adherence to privacy and security requirements. Moreover, as AI-generated materials become harder to distinguish from authentic data, ensuring that systems handling sensitive information follow defensible, auditable procedures is becoming a core compliance concern.

Forensic computer images, for example, use hash verification to ensure that the information captured is not altered after imaging. The evolution of AI, resulting in more realistic documents and images, has outpaced early AI-generated content-detection tools. Organizations must therefore adopt a layered approach to authentication, combining forensic validation with corroboration from independent sources and third-party attestations. This is particularly vital during M&As, where companies inherit not only data but also governance frameworks or gaps. Assessing inherited privacy, security and compliance structures, eliminating redundancies, and aligning practices with global standards are critical steps to mitigate risk.

This material was adapted with permission from an article first published by J.S. Held.

The post Data Authenticity & Accountability Crucial in the AI Age appeared first on Corporate Compliance Insights.

Without a single federal standard governing what harmful use of AI looks like, courts are continuing to take up AI-related cases, establishing in real-time the bounds of AI liability. As Elizabeth A. Och of Hogan Lovells writes, two likely upshots are increased fragmentation and inconsistent approaches across jurisdictions.

Hardly a day passes without a headline about a new lawsuit tied to an AI chatbot or other AI-enabled system. In the absence of comprehensive federal legislation and a corresponding private right of action for AI harms, plaintiffs are increasingly turning to common-law tort theories to frame these claims. Negligence has emerged as an attractive vehicle for plaintiffs. It is flexible, broadly available, familiar to courts and can be asserted in virtually any court and adapted to a wide range of factual scenarios.

These cases are rarely “about” AI in the abstract. Instead, they focus on human judgment: how AI systems were designed, selected, governed, deployed, monitored and constrained, or in some cases, how they were not. As AI models grow more sophisticated and agentic systems move from experimental deployments into everyday use, negligence claims are likely to become more frequent and more consequential.

At the same time, courts move slowly. Cases are often resolved years after the events in question, during which the underlying technology and industry practices will evolve. Courts will be asked to assess what was “reasonable” or “foreseeable” at a particular moment in time, using doctrines developed for more stable technologies. Whether courts can adapt traditional negligence principles to this rapidly changing landscape — and do so consistently — will shape the contours of AI liability in the years ahead.

Who can be sued and for what duty?

Negligence claims can target human or corporate actors across the AI lifecycle. Plaintiffs may name developers, model providers, integrators, deployers, platforms or even end users, particularly in high‑stakes professional or commercial settings. Importantly, plaintiffs are not required to identify a single “responsible” actor at the outset. Instead, they can sue broadly and allow discovery to reveal where decision‑making authority and risk control resided.

Early complaints reflect an expansive view of potential duties. Plaintiffs may allege that a defendant (depending on its position in the AI lifecycle) had obligations to design and train systems responsibly; to use appropriate and representative data; to anticipate foreseeable misuse; to warn of known or reasonably knowable limitations; to implement safeguards against risks; to ensure meaningful human oversight; to conduct use-case-specific testing; to train downstream users; to enforce terms of use and safety policies; to select AI tools that were appropriate for the task at hand; and to avoid blind reliance on AI outputs in contexts requiring independent judgment. 

Whether any such duties exist is ultimately a question for the courts. The analysis turns on familiar negligence considerations, such as the nature of the relationship between the parties, the degree of control exercised by defendants and the context in which the conduct occurred. These inquiries often cut across corporate boundaries and contractual layers, complicating early attempts to narrow the case.

Risk

AI Insurance Exists. Getting It Is the Hard Part.

by Corey Gray and Jon Mills

April 13, 2026

Coverage is still catching up to AI risks, but companies need to get a jump on policies

Read moreDetails

Reasonable care without a federal benchmark

The success of a negligence claim frequently hinges on whether the defendant exercised “reasonable care.” In the AI context, that inquiry is complicated by the absence of a single, authoritative federal standard of care. Courts are likely to assemble the reasonable‑care benchmark from a patchwork of sources, including industry practices, internal policies, voluntary frameworks, expert testimony and post‑hoc assessments of what precautions could have been taken.

Defendants may point to this regulatory vacuum as a defense, arguing that no settled industry standards existed at the relevant time, that they followed prevailing practices and that plaintiffs are attempting to impose hindsight‑driven expectations. Evidence of compliance with existing regulatory regimes, such as consumer protection laws, professional standards or sector‑specific safety requirements, may be offered as proof of reasonableness.

Plaintiffs may use the same federal statutory void as a reason to look inward. Internal AI policies, governance frameworks and aspirational public statements may be cited as evidence of the applicable standard of care. Language intended to signal a commitment to best practices can be reframed as a self‑imposed duty that the organization failed to meet. The lesson is not that companies should avoid adopting AI policies but that such policies should be realistic, risk‑tiered and demonstrably implemented rather than purely aspirational.

Known risks, evolving systems

Negligence liability extends only to harms that are foreseeable. Plaintiffs can increasingly point to widely recognized categories of AI risk — such as bias, hallucinations, data drift, misuse and overreliance — as evidence that harm of the general type was foreseeable, even if the precise outcome was not.

For courts, the central question is often not whether a particular outcome could have been predicted in advance but whether reasonable actors should have anticipated the relevant risk category and taken proportionate steps to mitigate it. As a result, documentation matters. Risk assessments, testing protocols, monitoring practices and incident-response procedures may all play a critical role in evaluating foreseeability.

No negligence claim can succeed without proof of causation, and this element may prove the most challenging for plaintiffs in AI cases. Model behavior can be opaque, outputs may vary based on prompts and context, and multiple human actors often intervene between system output and the alleged harm. Model updates, retraining or version changes can further complicate efforts to identify which system caused a particular injury.

