Search
Contact
12.06.2025 | KPMG Law Insights

From AI tool to AI framework – a workshop report

It started with a few questions about Microsoft Copilot – and ended with a company-wide AI framework. We were able to provide the company, a global consulting firm, with legal and strategic support along the way. The example shows why well thought-out AI governance requires far more than just investing in licenses.

The trigger: “We are introducing MS Copilot – can you help us?”

It all began with a phone call that we often encounter in practice. Driven by the promise of generative AI, a leading international consulting firm had decided relatively spontaneously to introduce Microsoft Copilot company-wide. The expectations were clear: to increase efficiency, promote innovation and use the latest technologies in order to stay ahead of the competition. The original request to us was to support this roll-out, particularly from a data protection perspective, and to identify the “biggest pitfalls”.

The realization: A tool is not yet a strategy

Even in the initial discussions and workshops, it became clear what we often experience: There is great enthusiasm for the technological possibilities of AI tools such as Copilot, but awareness of the associated legal and organizational implications is often less pronounced initially. Those responsible on the client side quickly realized in our collaboration that an isolated view of the introduction of Copilot falls short of the mark.

The following questions arose:

  • How do we ensure that the use of Copilot and future AI applications complies with the strict requirements of the GDPR and other relevant laws, such as the AI Act?
  • What data may be fed into the system at all? How do we handle sensitive client information or employees’ personal data?
  • Who is responsible for the results generated by AI?
  • How do we create transparency for our employees and clients regarding the use of AI?
  • How do we establish a process that enables us to evaluate future AI solutions in a structured manner and implement them safely?

It became clear that the desire for Copilot was just the tip of the iceberg. What the company really needed was a solid foundation – a comprehensive AI framework that would regulate and control the use of artificial intelligence throughout the company.

 

A global company needs global standards with local adaptability

The development of such a framework for a global consulting company with various business units and a large number of employees presented a number of challenges:

  • Legal complexity: International data protection standards and AI legislation, which was still developing at the time, had to be taken into account.
  • Organizational integration: AI governance should be seamlessly embedded in existing compliance structures and company processes.
  • Change management: Employees had to be sensitized and trained in order to promote acceptance and responsible use of AI.
  • Practicability: The guidelines and processes to be developed should not only be theoretically sound, but also practicable in day-to-day business.

 

Our solution: a customized AI framework

Together with the client, we have developed a multi-level AI framework based on the following core components:

The AI policy – the basic law for AI in the company

The first component we formulated was the AI policy. It was important that

  • the directive defines clear principles and rules for the responsible and legally compliant use of AI.
  • it addresses ethical aspects, data protection, data security, transparency obligations and responsibilities.
  • the guideline classifies the risks of AI applications and derives protective measures from this.

Information and training materials for the roll-out

To bring the AI policy to life, we developed easy-to-understand guidelines, FAQs and training documents for various target groups within the company.
The aim was not only to impart knowledge, but also to raise awareness of the opportunities and risks of AI and establish a positive error culture when dealing with new technologies.

An agile AI governance process

At the heart of the framework is a clearly defined process that enables the company to evaluate new AI projects in a structured manner, identify risks and make approval decisions on a solid basis. This process includes, among other things

  • A central point of contact for AI initiatives
  • A standardized evaluation procedure (incl. data protection impact assessment where necessary)
  • The involvement of relevant stakeholders (data protection, IT security, legal department, works council)
  • Regular review and adaptation of the AI solutions used

The result: legal certainty, transparency and professional AI management

By implementing this AI framework, our client has not only put the introduction of MS Copilot on a secure footing, but is now generally in a position to manage the potential of AI solutions in a professional, transparent and legally compliant manner.

The advantages of an AI framework are manifold

Minimization of legal risks: The AI framework ensures that the company complies with data protection regulations. It is therefore also well prepared for future AI regulations.

  • Strengthened trust: Transparency towards employees and customers creates trust in the use of AI.
  • Clear responsibilities: Defined roles and processes ensure clarity and traceability.
  • Promoting innovation with guard rails: employees can test and use new AI tools within the framework of clear guidelines.
  • Future viability: The company is well equipped to shape future AI developments proactively and responsibly.

 

Conclusion: AI implementation needs more than technology – it needs governance

The case of this global consulting firm is a good example of how the mere acquisition of AI technology is not enough to leverage its benefits sustainably and securely. It requires strategic anchoring in the company, supported by clear AI governance that combines legal requirements, ethical considerations and practical feasibility. The initial, focused inquiry regarding MS Copilot thus developed into a fundamental project that now enables the client to fully exploit the opportunities offered by artificial intelligence – and to do so with the necessary security and professionalism.

 

We would be happy to discuss with you how your company can also shape the path to customized and future-proof AI governance.

 

Dr. Jyn Schultze-Melling is also part of the League of Lawour new series. You can find out more about him and his work in Episode 2 “Big Data, Big Business”.

Explore #more

25.09.2025 | KPMG Law Insights

MaGo update – roadmap for implementing the new requirements

On 14 July 2025, BaFin revised the circular “Minimum requirements for the business organization of insurance companies under Solvency II” (MaGo for SII-VU) and published…

25.09.2025 | KPMG Law Insights

Foundation register – launch to be postponed from 2026 to 2028

The reform of foundation law, which came into force in July 2023, created a nationwide foundation register based on the commercial register. This was actually

24.09.2025 | In the media

KPMG Law Statement in In-house Counsel: Leveraging potential

The role of the legal department in the company has changed significantly in recent years. Its importance is high. However, it is also increasingly becoming…

24.09.2025 | In the media

Article by KPMG Law in CCZ: The guide for compliance management systems in small and medium-sized enterprises

Compliance in SMEs is challenging: the legal responsibility for compliance is undisputed, but the specific tasks are unclear and depend on the specific situation of…

17.09.2025 | KPMG Law Insights

Circular economy: the construction sector needs a new legal framework

The construction sector is ready for the circular economy, but without a practicable legal framework, its commitment remains at a standstill. What is missing are…

15.09.2025 | KPMG Law Insights

Bundestag adopts new battery law

On September 11, 2025, the German Bundestag passed the Batterierecht-EU-Anpassungsgesetz (Battery Law Adaptation Act) to adapt German battery law to the EU Battery Regulation 2023/1542.…

15.09.2025 | In the media

Guest article in AssCompact: Embedded insurance: prospects, obligations, potentials

Embedded insurance is on the rise. Although it offers great potential for the insurance industry, it also poses challenges. KPMG Law expert Ulrich Keunecke explains…

12.09.2025 | Deal Notifications

KPMG Law advises managing partners of Deutsche Werkstätten Beteiligungs GmbH on sale to Ateliers de France

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the managing partner of Deutsche Werkstätten Beteiligungs GmbH, Mr. Fritz Straub, on the sale of a majority stake…

12.09.2025 | KPMG Law Insights, KPMG Law Insights

Key Facts about the new draft of the “Data Act

On February 23, 2022, the EU Commission presented the new draft of the so-called Data Act, the “Regulation on harmonized rules for fair access to…

09.09.2025 | Deal Notifications

KPMG Law and Tax advise Adiuva Capital GmbH with Fact Books on the sale of KONZMANN Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Adiuva Capital GmbH, a Hamburg-based private equity firm (Adiuva), in connection with the…

Contact

Dr. Jyn Schultze-Melling, LL.M.

Partner

Heidestraße 58
10557 Berlin

Tel.: +49 30 530199 410
jschultzemelling@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll