AI governance is becoming table stakes for law firms

Most law firms started using AI before they built any rules around it. Associates draft and summarize with it, litigation teams run document sets through it, and marketing and business development lean on it daily. The adoption moved faster than the governance, and that gap is now where the risk sits. The firms getting ahead of it are treating AI governance the way they already treat security and confidentiality, as part of the trust they ask clients to place in them.

THE EXPOSURE

Why is AI risk different for a law firm?

The most sensitive asset a firm holds is client matter data, and confidentiality and privilege attach to it. When that data goes into an AI tool, the questions that matter are basic and often unanswered: where does the data go, is it retained, is it used to train a model, who at the vendor can see it. A consumer chatbot and an enterprise tool with the right contractual terms are very different things, and plenty of firms have people using both without knowing which is which. For a professional services firm, that uncertainty sits directly on top of its core obligation to protect client information.

CLIENT DILIGENCE

Why are a firm’s own clients now asking about its AI use?

The pressure is increasingly coming from clients. I see it most clearly in diligence. AI use and SOC 2 status have become standard line items on outside counsel questionnaires and LP due diligence requests, alongside questions about what the firm does with client data and whether there is a real program behind its AI use. Over the past year those questions have gotten more specific and more frequent. A firm that cannot answer them cleanly is at a disadvantage in exactly the diligence that wins and keeps work.

THE CREDIBILITY GAP

What happens when a firm advises clients on AI risk but has no program of its own?

Plenty of firms publish sharp thought leadership advising clients on AI risk, and some run board-level trust events for those same clients, while their own internal AI use has no formal program behind it. That gap becomes uncomfortable the moment a client asks the firm to describe its own controls. The credibility a firm earns by advising well on AI is the same credibility it puts at risk by not governing its own use.

CAPACITY

What if the firm does not have the headcount to run a program?

Firm size shapes how hard this is. A large firm may have a CISO, a privacy lead, and a risk function to share the load. Many firms do not. At a smaller or mid-size practice, the people who would run an AI governance program are the same people already running everything else, and there is rarely dedicated headcount for it. The work still has to happen. It just has to happen without pretending the firm has a team it does not have, which usually means being deliberate about scope and bringing in outside help for the parts that need specialist depth. This is where AI governance and SOC 2 readiness support tends to earn its place, by giving a lean team the structure and the expert guidance to stand up something defensible.

OWNERSHIP

Where should AI governance sit inside a firm?

AI use cuts across the whole firm, which means governance has to as well. It is tempting to hand the problem to IT or to the general counsel and consider it owned. Neither can carry it alone. IT understands the tools and the data flows. The GC understands privilege, confidentiality, and professional responsibility. The people actually using AI sit in practice groups, in marketing, in HR, and in operations, and each of them sees risks and use cases the others miss. The firms getting this right run it as a small cross-functional group with clear seats and a clear chair, so the people who own the policy are the people who understand how the firm actually works.

WHAT GOOD LOOKS LIKE

What does an AI governance program that holds up actually include?

A program that holds up starts with visibility. You cannot govern tools you cannot see, so knowing what is actually in use, including the unsanctioned tools, comes first. From there, use gets classified by risk, so that a marketing draft and a privileged matter document are not handled the same way. Accountability stays with a person, since the lawyer signs the work and answers for it regardless of what assisted in producing it. The AI vendors get the same diligence the firm would apply to any other processor of sensitive data, with real attention to retention and training use. And someone owns the whole thing, with a review cadence that keeps pace with how quickly the tools change. Frameworks like the NIST AI Risk Management Framework and ISO 42001 give useful structure for getting there. What matters most is building something the firm can actually run and stand behind.

WHAT THIS MEANS FOR YOUR FIRM

What to do next

If your firm is using AI, and it almost certainly is, the question a client will eventually ask is simple: how do you govern it? Being able to answer that cleanly is becoming part of the cost of doing business in legal services.

  1. Get visibility into the AI tools actually in use across the firm, including the ones no one formally approved.
  2. Name an owner and a small cross-functional group to carry the program, rather than leaving it to IT or the GC alone.

Frequently asked questions

AI governance is the set of policies, controls, and ownership that determine how a firm’s people use AI tools and what happens to the data those tools touch. For a law firm it centers on protecting client confidentiality and privilege, classifying use by risk, and keeping a person accountable for any AI-assisted work product. Done well, it is a standing function rather than a one-time policy.

Corporate clients, financial sponsors, and regulated institutions run rigorous vendor diligence, and AI use and SOC 2 status are now routine line items in outside counsel questionnaires and LP due diligence requests. Clients want to know that the firm holding their most sensitive information has a defensible program behind its AI use. Firms that can answer these questions cleanly hold an advantage in winning and retaining work.

Yes, and the need is often more acute because smaller firms rarely have dedicated security, privacy, or risk staff. The program does not have to be large, but it does have to be real, scoped to what the firm can actually run, and supported by outside expertise where specialist depth is required. The exposure from ungoverned AI use does not scale down with firm size.

Ownership should not rest solely with IT or the general counsel. AI is used across practice groups, marketing, HR, and operations, and each function sees different risks. The most durable approach is a small cross-functional group with clear seats and a designated chair, so the people who set the policy understand how the firm actually operates.

The NIST AI Risk Management Framework and ISO 42001 both provide useful structure for building and operating an AI governance program. They help a firm organize the work, but the value comes from building something the firm can run and stand behind rather than from adopting a standard on paper. Many firms pair AI governance with SOC 2 readiness so that one trust posture supports both.

A cybersecurity program protects systems and data from unauthorized access, while AI governance addresses how approved people use AI tools and what those tools do with the firm’s information. The two overlap on vendor diligence and data handling, but AI governance adds questions about model training, data retention, and human accountability for AI-assisted output. The strongest firms treat them as connected parts of a single trust posture.

Amanda Grady is Solutions Lead for Trust Services at GreenPlaces. She brings over a decade of experience in the technology assurance space at a Big 4 accounting firm, where she helped organizations build and prove out their internal IT controls. She holds a degree in Information Systems Management. Whether the work is SOC 2 readiness, ISO 27001 certification, or AI governance, Amanda’s focus stays the same: building programs that hold up to real scrutiny.