Defendants, for their part, may attempt to push liability upstream or downstream, emphasizing their own lack of control, the absence of a direct relationship with the plaintiff or intervening human decisions. Traceability becomes a strategic asset. Version control, audit trails, documentation of human review and records of incident detection and remediation can all influence whether causation arguments are resolved early or survive into costly discovery.

The role of courts & the risk of inconsistent outcomes

As AI systems continue to evolve, courts’ application of negligence principles will develop alongside them. Courts draw on the existing precedent in their jurisdiction (or suitable analogies from similar cases), which may take the law in different directions depending on the jurisdiction. Some may treat downstream misuse or overreliance as an intervening cause that breaks the causal chain; others may view such conduct as foreseeable, particularly where warnings or safeguards were inadequate. What was unforeseeable one year may be deemed foreseeable the next. 

Judicial philosophy and technical familiarity with AI systems will also play a role. Some courts may be reluctant to expand tort liability in the absence of legislative guidance, while others may view tort law as a necessary gap‑filler. At the same time, plaintiffs are unlikely to rely on negligence alone, instead pairing it with claims under state AI laws, consumer protection statutes, product liability theories or other available causes of action. The result will be increased fragmentation, forum shopping and inconsistent approaches across jurisdictions.

The post Negligence & AI: Can the Courts Keep Up? appeared first on Corporate Compliance Insights.

Securities regulators aren’t creating new rules to govern financial services firms’ use of AI — yet. But, as Hollie Mason and Ryan Murphy of consultancy Stout explain, history shows old rules can still apply to new technology.

The use of emerging AI technologies, such as generative AI, machine learning and large language models (LLMs), is becoming more commonplace in financial services, creating new compliance and operational considerations for both AI buyers and users in the US and abroad.

While adapting to AI has become somewhat of a necessity, securities industry regulators, such as FINRA and the SEC are not yet responding with targeted rulemaking but instead are reminding broker-dealers and other industry participants of the applicability and neutrality of current regulations.

Regulators’ current approach to governing AI activities is consistent with prior technological advancements in the industry and predictive of compliance and operational challenges to come.

The evolution of AI regulation

Rulemaking

In 2023, the SEC proposed a new rule addressing AI-induced conflicts of interest. To date, this has been the only attempt by securities industry-specific regulators to implement rules concerning firms’ uses of AI. This proposal has since been withdrawn, receiving mixed reviews by several SEC commissioners and industry commentary.

While the regulation is unlikely to resurface, an interesting takeaway might be that industry regulators and participants have since taken the position that current rules and regulations adequately address evolving AI compliance and operational advancements despite the SEC’s 2023 proposal seemingly projecting a bit of ambiguity.

State regulators, on the other hand, are taking it upon themselves to enact targeted and comprehensive laws governing AI usage. For example, California, Texas and Colorado have passed comprehensive AI legislation, similar to the European Union’s approach. Numerous other states have proposed or enacted more limited, AI-related legislation focused on consumer privacy, deceptive media, fair use of protected works and general disclosure requirements in instances where consumers interact with AI. While these laws are not specifically tailored to the financial services industry, many may have consumer rights implications in states in which firms do business.

Regulatory actions

A review of past regulatory actions showed a general focus on ensuring firms have accurately disclosed AI relationships, risks and usage and that firms using AI tools in place of more manual internal processes have adequate human intervention and supervision.

For example, in March 2025 in SEC vs. Rimar Capital USA, the SEC claimed the respondents raised funds via false promises about the firm’s use of AI for automated trading. This is one of only a handful of enforcement actions the SEC has brought against companies for what is being referred to as “AI washing.” Also, FINRA has taken some AI-centric disciplinary actions. In 2024, one FINRA action specifically mentioned AI, involving a broker-dealer’s implementation of a flawed machine learning program designed to assist in their compliance with AML requirements.

As firms continue to leverage AI technology, however, regulatory actions will likely broaden in scope and increase in frequency. In their most recent examination priorities, the SEC indicated an increased scrutiny concerning firm policies and procedures related to using and monitoring AI. Similarly, in its 2026 annual report, FINRA emphasized a focus on AI testing and monitoring. One may speculate as to what extent this will continue in the years ahead, but regulatory leadership — irrespective of party affiliation — has consistently committed to utilizing and overseeing AI, especially as it pertains to the detection and prevention of fraud.

As SEC Chairman Paul Atkins said at an AI roundtable in March, “In short, while the mechanisms of fraud may change, our obligation does not. The commission’s mandate to protect investors is technology neutral. And misconduct remains misconduct, regardless of the medium.”

In other words, AI is likely to remain a regular focus despite any shifting in priorities or a changing of the guards.

History reveals US securities industry’s approach

As with many other technological advancements in the securities industry, US regulators and trade associations suggest that relevant industry rules are technology-neutral and adequately govern AI activities. History suggests that this technology-neutral approach may create regulatory risks.

The financial services industry is no stranger to industry-changing advancements in technology being met with a technology-neutral approach by regulators inclusive of reminders and guidance about the application of existing rules. Anything from electronic trading, electronic communications with the public and cloud computing to high-frequency trading, alternative trading platforms and robo-advisers have resulted in a similar regulatory approach.

Consider the case of electronic communications with the public. When firms and customers began communicating via email, FINRA issued a notice reminding firms that recordkeeping rules were technology agnostic and governed changes in communications. Despite occasional regulatory notices issued throughout the latter half of the 1990s, real clarity concerning how these rules applied to electronic communications and technologies would not arrive until regulators began related examinations and enforcement proceedings.

