You Cannot Blame the AI: What a Federal Court's Ruling Tells Us About Corporate AI Governance

A May 2026 federal court decision from the Southern District of New York arrived at a principle that is obvious in theory but widely ignored in practice: when an AI system produces a harmful outcome, the organization that deployed it is responsible. Blaming the tool, what the court called the "devil made me do it" defense, does not work.

The case, American Council of Learned Societies v. National Endowment for the Humanities, involved the U.S. government's use of ChatGPT to screen a large number of federal grants for DEI-related content. Government personnel entered grant descriptions into the model with a simple prompt and acted on the outputs without meaningful review. The court found that the government could not escape liability by attributing the problematic outputs to ChatGPT, because the government chose the tool, designed the process, and failed to build in sufficient human oversight at any stage.

Why This Extends to Every Organization Using AI

The case arose in a government context, but the court's reasoning applies broadly to any organization using large language models in operational, compliance, or legal workflows. The analysis does not depend on which tool was used, or who the user was. It depends on whether the organization established adequate governance, oversight, and human involvement at each stage of the AI-assisted process.

Companies deploying AI in compliance review, financial analysis, legal document preparation, or regulatory filing support face the same analytical framework. The question is whether the governance structure is capable of withstanding scrutiny — in litigation, in an enforcement action, or in a regulatory examination.

Three Governance Failures the Court Identified

1. Prompt design was treated as a technical detail, not a governance decision

The court found that personnel did not define key terms for the model and did not understand how the model interpreted them. As a result, the undefined concept became the operative criterion for downstream decisions, and the outputs reflected that ambiguity — including classifying a study on whaling as DEI-related. The opinion treats prompt formulation as a substantive governance act, not a technical task.

2. Human oversight was nominal rather than meaningful

There was not a single documented example where a human reviewer disagreed with an AI-generated output and chose a different course of action. The court treated this as evidence that oversight existed in name only. This standard — that review must be capable of identifying and correcting errors, not merely present in organizational charts — applies equally to private companies using AI in compliance or legal workflows.

3. The AI workflow became central to the evidentiary record

The court relied on the prompts used and the outputs generated to reconstruct how decisions were made. The AI workflow was not a background technical process — it was primary evidence about whether decision-making was rational. Prompts, outputs, and oversight gaps are discoverable. Organizations should design their AI governance accordingly.

What Sound AI Governance Requires

The opinion points toward concrete practices: documented prompt design with subject-matter expert involvement, meaningful human review with sign-off requirements, testing and validation protocols, and audit trails capturing both AI inputs and human review processes. These mirror the internal controls frameworks public companies already apply to financial reporting. The gap is that most organizations have not extended those same expectations to AI-assisted workflows.

The court's logic applies directly to any company using general-purpose AI tools to support SEC compliance. If a 10-K disclosure is shaped by an AI output that was not reviewed with substantive rigor — not just edited for grammar — the gap between what the tool produced and what the company understood becomes a litigation and regulatory exposure. Finiti's approach is purpose-built for this reason: a system designed specifically for SEC disclosure requirements, with outputs that are transparent about their basis, is materially different from a general-purpose LLM used with generic prompts. The accountability framework the court articulated demands tools built for the task, not adapted to it.

Regulatory compliance layer for public companies and registered funds.

Built for lean teams.

© 2026 Finiti. All rights reserved.
