The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.
A daily newsletter distilling the past two weeks of movement in a domain or two — delivered to your inbox while the index updates in the background.
Each dot marks the weighted maturity of practices within a domain — hover for a brief summary, click for more detail
AI for managing contracts, regulation, governance, and organisational risk. Contract review and e-discovery are good practice with proven ROI; regulatory monitoring and due diligence are advancing steadily. Most of the domain sits at leading-edge — adoption is constrained by liability concerns and the need for domain-expert validation rather than by tooling gaps.
The headline: The AI tools your lawyers and compliance teams want all work now. What stopped progress this fortnight is who carries the blame when they fail -- and regulators have decided it is you, not the software vendor.
Almost everyone is using AI in legal and compliance work: 92 percent of lawyers globally now use it daily, and 87 percent of general counsel report active deployment. But using a tool and trusting it with real decisions are different things. Most organizations are stuck at the first stage -- they bought the software, but only about a quarter have the oversight rules ("governance," the controls that decide who can use AI for what, and how its outputs get checked) to deploy it safely at scale. A small group, mostly large banks, is a generation ahead and running AI compliance systems in production. The rest face a closing window: the EU's AI law starts active enforcement on August 2, and US regulators have already started issuing fines. If you are using AI without documented controls, you are now accumulating risk faster than you are removing it.
The AI work that was advancing fastest just stalled. The three areas with the most momentum -- AI that drafts custom contracts, AI that monitors compliance on its own, and AI that scores contract risk -- all lost ground, not because the technology got worse but because the liability and payback problems got clearer. The lesson: the further AI moves toward acting on its own, the harder the wall it hits. Keep a person reviewing every output that carries legal or financial consequence.
Regulators stopped warning and started fining. The SEC brought $42 million in charges for companies overstating their AI ("AI-washing"), and New York City issued more than $2 million in penalties on the first day it enforced its AI hiring-bias audit rule. Enforcement is no longer a future risk -- confirm which of your AI uses now fall under active rules.
The lab is no longer your shield. The FTC, California, and the EU have all settled the same point: when an AI tool makes a mistake, the company that deployed it is liable, not the vendor that built it. Contracts that try to push that risk back to the software provider will not hold -- budget for your own review and audit layer accordingly.
The "everyone's doing it, no one's governing it" gap is now measured. New research found that companies running AI deeply are far more likely to have real controls (60 percent) than those dabbling (1 percent) -- and that adopting AI without those controls reliably predicts failure. Governance maturity, not tool choice, is what separates the organizations getting value from those quietly building exposure.
EU AI Act enforcement begins August 2. Penalties reach 35 million euros or 7 percent of global revenue, and litigation outcome prediction and most autonomous compliance monitoring are classed as "high-risk," requiring formal assessment. Most companies cannot yet produce a basic inventory of their own AI systems -- start that inventory now, because you cannot comply with what you cannot see.
One global compliance program no longer works. The US is deregulating, the EU is enforcing binding rules, and China requires state approval -- experts now say a single worldwide AI compliance approach is no longer feasible. If you operate across borders, plan for separate compliance tracks per region rather than one policy.
Banks are setting the bar everyone else will be measured against. Production AI systems at the largest banks cut manual investigation work by 90 percent -- and regulators are starting to treat that capability as the expected standard, not the exception. Watch whether your sector's regulator begins citing financial-services practice as the benchmark.
The tools work; your organization may not be ready. Across the board, the blocker is no longer whether the AI is capable -- it is whether you have the data quality, controls, and trained people to run it safely. Roughly 95 percent of corporate AI pilots deliver no measurable return, almost always for organizational rather than technical reasons.
AI confidently invents things, and courts now punish it. "Hallucination" -- when an AI confidently makes things up -- remains unsolved in legal work, with specialist legal tools fabricating case citations 17 to 34 percent of the time. Courts have suspended lawyers and now require written certification that cited cases are real; even an elite firm advising OpenAI filed a brief with around 40 fabricated citations despite full controls.
Spending is lopsided. Companies are spending roughly $735 on AI capability for every $1 on the controls that keep it safe -- and the bill comes due in production, where a large share of self-running AI deployments have been pulled offline after failures appeared only once they were live.
Go deeper: the full Legal, Compliance & Risk briefing -- the longer analytical write-up, plus every practice we track in this domain with its maturity rating, the tools to consider, and the evidence behind our assessment.