In the early 2000s, in a joint initiative among the SEC, the National Association of Securities Dealers and the New York Stock Exchange, multiple firms were fined for an array of failures with respect to how they supervised and maintained records related to electronic communications. The SEC reported failures to preserve or maintain electronic communication records and establish procedures to ensure compliance with these requirements. For firms that preserved records, they reported a wide range of methodologies ranging from disaster recovery tapes to hard drives on personal computers, each of which presented additional risk management concerns involving inadvertent destruction, poor organization and inadequate policies to ensure records were kept in accordance with regulation. In addition to prior regulatory notices and reminders, the SEC’s enforcement activities brought clarity to how technology-neutral rules should be applied to technological advancements in communication activities.

This regulatory approach is familiar and understandable given technology often evolves faster than regulation. It is also predictive, acknowledging that new technologies are often not designed solely for or exclusively used by the securities industry and may be regulated by other industries or regulatory bodies, creating a measure of undefined space between regulatory jurisdiction and technology advancement, availability and usage. We are still somewhat early in the ramp-up phase of AI in the securities industry, particularly with public-facing capabilities, but if history is any indication of future risks, regulators will soon be identifying problematic behaviors taking place within undefined and unchartered spaces.

This “technology-neutral” stance by regulators has a long history of turning out rules by examination or enforcement activities. With the uptick in AI usage by firms and mentions of AI in recently released examination priorities, AI-focused regulatory enforcement will likely increase soon. For firms that prefer a more proactive approach to regulatory compliance, an increased focus should be placed on risk-based planning, particularly in instances where AI technology is driven by customers’ identity information or other confidential or restricted information.

Financial Services

Managing the AI Content Explosion in Financial Services

by Jamie Hoyle

March 13, 2026

AI tools have multiplied adviser output in financial services — and FINRA’s supervision framework was written for a different volume

Read moreDetails

Risk management and compliance considerations

Whether a firm is seeking to dip its toe into AI or expand and innovate using generative AI technology, firm processes should begin by seeking and obtaining input from key stakeholders in related business units, such as cybersecurity professionals, AML officers and data privacy officers. As true expertise on AI systems may be a limited resource, firms should ensure qualified individuals are in place to opine on implementation and serve in oversight capacities. One thing that securities regulators have been clear about when it comes to AI is that human escalation points are necessary for AI driven processes.

Other risk-based considerations could be applicable:

• Firms should specifically define what they mean by AI. What systems, processes and technology are included in your definition? Involve subject matter experts to ensure policies do not rely on overly broad and potentially incorrect definitions of AI and that policies do not haphazardly include non-AI technology without distinction.
• Consider identifying when any AI tools can be utilized by employees. Whether firms address employee use of AI by business unit in desktop procedures or written supervisory procedures or by developing an enterprise-wide AI policy document, they should provide specific guidance and examples of relevant systems and circumstances in which AI can or cannot be used.
• Firms should prioritize training and supervision so that employees are clear about what tools are authorized and for what purpose. Employees should also be clear about how to escalate or report unauthorized uses and be able to explain to regulators how AI tools facilitate their job responsibilities.
• Firms must consider a control framework that denies access to any AI technology found to be out of compliance with policy or deemed restricted given an employee’s role or function. If a firm deems use of a particular AI provider unacceptable, ensure steps are taken to deny employees access to it at their workstations.
• Firms should continually conduct and document targeted risk assessments and ensure emerging changes remain part of ongoing audit and compliance testing. This could include oversight and ongoing testing concerning employee access and ongoing utilization of AI, with interest in detecting unsupervised or unapproved use. Firms could also document decisions concerning which employees and teams are permitted access to specific AI tools and for what purpose. Like other systems or data access protocols, these decisions should be reviewed periodically. Records related to permitted users should be made available for inspection. 
• Firms should document determinations concerning the applicability of other countries’ AI policies in which they do business. Be sure to clearly address how the firm evaluates, tests and supervises any third-party AI technology. This includes understanding how new or existing technology works, what data is being targeted, used or stored and who has access to it. As existing vendors begin to incorporate AI solutions, ensure a firm’s vendor risk management program accounts for any such change to products or services.

The future of AI accountability

A time may come when regulators and customers start asking whether a firm’s lack of AI technology makes it more at risk for regulatory failures. This will be a time when AI technology evolves from a “nice to have” to a necessary expense firms must budget for to optimize compliance and remain viable.

Imagine a brokerage firm that customers could not electronically communicate with because the firm found the implementation costs of supervisory and archival systems intolerable. The premise of a firm refusing to incorporate electronic communications into their service model due to costs of compliance seems a bit absurd to 2026 eyes, but was it so absurd in 1995? Back then, under the same “technology-neutral” regulatory messaging, firms began seeking to facilitate communication and delivery of information electronically as opposed to through the postal service. Failure to onboard the necessary tools and incorporate supervisory and record-keeping solutions would have conceivably hindered a firm’s ability to permit electronic communications with their customers leading, in turn, to an outdated service model and ultimately dissatisfaction among customers. 

As advancements in technology occur, financial services firms may want to invest in maintaining operational awareness and be mindful about not only how AI could be useful but how not advancing may affect their ability to meet customers’ expectations, compete or avoid risk when such advancements make regulatory compliance more efficient and expansive.

AI technology will certainly change financial services regulation, but for the foreseeable future, it seems these changes will manifest as the result of securities industry regulators’ targeted reports, reminders about how existing rules may apply to AI activities and guidance via regulatory examinations, rather than proposing new AI targeted rules. Firms may want to take a proactive approach to integrating AI into their business models and involve AI specialists into compliance and risk processes.

The post Will AI Change FinServ Regulation? Here’s What History Tells Us. appeared first on Corporate Compliance Insights.

