Legal at an AI Company
Legal/Compliance at Conversica (The Wins)
I had committed to 5 years, and even though I didn’t envision it taking as long as it did, we finally achieved most of what we originally set out to accomplish back in October 2019.
When I joined in October 2019, Conversica was aiming for growth—but with a compliance posture fit for an SMB, not a future enterprise leader. There was no SOC2, no ISO, no formal trust infrastructure. Just basic internal controls and good intentions. But I knew: if we were going to serve Fortune 500 companies, we had to earn their trust—not just with our tech, but with our governance.
So we got to work. Fast.
We partnered with an external consultant, Lisa Nicholson, also an expert that I trusted from my Janrain days, and we launched our SOC2 Type II initiative. We didn’t just check boxes—we built a security mindset into the culture. By the end of 2020, we were SOC2 certified. From there, momentum took hold.
Over the next few years, we self-certified for HIPAA/HITECH and PCI. We pushed forward with ISO 27001. We registered with CSA STAR. And most importantly, we launched trust.conversica.com—a public declaration of our standards and transparency.
We used our significant security posture as competitive differentiation.
By 2024, AI governance became a board-level concern. Enterprises established AI Councils and Audit Committees, and “trust” moved from procurement checklists to executive scorecards. Conversica was ready. Our certifications, our transparency, our response readiness—it all became part of the pitch. In a space where many AI vendors fumbled governance, we led.
Compliance evolved from being a reactive support role to a strategic enabler. It helped win deals. It shortened sales cycles. It protected our customers and our roadmap. Legal, under Lewis Barr, became a key voice at the executive table—balancing innovation with accountability.
Cloud Operations, too, matured. Security reviews became routine. Incident response playbooks were defined, tested, refined. Contracts became faster, cleaner, tighter. The once-silent functions were now mission-critical.
Legal/Compliance – Strategic Headwinds (The Losses)
In 2019, compliance wasn’t a priority—because enterprise wasn’t the focus. The company had no certifications, minimal documentation, and little understanding of what “trust” meant to a Fortune 500 buyer. The legal function was transactional—focused on contracts, not strategy.
The cost? Opportunity. Deals stalled. RFPs lost. Security reviews turned into fire drills. Our value proposition in AI was often undermined by doubts around data integrity and governance.
It wasn’t that Legal lacked a seat at the table—it had one from day one under my tenure. But the role and perception of Legal needed a reset. At the time, it was often viewed by sales as “the department of no.” We changed that. Legal was restructured with a clear mandate: enable growth while managing risk. That included bringing in Lewis Barr, an experienced, business-savvy GC whom I also knew from my past life, who transformed Legal from a contract bottleneck into a strategic partner. Under his leadership, Legal became a driver of velocity, trust, and enterprise readiness.
Advice From One CEO to Another – Operationalizing Trust
Don’t Bolt On Compliance—Bake It In.
If security is a department, you’re already behind. It needs to be a culture.
Hire Legal That Gets GTM.
The best legal leaders aren’t blockers—they’re accelerators. They understand how contracts, policies, and certifications directly tie to revenue velocity.
Certify Early, Signal Often.
SOC2, ISO, CSA—they’re not badges. They’re business enablers. Get them done early, then market the hell out of them.
Trust Is Earned in the Sales Cycle.
Your Trust Center isn’t just for customers—it’s for prospects. Make security and compliance your competitive edge, not your technical debt.
Treat Compliance Like a Product.
Roadmap it. Resource it. Measure adoption. Evolve it. It’s a living asset.
Conclusion
By 2025, Legal and Compliance at Conversica wasn’t just a function—it was a foundation. From the shadows of back-office ops, it became a differentiator in boardrooms and buyer evaluations. It enabled our pivot to mid-market and enterprise. It scaled with us, protected us, and helped win the trust we needed to lead.
When AI governance hit the enterprise radar in 2024 (aka when the AI Act came into force), most vendors scrambled. We didn’t. We had already long operationalized trust—years before the industry began to catch up.
We didn’t just get certified. We got serious. In the age of AI, trust is currency—and we minted ours one audit at a time.