AI Governance & Policy · National Practice

AI governance built to hold up when tested.

Q: What makes your AI governance advice different from any other firm's?

Adam built and governs a production AI system — he is the architect of his own multi-agent AI operating system, not an attorney who has only read about governance. That operational experience is the difference between understanding what a framework says and knowing what it costs when it fails, and it shapes how every control and oversight step is designed.

Q: What does 'human in the loop' actually require?

Real oversight, not a rubber stamp. It means a human with genuine authority, information, and time to intervene at the decisions that matter — not someone nominally approving outputs they cannot realistically evaluate. Designing that correctly is the work; getting it wrong creates the appearance of oversight with none of the protection.

Q: What's the difference between 'defensible' and 'decorative' governance?

Defensible governance ties every control in the document to something real in the system, so that if an AI decision is challenged you can show what the control was, that it was followed, and who was accountable. Decorative governance is a policy adopted to look reassuring but never wired into operations — which can be worse than none, because it documents standards you aren't meeting.

By Adam Lysinski, Attorney · AIGP credential (IAPP) · Updated May 31, 2026

Most AI governance is decoration — a policy adopted to reassure a board, never built to function the day a system fails and someone asks who was accountable. This practice builds governance from the perspective of someone who runs a production AI system daily: clear accountability, documented human oversight, real controls, and an audit trail that survives scrutiny.

Hourly + Governance Retainer

Flat-fee scopes: policy drafts, framework build, governance assessment.

(773) 777-9888

Governance built by someone who actually governs AI

AI-governance advice is strongest when it connects legal frameworks to operational reality. This practice does that in a specific, verifiable way: Adam Lysinski is the architect of his own multi-agent AI system. He built and governs a production AI operating system that runs multiple agents daily, with a guardrails framework, governance documentation, and adversarial review protocols. He did not learn AI governance from a seminar — he runs it. That matters because the gap between advising from a textbook and advising from operational experience is the gap between understanding what an AI governance framework says and knowing what it costs when it fails. When a control is poorly designed, when a human-in-the-loop step is theater rather than real oversight, when an audit trail has a hole in it — those failures are obvious to someone who has had to configure and govern the guardrails of a live production system, and easy to miss for someone who has only read about them.

Defensible, not decorative

A great deal of what passes for AI governance is decoration: a policy adopted because a vendor or a board asked for one, filed away, and never wired into how the system actually operates. Decorative governance is worse than none, because it creates a paper record of standards the organization is not meeting. Defensible governance is the opposite — every control in the document corresponds to something real in the system: who reviews outputs, what the escalation path is when something goes wrong, how decisions are logged, where a human is genuinely in the loop with the authority and information to intervene. The test is simple and unforgiving: if an AI decision is challenged — by a regulator, a plaintiff, or a board — can you show what the control was, that it was followed, and that a human was actually accountable? Governance that cannot answer that question is decoration.

Human-in-the-loop framework design

“Human in the loop” is one of the most invoked and least understood ideas in AI governance. A human rubber-stamping outputs they cannot realistically review is not oversight; it is a liability waiting to be discovered. Real human-in-the-loop design asks harder questions: at which decisions does a human genuinely need authority to override the system, and do they have the information and time to exercise it? Where is automation appropriate, and where is it a risk the organization cannot defend? What gets logged so that oversight can be demonstrated later? This is design work Adam does in his own system every day, and it is the same work this practice does for clients — building oversight that functions under real conditions rather than oversight that exists only on paper.

What a governance program actually includes

A working AI governance program is more than a policy. It typically spans an inventory of where AI is actually used across the organization (often more places than leadership realizes), a risk classification of those uses, documented controls proportionate to risk, defined human oversight, vendor and data-flow review, an incident-response path for when something goes wrong, and a record-keeping discipline that makes all of it demonstrable. Recognized risk frameworks — such as the NIST AI Risk Management Framework — provide a structure for this, and translating that structure into something a specific organization can actually run is the practical work. Frameworks like NIST's are voluntary and are not a legal safe harbor: adopting one helps organize risk management but does not by itself establish compliance with any statute. The program also has to be maintained, because both the technology and the law underneath it move quickly.

Built for a multi-state footprint, in coordination with other counsel

AI governance pressure rarely comes from one place. A single deployment can sit under Illinois statutes, other states' AI and privacy laws, federal policy, sector regulators, and — for organizations with European users — the EU AI Act, whose obligations phase in on a timeline that should be confirmed against the current official text. As a practical risk posture, a governance framework for a publicly deployed system should generally be built to the most demanding standard it is plausibly exposed to across its footprint, rather than to the Illinois minimum — because predicting which jurisdiction's law a given dispute will be measured against is itself uncertain (which law actually governs is a fact-specific question, not a settled one). The firm provides AI-governance strategy and legal services where it is authorized to practice, and where a matter requires advising under another jurisdiction's law it associates local counsel admitted there, and brings in specialist counsel — intellectual property, securities, sector regulators — where the situation calls for it. The throughline stays constant: governance designed by someone who has to live inside a production AI system, built to hold up when it is tested, and delivered without overstating whose law the firm can speak to. Engagements are hourly, on a governance retainer, or flat-fee for defined deliverables like a policy draft, a vendor-clause review, or a governance assessment.

What usually goes wrong

The most common failure is the decorative policy — a governance document adopted to satisfy a board or a customer questionnaire, never connected to how the system actually runs, which becomes a record of unmet standards the moment anything goes wrong. A close second is human-in-the-loop theater: a human nominally “reviewing” outputs they have no realistic ability to evaluate, which provides the appearance of oversight and none of the substance. The third is the unmonitored program — governance built once and never updated, while the organization's AI footprint quietly expands and the law underneath shifts, so the framework slowly stops describing reality.

Frequently asked questions

What makes your AI governance advice different from any other firm's?

What does 'human in the loop' actually require?

What's the difference between 'defensible' and 'decorative' governance?

Do you use a recognized framework like NIST?

Yes — recognized frameworks such as the NIST AI Risk Management Framework provide structure, and the practical work is translating that structure into something your specific organization can actually run and maintain, rather than adopting a generic document that doesn't fit how you operate. These frameworks are voluntary and not a legal safe harbor — they help organize risk management but don't by themselves establish compliance with any statute.

Is AI governance work limited to Illinois?

No. AI governance pressure comes from many directions at once — Illinois statutes, other states' laws, federal policy, and frameworks like the EU AI Act for organizations with European exposure. The firm provides governance strategy and legal services where it is authorized to practice and associates local counsel where a matter requires advising under another jurisdiction's law. As a risk posture, a publicly deployed system is generally best built to the strictest standard it is realistically exposed to. Engagements are hourly, on a governance retainer, or flat-fee for defined deliverables.

This material is attorney advertising and general information, not legal advice, and does not create an attorney-client relationship. AI, technology, and privacy law changes rapidly; no statute, deadline, or obligation here should be relied on without confirming its current status. Engagements contemplate coordination with intellectual property counsel and with local or outside counsel in other jurisdictions as appropriate.

Last reviewed: May 31, 2026. AI statutes and regulations change rapidly; verify each against current law before relying on this page.

Ready to talk?

Schedule a scoping call to build an AI governance framework designed to hold up when it is tested.

(773) 777-9888

4418 N. Milwaukee Ave., Chicago, IL 60630