Massive gap appears between GCs and executives 

A gap is emerging between how general counsel (GCs) and executives at companies view the legal team’s contributions to business objectives, according to a Thomson Reuters Institute survey.

In the report, 86% of GCs said they believe legal departments significantly contribute to business goals. Only 17% of C-suite executives said the lawyers were significant contributors to those same goals, with 42% of executives saying legal “contributes little or nothing at all.”

Nearly 50% of GCs reported staffing constraints with the survey saying that this may be a primary factor hampering legal departments from helping to enact business goals.

The survey also revealed that GCs are expected to link risk prevention to wider business goals. Almost 70% of GCs rated talks with internal business units as their most valuable source on emerging risks.

Legal departments no longer see AI just as an efficiency tool, the survey also found. Instead, legal departments are strategically integrating AI across all aspects of their work, with nearly half of corporate legal teams having access to generative AI tools. Mentions of AI as a strategic priority by corporate legal teams have doubled in the past year, the survey said.

The survey report came from 2,300 interviews with corporate general counsel.

Less than 30% of corporate boards regularly talk about AI 

Only 26% of corporate boards talk about AI at every board meeting, according a Protiviti survey of board directors and senior leaders.

Some boards’ lack of discussion about AI is at odds with the return on investment enterprises can see if they regularly address AI at the board level, according to the survey, which included 772 board members and executives. In 63% of organizations reporting high ROI on AI, every board meeting agenda includes discussions of  the technology. Comparatively, 13% organizations reporting low ROI on AI have reliable board discussion about the topic.

“AI is fundamentally changing how organizations compete and create value,” said Joe Tarantino, president and CEO of Protiviti, a business consulting firm. “Boards that consistently challenge management on strategy, risk, measurement and governance are better positioned to ensure AI delivers value while operating within appropriate guardrails.”

CFOs mostly consider revenue, not culture in M&A deals

Corporate leaders are still determining M&A deal success through the finance lens despite growing acknowledgment that cultural factors are also relevant, according to a recent survey by professional services firm RGP, which found that 58% of financial leaders consider revenue growth a primary indicator of success.

The survey of more than 120 chief financial officers (CFOs) across sectors found that the top three metrics used to determine post-acquisition value realization were all financial — revenue growth, cost synergies (46%) and cash-flow improvement (33%).

However, while 81% of surveyed CFOs said intangible assets like talent, brand and IP are important, just 18% said their organizations were effective at protecting them.

The post Executive & GCs at Odds Over Legal’s Business Contributions appeared first on Corporate Compliance Insights.

New products & platforms

Adeptia announced Adeptia Automate 5.2, which makes enterprise’s data integrations directly accessible to AI and promises to accelerate troubleshooting and improve operational controls.

Magna Group with the UK Freelancer & Contractor Services Association’s Diligence Hub introduced the new Banking Risk & Compliance Dashboard to help financial services mitigate compliance and financial risk across recruitment portfolio supply chains.

Bitdefender launched GravityZone Extended Email Security, which unifies email and endpoint protection within a single platform to protect against cybersecurity threats in email.

LogicGate released Config Newton, an agentic AI GRC engineer that uses models and industry best practices to build, optimize and scale GRC programs in minutes. 

Diligent unveiled Diligent Stewardship Intelligence, an independent proxy and voting intelligence data solution that delivers governance, compensation and decision-supporting data directly into asset managers’ workflows. 

Other news

Brickken, a tokenization infrastructure provider, proved it met top industry standards for security and operation resilience after it gained ISO 27001 certification and achieved compliance with the EU’s Digital Operational Resilience Act.

Want to see your news included here? Email us.

The post GRC News Roundup: LogicGate, Diligent, Adeptia & More appeared first on Corporate Compliance Insights.

Corporate leaders can’t afford to wait for the regulatory dust to settle around apps like Kalshi and Polymarket, experts told CCI’s Jennifer L. Gaskin. Not only do they risk insiders potentially using their knowledge to make a quick buck on the side, but they may be ignoring ADA-related exposure from employees with gambling problems.

Prediction market platforms Polymarket and Kalshi seem to be racing toward arguments before the Supreme Court to decide who gets to regulate them: states or the federal government. Meanwhile, the platforms’ audience keeps growing and wagering on all manner of things, from who will win the 2026 FIFA World Cup men’s soccer tournament to whether the US government will confirm the existence of extraterrestrials before 2027.

And all the while, even for companies well outside of those traditionally in play for insider trading or market manipulation, risk is expanding. One need look no further than internet personality MrBeast, whose company recently fired a video producer who had made prediction market purchases tied to knowledge of the YouTube star’s upcoming posts, to see how far down the org chart prediction markets are pushing insider trading-type risk.

David I. Miller, director of the Commodity Futures Trading Commission (CFTC), which formally has regulatory authority over prediction markets, has signaled an aggressive stance against insider trading on the apps. However, a variety of state authorities have asserted that they should be the ones to regulate prediction markets because of their resemblance to sports betting. A Supreme Court showdown is likely, said Stephen Piepgrass, a partner in the Richmond, Va., office of Troutman Pepper Locke.

“There are just too many aspects of these cases that make them a quintessential case for the justices to decide: federalism versus state sovereignty, a circuit split, a new business model that doesn’t fit neatly into a current regulatory structure and of course, a great deal of public interest in the outcome.”

In the meantime, corporate leaders and compliance teams have their work cut out for them. Getting their arms around the scope of risk is a challenge for many organizations, whether because they are not aware of it in the first place or because they aren’t sure what they can do about it, legal observers told CCI.

“What I get are questions of, ‘Should we be doing something?’” Steve Silver, a shareholder in Littler’s Portland (Maine) office, told CCI. “Well, the answer is yes, but it also means you’re already behind.”

