The Documentation Paradox: AI and the Corporate Duty to Record

Much of the law governing corporate artificial intelligence rests on a single premise: that the protection from legal liability a company enjoys depends on the quality of the record it can produce. Directors defend oversight claims with minutes and charters. Issuers sustain the securities due-diligence defense with the documented trail of their investigation. Companies claim emerging safe harbors by documenting adherence to recognized standards. In each case the contemporaneous record is not merely evidence of diligence; it has become the condition of legal protection. Call it the documentation imperative.

That imperative now runs into an opposing force. The AI tools spreading through ordinary corporate workflows generate records of their own, automatically and at scale. A single meeting attended by an AI notetaker produces a recording, a transcript, a summary, an action list, a prompt history, and several drafts, where the older practice produced only one set of approved minutes. These machine records are discoverable, often inconsistent with the company’s formal account, and capable of waiving privilege and enlarging what the company must preserve. The law, in short, is pressing companies to document more at the very moment their tools have begun to produce records of their own, and that second, machine-made record, the one no one decided to create, can become a liability. That tension is a problem that has gone largely unexamined. The documentation duties are well understood, and the risks of AI-generated records are drawing growing notice, but the collision between the two has received little attention.

The Documentation Imperative

Consider how thoroughly the law conditions legal protection on the record. For boards, the Delaware duty of oversight, a duty of loyalty rather than of care, established in In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), and sharpened in Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), and In re Boeing Co. Derivative Litigation, 2021 WL 4059934 (Del. Ch. 2021), turns on whether the board built a monitoring system, a question answered by minutes, charters, and reporting, and one that plaintiffs increasingly probe through Section 220 books-and-records demands before filing suit. The same pattern holds outside corporate law. In securities regulation, the Section 11 due-diligence defense stands or falls on the documented record of the underwriters’ investigation, and the recent enforcement attention to “AI washing” (the SEC’s 2024 orders against the advisers Delphia and Global Predictions) turns on the accuracy of a company’s disclosure and the file that backs it.

Those regimes all punish the company that cannot produce a record. A newer set of rules does the opposite: It rewards the company that can, turning documentation from a compliance burden into an affirmative defense. The Texas Responsible AI Governance Act, effective January 2026, offers a safe harbor to companies that can show adherence to the NIST AI Risk Management Framework, a defense available only to the party that kept the paperwork to prove it. Whatever the source, whether fiduciary duty, securities disclosure, or liability defense, the record has become the currency of legal protection.

The Machine’s Record

Set that documentation imperative against what AI is doing to the supply of corporate records. Workplace tools now create documents as a routine byproduct, and what was once fleeting and bound to its context becomes persistent, searchable, and easily reproduced. It is also discoverable. AI prompts, outputs, transcripts, and logs are electronically stored information within ordinary discovery, and courts have begun to map what “AI discovery” means. Three exposures follow.

The first is contradiction. A verbatim transcript or machine summary preserves the aside a careful minute-taker would omit, and when the two accounts diverge, the gap becomes fodder for litigation, the very deliberation oversight law is meant to encourage recast, after the fact and stripped of context, as evidence of what the board knew. The second is privilege, where the courts have already split: in United States v. Heppner, No. 1:25-cr-00503-JSR (S.D.N.Y. 2026), a consumer tool used without attorney direction forfeited protection, while other courts, in Warner v. Gilbarco, Inc., 2026 WL 373043 (E.D. Mich. 2026), and Morgan v. V2X, Inc., No. 25-cv-01991 (D. Colo. 2026), have treated AI as an instrument that does not by itself waive work-product protection, the doctrine that shields materials a party prepares in anticipation of litigation (overview here). Put privileged material into a consumer AI tool, or leave a notetaker running through a meeting with counsel, and the company can lose a privilege it did not realize it was giving up. The third is preservation: Once these artifacts exist, they fall within the duty to preserve, and their routine deletion can become spoliation, the punishable destruction of evidence a party was required to keep.

It might be objected that none of this is new, that litigation has always reached drafts and candid emails. The difference is one of kind as much as degree. The older record was made by a person who chose to create it and could choose not to; the machine record is made by default, at a volume no one curates, attributing statements the speaker never adopted and multiplying the versions of a single event. Automatic creation, imprecise attribution, and scale are what turn a familiar litigation risk into a governance problem.

