AI Governance Institute logo
AI Governance Institute

Intelligence for Compliance and GRC Teams

← News
Research2025-05-30

Harvard Law Review Finds OpenAI and Anthropic Governance Structures May Fail to Prevent Unsafe Incentives

Source

Amoral Drift in AI Corporate Governance

Harvard Law Review

Via Harvard Law Review

What happened

On May 30, 2025, the Harvard Law Review published Amoral Drift in AI Corporate Governance, a detailed legal analysis of the governance architectures at OpenAI and Anthropic, two of the most commercially significant frontier AI developers operating in the United States. The article examines OpenAI's capped-profit model and its reconstituted board following the November 2023 governance crisis, as well as Anthropic's public benefit corporation design and long-term benefit trust. The authors argue that while these mechanisms were designed to prioritize safety over shareholder returns, they may still leave boards with outsized and poorly constrained discretion, and may not create enforceable accountability when safety commitments conflict with commercial incentives. The analysis applies U.S. corporate law principles, focusing on fiduciary duties owed by directors and the degree to which stakeholder-oriented structures can be legally enforced against directors who favor growth-oriented decisions. The article connects to broader regulatory trends, including California SB 53 and the EU AI Act's GPAI provisions, which push for external accountability mechanisms in response to perceived structural unreliability in internal frontier model governance.

Why it matters

  • ·Regulatory exposure: Legislators and regulators behind frameworks such as the EU AI Act's GPAI provisions and California SB 53 may use findings like these to justify imposing external accountability requirements on frontier AI developers, which could affect enterprise obligations tied to those vendors.
  • ·Operational impact: Enterprise compliance teams that rely on vendor safety commitments from OpenAI or Anthropic as inputs to their own AI risk assessments may be overstating the durability of those commitments, given that the underlying board governance structures carry structural legal uncertainty.
  • ·Organizational risk: Boards at large enterprises with formal AI oversight responsibilities may face heightened scrutiny if they have not documented and escalated AI vendor governance risk, particularly where dependency on frontier model providers is material to high-risk applications.

Governance controls affected

What to do now

  • Revise third-party AI vendor due diligence questionnaires to include a governance tier that requests evidence of how safety-related board decisions are documented, escalated, and made enforceable at foundation model providers.
  • Update AI model registry entries for applications using OpenAI or Anthropic APIs in high-risk contexts to flag that vendor safety commitments carry structural legal uncertainty as identified by the Harvard Law Review analysis.
  • Escalate AI vendor governance risk to board-level review for enterprises with formal AI oversight responsibilities, and ensure the discussion and any conclusions are recorded in board minutes as part of audit-ready AI documentation.
  • Review existing AI vendor contracts with frontier model providers to assess whether contractual representations on safety and reliability are independently enforceable, independent of the vendor's internal board governance.
  • Identify and document the gap in current third-party AI risk frameworks regarding enterprise-level assessment of a foundation model vendor's internal board accountability and fiduciary enforceability, and assign ownership for closing that gap.

What to watch next

Compliance teams should monitor whether U.S. federal or state regulators cite academic analyses of this kind as justification for introducing mandatory external governance requirements for frontier AI developers, particularly in any forthcoming federal AI legislation or state-level rulemakings following California SB 53. Teams should also track whether OpenAI's ongoing corporate restructuring or Anthropic's public benefit corporation status attract formal regulatory scrutiny that could alter vendor risk profiles. Any enforcement actions or guidance from the FTC or state attorneys general regarding AI developer governance would serve as a significant signal that vendor due diligence standards need to be updated promptly.

AI Governance Weekly

Weekly intelligence on AI regulation, enforcement, and governance. Every Thursday.

Powered by Buttondown.

Related Coverage

Insight2026-06-27

Mythos 5 Partial Reinstatement Creates Government-Controlled AI Access Tiers With No Transparent Process

The US government on June 27 granted roughly 100 approved companies access to Claude Mythos 5, partially reversing a June 12 export control suspension, while Fable 5 and organizations outside the approved list remain locked out with no published selection criteria or recourse. The action is the first commercial enforcement under a new executive order framework requiring government pre-release review of frontier models, making tiered access structural rather than ad hoc.

Insight2026-07-16

Agentic Developer Tools Are the New Shadow IT, With a Larger Blast Radius

The Grok Build incident is not a data breach story. It is a category error story: organizations are applying shadow IT controls to a class of tools that bypasses those controls by design. Agentic coding assistants have codebase-level access, transmit code as part of their core function, and expose data in proportion to the developer's own privileges. The governance frameworks built for unauthorized SaaS subscriptions are not built for this.

news2026-07-16

xAI Grok Build CLI Silently Uploaded Full Repositories and Secrets Files Before Server-Side Fix; Opt-Out Did Not Block Transmission

An independent wire-level analysis of xAI's Grok Build CLI (version 0.2.93) found that the tool transmitted entire repository contents, including secrets files and git history, to xAI's servers regardless of what the AI agent was instructed to read. xAI has since disabled the upload server-side and added a privacy opt-out, though the researcher's testing found the opt-out controls data retention rather than blocking transmission. Elon Musk has publicly committed to deleting previously uploaded data, though that deletion has not yet been confirmed complete.