What can companies do?

The surging popularity of prediction markets (Kalshi’s user base has risen from about 600,000 to more than 5 million since 2025), combined with their unsettled regulatory situation, creates dual pressure on corporate leaders where companies need to monitor their employees’ legal use of the platforms and put in place new guardrails to prevent use that’s unethical or even illegal.

According to experts who spoke with CCI, that means looking at technology use policies, non-disclosure agreements, employment contracts, handbooks and codes of conduct. It also means asking whether the technology controls already in place to restrict access to gambling sites extend to prediction market platforms, which, as regulated derivatives exchanges, may not be captured by existing filtering software.

It could also mean taking a closer look at vendors or even employees’ family members, as well as reexamining what companies think of as the types of information for which they need to control access. Perhaps the old definitions of material non-public information need a refresh.

“All companies, particularly publicly traded companies, need to be developing policies to handle this, both in terms of their employees, their vendors, their contractors, even family members of employees,” Silver said. “It’s hard to police what happens once the information flows to a third party.”

As ever, such determinations need to be done by each individual organization. Some companies, Silver said, may be interested in courting the types of public awareness prediction markets offer and could take the position that all press is good press. Others may wish to assign employees to monitor the markets, not just for how their brands are mentioned but for signs of market manipulation.

Regardless of the specifics, companies must have policies in place if they want to avoid regulatory scrutiny, Piepgrass said.

“Now that the CFTC has clearly stated it believes insider trading rules apply to prediction market trades, [the] commission will expect companies to have updated policies in place,” Piepgrass said. “And if they don’t, we know that regulators often use enforcement actions and penalties to send a message to businesses about the importance of compliance.”

Featured

‘If It Quacks Like a Duck’: Prediction Markets, Sports Betting & Insider Trading

by Jennifer L. Gaskin

January 14, 2026

Read moreDetails

Broadening the risk lens

The democratized nature of prediction markets is forcing companies to rethink not just who has access to sensitive information but what even counts as sensitive information in the first place. Silver gave the example of a food company planning to launch a new flavor. The development and launch of the new flavor is a process that would be known by dozens of people in the company, from executive leadership to social media account managers. In the prediction market era, every one of those people could potentially make money off what they know.

“[T]hose are people that have probably traditionally never been bound by confidentiality or protected information agreements,” Silver said. “So it’s just a much broader universe that companies need to be thinking about.”

But this new risk vector is not discriminatory by industry, Silver warned, particularly for publicly traded companies. Earnings calls, for example, should make public companies take another look at what they consider material non-public information.

“What’s going to be said on [earnings calls]? That’s information that becomes public, right?” Silver said, “And it’s probably edited and workshopped for a long time leading up to it. Is that really the protected information? I don’t know that any existing policies would cover that.”

Policy questions vs. human ones

Outside of the risk of not having policies covering employees inappropriately using internal information to move prediction markets, Silver warned that the growing popularity of apps like Polymarket and Kalshi could generate risk vis-a-vis problem gambling.

Both Polymarket and Kalshi use the nomenclature of “event contract” to describe the activity people engage in on their platforms and have rejected assertions that they are gambling apps. Semantics aside, as we reported earlier this year, the lines are blurry to say the least. Through these apps, for individuals susceptible to the lure of gambling and who think they can make a quick buck, the world becomes one big casino.

The human toll is already playing out. Indiana teenager Nevin Burmeister told Fortune that he lost more than $2,000 in six months on Kalshi bets. Burmeister signed up for the app just after his 18th birthday in a state where, while some gambling is legal, it’s limited to those 21 and older. But apps like Polymarket and Kalshi are open to all adults in the markets where they are permitted to operate. Even those younger than 18 are at risk. Silver, who is also a member of Maine’s state gaming commission, said the board recently had to add an under-18 category to its monthly reports covering calls to the state’s gambling helpline. 

A recent survey by the National Council on Problem Gambling found that among those 21 to 44 years old, one-third had placed a sports bet before the age of 21; for those 55 and older, that figure was just 11%.

For Americans of all ages, gambling-esque behavior is becoming increasingly normalized. Sports betting apps are advertised during sporting events, sports news and pregame shows. Video games, too, have expanded exposure to similar activities through things like loot crates.

Reputation risk and insider trading aside, employers also need to be mindful of the Americans with Disabilities Act (ADA), Silver said. That’s because, though the law does not provide protections for those with gambling addiction in the way it might for other addictions, Silver said, people with gambling addictions often also have other issues that may qualify them for accommodation under the ADA.

“Gambling addiction can be linked to a covered mental illness or a covered other addiction, [such as] substance abuse or alcohol,” Silver said. “And so if somebody needs, let’s say, a shortened work period so that they can attend therapy or a meeting, or they need time off to go into inpatient rehab, all of that could be covered, even though by the letter of the ADA [gambling addiction is] not in there.”

The post Prediction Market Risk Is Hiding in Your Organization Whether You Know It or Not appeared first on Corporate Compliance Insights.

Entering the US market can be a minefield when it comes to choosing an entity structure that will support visa needs. As Hector A. Chichoni and Puneet Bhullar of Greenspoon Marder explain, the structure can be conducive to visas or ensnare companies in a “compliance trap.”

For compliance officers overseeing corporate non-immigrant visa programs, the intersection of entity structure and visa strategy represents one of the highest-risk areas in regulatory exposure. A company’s legal structure is not merely a tax or corporate governance decision; it is also important for purposes of your immigration petition. An audit of the corporate non-immigrant visa program must begin with a structural review: Does the entity support the visa categories being used? Are reporting obligations being met? Is the “employer-employee” relationship legally defensible?