A Governance Response

The answer is not to document less; the incentives above are real, and some are legally mandatory. It is to treat the curation of records as a governance function in its own right, organized around a single principle: records minimization by design. A problem created by automation is best met with automation rather than added human labor, so the tools should be configured to create less durable record and to dispose of what they do create by default, within what the law requires the company to keep.

That qualification is the crucial part. Aggressive disposal is not a safe default. DOJ and FTC guidance expects business communications to remain amenable to preservation; unmonitored auto-deletion is what drew sanctions in Epic Games v. Google, part of In re Google Play Store Antitrust Litigation, No. 20-cv-05671-JD (N.D. Cal. 2023); and in regulated industries the securities recordkeeping rules and the off-channel enforcement sweep, more than t$2 billion in penalties since 2021, make clear that a business record cannot simply be purged. Minimization is defensible only for material the company is not required to keep, applied consistently, monitored, and suspended the moment a duty to preserve attaches. Information-governance practitioners call this defensible disposition. The aim is not to destroy more, but to decide, and to record the decision.

Four steps put the principle to work. None is novel on its own; each reflects guidance that regulators, courts, and the legal profession already give. The novelty of the proposal, however, lies in treating the steps as a single response, bounded by the duty to retain.

  1. Designate the record. For each AI-enabled workflow, decide in advance what counts as the official record and what is disposable and note the decision in the AI inventory the company already keeps. Then give it effect through configuration: Turn notetaking off by default in legal, board, and personnel settings, and purge transcripts and prompt logs on a fixed cycle unless a legal hold applies.
  2. Put AI records on the retention and legal-hold schedule. A retention schedule sets how long each kind of record is kept, and a legal hold suspends deletion once litigation is anticipated; both were written for email and say nothing about prompts, logs, or machine transcripts. Until they are updated, the company is exposed at both ends: to sanctions if it deletes carelessly, and to discovery if it keeps what it never needed.
  3. Govern privilege by configuration, not exhortation. Turn notetakers off in privileged and investigative meetings, now the ABA’s position and increasingly the standard advice of law firms; screen sensitive content from public tools with data-loss-prevention controls; and route genuine legal work through an enterprise tool used at counsel’s direction. A promise not to train on inputs is not a promise not to retain them, and only the second shrinks the discoverable record. Disabling notetakers has an independent basis too: recording without the consent of all participants can violate wiretap and two-party-consent laws, a theory advanced in a pending putative class action, Brewer v. Otter.ai, Inc., No. 5:25-cv-06911 (N.D. Cal. 2025).
  4. Let the board oversee the design, not the outputs. None of this asks a person to re-check the AI’s output, which would forfeit the productivity that justified the tool; the discipline is built in and runs by default. The board’s task, well within existing audit- and risk-committee remits, is to confirm the architecture exists and to be able to answer one question: when AI creates corporate records, who has decided what the record is, how long it is kept, and who stands behind it.

There is an alternative to the first step worth stating. Rather than keep the minutes as the record and discard the machine’s output, a company can make the AI output the record. A named person reviews and formally adopts one version, which is locked, while the raw substrate is allowed to expire. This applies the records-management idea of a single system of record to machine output, and its appeal is that it removes the divergence at the source, since there is no looser second account to contradict the first. Its discipline falls at adoption and expiry, and the substrate must expire on a consistent, hold-aware schedule, or it recreates the Epic problem. For routine meetings and work product, where the AI summary is already what people rely on, this may be the cleaner design.

AI governance has rightly concentrated on the performance of models and the harms they may cause. But much of the legal exposure will come from something more ordinary: the records these tools generate, and whether the company has decided which of them it is prepared to stand behind. The law has made the record the measure of diligence at the very moment corporate tools began producing records no one curates. Closing that gap is not a matter of documenting less, or more. It is a matter of deciding, in advance, what the company’s record is.

Patrick Meson is a lawyer in Société Générale’s Corporate and Investment Banking division. The views in this post are his alone and do not necessarily reflect those of the bank.

Leave a Reply

Your email address will not be published. Required fields are marked *