Successful market entry requires the deliberate synchronization of corporate structure with immigration strategy. For foreign founders in 2026, the C-Corporation remains the gold standard for insulating the foreign parent from liability while unlocking “qualified small business stock” (QSBS) tax benefits, whereas the LLC has become a “compliance trap” due to aggressive IRS enforcement of Form 5472 penalties.

Having a framework for compliance officers to audit their corporate non-immigrant visa programs is crucial for companies. Officers must also identify structural risk vectors and implement proactive remediation strategies before government scrutiny arises.

Auditing entity structure for immigration compliance risk

The choice of legal entity is not merely a tax decision. It is the “evidentiary bedrock” of your immigration petition. A misalignment can trigger immediate tax liabilities or disqualify a founder from their preferred visa category.

C-Corp: The immigration shield

For most scalable startups, the Delaware C-Corporation is the mandatory structure.

• The liability firewall: It creates a distinct legal person, shielding the foreign parent company from direct IRS audits and US litigation.
• Visa compatibility: It naturally supports the “employer-employee” relationship required for L-1, O-1, H-1B and other visas. Restriction and problems could be created if a founder is “employed” by a sole proprietorship, and LLCs can complicate this distinction.
• Section 1202 (QSBS): Non-corporate taxpayers (founders) who hold qualified small business stock for five years may exclude up to 100% of capital gains (up to $10 million or 10x basis) from federal tax. This benefit is exclusive to C-Corps and is the primary driver for venture-backed formation. 

LLC: The ‘disregarded’ trap

While popular for domestic small businesses, the LLC could be problematic for foreign nationals.

• The Form 5472 dragnet: A single-member LLC owned by a foreign person is treated as a “disregarded entity” for tax purposes but a corporation for reporting purposes. It must file Form 5472 to report “related party transactions” even if just $1 of capital contribution. The penalty for failure to file is $25,000 per form, with no cap.
• Branch profits tax: If not carefully elected to be taxed as a corporation (check-the-box election), an LLC’s income may be subject to a 30% “branch profits tax” on top of regular income tax, effectively creating a punitive tax regime. 

HR Compliance

Latin American Employers Cannot Treat US Immigration as a Transactional Exercise Anymore

by Janine Guzmán and Xana Connelly

February 17, 2026

Strong recordkeeping requires complete petition files, wage evidence and change-management documentation when roles, duties or locations evolve

Read moreDetails

Visa program compliance: Audit checkpoints by category

The traditional choice between E-2 and L-1 non-immigrant visas has expanded. In 2026, the O-1A visa of “extraordinary ability” or “talent” alternative has emerged as a critical alternative for founders who cannot meet the strict capital requirements of the E-2 or the foreign employment duration of the L-1.

E-2 treaty investor: The ‘marginality’ barrier

The E-2 allows nationals from treaty countries to direct an enterprise in which they’re invested. However, adjudication has shifted toward strict financial scrutiny.

• The marginality test: A business is “marginal” if it only generates enough income to support the investor and their family. To overcome this, the adjudication standard demands a five-year business plan with concrete hiring milestones. You must show the business will create jobs for US workers (citizens, green card-holders and other specific categories) and originate revenue in the subsequent years after creation.
• Irrevocability: Funds must be “at risk” before the visa is approved. Placing funds in a generic business bank account is insufficient. They must be spent or committed to equipment purchases, signed leases, acquisition of inventory, contracts, escrow accounts, etc.

L-1A new office: The ‘physical’ mandate

The L-1A is for expanding companies and transferring executives to a new US branch.

• Physical premises: Unlike modern remote-first startups, the L-1 requires physical commercial office space. A virtual office, “hot desk” or residential address will result in a request for evidence (RFE) and even a possible denial. The new company must secure a lease sufficiently big in terms of footage to house the projected staff.
• The one-year cliff: “New office” L-1 (L-1A and/or L-1B) visas are granted for only one year. To renew, you must prove the US entity is operational and supports employment. If you are still the only employee after 12 months, the extension could be denied.

O-1A extraordinary ability: The founder’s bypass

The O-1A is a non-immigrant visa for individuals with “extraordinary ability.”

• No treaty or investment needed: Unlike the E-2, it applies to all nationalities, including Chinese and Indian, and requires no personal, financial investment.
• The criteria: Founders must meet specific criteria, such as receiving nationally recognized prizes or awards; being featured in professional or major trade publications; and holding a “critical role” in a distinguished organization. 
• Equity control: Recent guidance clarifies that founders can be sponsored by a company they own, provided there is a board of directors that can ostensibly “fire” them, establishing a valid employer-employee relationship. 

Regulatory updates affecting corporate non-immigrant visa programs

Compliance officers must account for three significant regulatory developments in 2026. A compliant structure is an active defense system against government audits. 

Corporate Transparency Act (CTA): Foreign entity reporting obligations

As of March 2026, FinCEN has exempted most domestic entities from beneficial ownership information (BOI) reporting. However, foreign entities registered to do business in the US remain fully subject to reporting requirements. Failure to report carries civil penalties of $500 per day.

Identify all foreign entities in the corporate structure registered in any US jurisdiction. Confirm BOI filings are current. Note that branch offices and foreign qualifications are particularly exposed under this framework.

IRS Form 5472 enforcement: Automatic penalties without warning

Foreign-owned US corporations (more 25% ownership) must file Form 5472 alongside their tax return. This form discloses transactions between the US entity and foreign owners. The IRS now assesses an automatic $25,000 penalty for late or incomplete filings, often without a warning letter.

Implement a pre-tax-season compliance checkpoint specifically for Form 5472. Do not delegate this solely to external accountants without a documented confirmation protocol. Maintain copies of all filed forms with the immigration compliance record for each sponsored individual.

Intellectual property assignment: Due diligence readiness

Investors demand a “clean chain of title.” Founders must execute a technology assignment agreement transferring all IP created before incorporation into the new US entity. Failure to do this is a primary reason for due diligence failure during Series A fundraising. 

Confirm that technology assignment agreements were executed at or near incorporation, transferring all pre-incorporation IP to the US entity. A “clean chain of title” protects both fundraising timelines and the stability of existing visa sponsorships.

Corporate governance as evidence

Immigration officers can audit corporate minute books to verify the business is “real.” That means you must document the election of officers and issuance of stock. Note that commingling personal and business funds could be very problematic. Maintain a distinct “capital account” to trace the source of funds for E-2 investment purposes. 

A compliance officer’s audit framework: annual checklist

The following checklist consolidates the audit actions identified above into an annual review protocol. Compliance officers should complete this review at least once per year and upon any material corporate event, such as restructuring, ownership change or new visa petition.

Conclusion: from reactive filing to proactive risk management

Corporate non-immigrant visa compliance is not a one-time filing exercise; it is a continuously evolving risk management discipline. The structural decisions made at entity formation — entity type, tax elections, ownership disclosures — echo through every subsequent visa petition, renewal and government audit.

The decision to form an LLC to “save on taxes” can trigger a $25,000 penalty and create problems with visa extensions. Conversely, a properly structured C-Corporation can shield the parent company, qualify for massive tax exclusions, such as QSBS, and support in some specific cases a robust immigration petition. 

By engaging counsel to treat tax, corporate and immigration law as a single unified strategy, founders can transform regulatory hurdles into a competitive moat. By treating corporate law, tax compliance and non-immigrant visas strategy as an integrated system, rather than siloed practice areas, compliance officers can transform a reactive filing function into a proactive risk management program.

The post Do Your Entity Structure & Immigration Strategy Play Well Together? appeared first on Corporate Compliance Insights.

The second-largest civil penalty in BIS history came with a detail compliance teams should remember: The internal emails and checklists that mapped an overseas routing strategy became the government’s evidence of conscious risk-taking. Bass, Berry & Sims attorneys Thad McBride and Faith Dibble use the settlement to map what BIS is actually looking for when it scrutinizes cross-border manufacturing models — and what export compliance programs need to account for as a result.

The US Department of Commerce’s Bureau of Industry and Security (BIS), the US government department with primary responsibility for administering controls on exports of US-origin commercial goods, software and technology (any of which is an “item”), has long reminded exporters that export controls follow the item.

The agency’s recent settlement with Applied Materials (AMAT) and Applied Materials Korea (AMK) drives that point home.

On Feb. 11, BIS announced a $253 million penalty (the second highest civil penalty in its history), coupled with audit requirements and a suspended three‑year denial order, to resolve allegations that AMAT and AMK re-exported semiconductor manufacturing equipment from South Korea to China’s Semiconductor Manufacturing International Corp. (SMIC) and its affiliates without the required US government authorization.

While the size of the penalty is eye-catching, there are also several important lessons for exporters: Recognize that US export jurisdiction is expansive, especially when it comes to designated end‑users; and beware that complex supply chains do not negate the application of US law, and in fact may make compliance more challenging.

Background

AMAT is a US-headquartered provider of semiconductor manufacturing equipment. The company had a longstanding commercial relationship with SMIC.

In September 2020, BIS sent AMAT an “is‑informed” letter advising that a license was required for certain exports, re-exports and in‑country transfers to SMIC due to military end‑use risk. Not long thereafter, in December 2020, BIS added SMIC and multiple SMIC subsidiaries to the entity list, which is maintained by BIS and that lists parties subject to heightened US export licensing requirements, even in the case of relatively low-technology items.

Notwithstanding the September 2020 notice to AMAT and the subsequent designation, according to BIS, between November 2020 and July 2022, AMAT committed 56 violations by re-exporting or attempting to re-export US-origin semiconductor manufacturing equipment from South Korea to SMIC and its listed affiliates. The equipment value was roughly $126 million.

In the materials BIS has published, the agency alludes to a “dual‑build” approach where partially built US equipment and parts were shipped from the US to AMK in South Korea for additional assembly and testing before onward shipment to China. Internal communications reflected business urgency to operationalize the Korea pathway and concerns about delays, license denials and competitive displacement if SMIC turned to non‑US rivals.

AMAT appears to have believed that the finishing work in South Korea constituted “substantial transformation” such that the finished items were no longer subject to the jurisdiction of US export administration regulations (EAR). BIS rejected that view outright. As the agency emphasized, “substantial transformation” is not the test under the EAR; production began in the United States, the South Korea steps did not convert the equipment into a foreign‑made item, and thus the goods remained “subject to the EAR” for entity list purposes. Because the items were subject to the EAR, their re-export to SMIC required a license, even if routed through South Korea.

Big penalty, bigger message

Under the settlement, AMAT agreed to pay a $253 million civil penalty (twice the value of the illegal transactions and the maximum allowed by statute) and conduct two internal compliance audits with reports to BIS; those are due July 1, 2027, and July 1, 2028. BIS also imposed a three‑year denial of export privileges, though the denial order is suspended contingent on timely payment and audits. If AMAT misses a payment or audit deadline, BIS can activate the denial order and revoke licenses in which AMAT has an interest. During any active denial, AMAT and its representatives would be broadly barred from participating in transactions involving items subject to the EAR and third parties would face parallel prohibitions.

The architecture here mirrors other BIS resolutions in its reliance on conditional relief (suspended denial), independent auditing and significant monetary penalties, all of which are features that BIS increasingly deploys in settlements. In framing this as one of its largest settlements ever, BIS signaled both the sensitivity of semiconductor equipment and its willingness to scrutinize cross‑border manufacturing, assembly and testing models that intersect with China and listed parties.

Featured

After SCOTUS Tariff Ruling, the Hard Work Begins

by Jennifer L. Gaskin

February 25, 2026

Read moreDetails

The foundational importance of export jurisdiction

The most important legal takeaway is jurisdictional and the need to understand the broad scope of the EAR. An appropriate jurisdiction analysis must ask where the item was produced, what components and technology it includes, the value of US-origin content and whether the direct product rule applies. If the answer is “subject to the EAR,” the item remains subject to the EAR wherever it is shipped, including via in-country transfers.

This is not merely academic. Companies often organize their operations around process labels — “final assembly,” “foreign build,” “functional testing” — and then impute jurisdictional consequences to those labels. BIS’s treatment of AMAT’s “dual‑build” shows how risky that can be: A partially assembled tool exported from the United States and finished abroad did not become non‑US; it stayed subject to the EAR, so re-exporting to a listed end user without a license was prohibited.

We have seen versions of this story in other enforcement matters, too. Consider BIS’s January 2026 action against Exyte, a Germany‑based contractor whose China affiliate facilitated “in‑country” transfers of EAR‑controlled items to SMIC. The company treated local purchasing and distributor deliveries as if they were insulated from US licensing because there was no cross‑border export, yet the entity list requirement still applied to transfers within China. BIS imposed a civil penalty and highlighted the absence of robust end‑user screening for domestic transfers.

A second key lesson pertains to the importance of end‑to‑end entity list risk management. Once an end user (or party to the transaction) is on the entity list, any export, re-export or transfer (in‑country) to that party of an item subject to the EAR requires a license. And it does not matter if the item is high- or low-tech. In the Exyte matter, the items included flowmeters, pressure transmitters, logic controllers and voltage‑sag protectors, hardly cutting‑edge chips but still subject to the EAR and thus restricted as to SMIC.

Documentation cuts both ways

BIS’s narrative relies heavily on contemporaneous internal communications — emails and checklists that mapped the “dual‑build” pathway, characterized risks and captured the business rationale for moving quickly. That should not surprise anyone who has lived through an export investigation; agencies reconstruct not just what happened but why it happened, and they often place weight on process artifacts that show intent, risk awareness or a willingness to proceed amid legal uncertainty. In the AMAT matter, BIS emphasized that the company operationalized its transformation theory through internal checklists and shipment controls, which undercut later arguments about ambiguity.

There is a broader through‑line here to earlier compliance lessons. In a 2021 export case involving Keysight Technologies, the US State Department alleged that Keysight violated the International Traffic in Arms Regulations, the primary US regulations governing exports of defense articles, by relying on an export jurisdiction self‑classification while a commodity jurisdiction request was pending.

Penalty drivers

Several factors likely drove the size and structure of the AMAT penalty:

• End‑user sensitivity: SMIC is subject to heightened scrutiny given US national security concerns around advanced semiconductor manufacturing in China. Violations involving listed Chinese semiconductor entities have drawn outsized attention and penalties. 

• Transaction value and duration: BIS alleged 56 violations over roughly 20 months with total equipment value around $126 million. BIS ultimately assessed a penalty of twice that value consistent with agency appetite to make penalties more than a cost of doing business.

• Intent evidence: Internal documentation that shows deliberate structuring to navigate around perceived licensing obstacles can aggravate penalties, even absent classic “willfulness.” BIS drew on email traffic and other communications to tell a story of consciousness of risk and speed to execute.

• Deterrence objective: BIS framed this as a message case for companies using global build, assembly and testing models to serve restricted end users through third countries. By pairing a nine‑figure penalty with suspended denial and audits, BIS created ongoing leverage to verify remediation.

Practical takeaways for export compliance teams

The critical importance of understanding the item’s jurisdiction and classification

Only by knowing the jurisdiction and classification of an item can an exporter know what licensing requirements exist. This includes both any requirements for physical exports and sharing of technology internally. The government expects companies to self-classify items, but when in doubt, seek a formal determination (e.g., a jurisdiction and classification request from the State Department or a commodity classification request from BIS) before building a business process around a favorable assumption.

Treat entity list controls as following the item all the way to the end user

Whether the transaction is an export, a re-export through a partner’s facility or an in‑country delivery by a distributor, the entity list license requirement applies if the item is subject to the EAR and the listed party is a “party to the transaction.” Expand screening to all parties and all stages of the chain, not just the ship‑to address and not only cross‑border activities. The Exyte case shows how “in‑country” transfers can be just as risky as exports. And the compliance challenge related to entity list parties will only expand if the United States reintroduces the entity list 50% rule that was suspended by President Donald Trump in the fall of 2025.

Elevate ‘in‑country’ transfer controls

Many multinationals have robust screening for cross‑border exports but weaker processes for local procurement and distributor deliveries inside a single jurisdiction. BIS’s enforcement posture makes clear that is not sufficient. Treat domestic transfers in high‑risk countries as compliance events on par with exports: Screen the end user and document that screening and other diligence with support from the legal or compliance department.

Conclusion

BIS’ $253 million settlement with AMAT is not just a number; it is a blueprint for how the agency views jurisdiction, re-exports, end‑user controls and compliance overall in an era of globally distributed manufacturing. Any company that builds equipment across borders must ensure that its export compliance program reflects the challenging enforcement environment.

The post $253M Settlement Raises the Bar on Re-Exports, ‘Dual‑Build’ Models & Entity List Risk appeared first on Corporate Compliance Insights.