DOJ Compliance Program Guidance: AI Risks & Corporate Use

Companies are deploying AI faster than their governance frameworks can keep up — and the DOJ has now made that gap a prosecutorial issue.

On September 23, 2024, the DOJ Criminal Division released an updated Evaluation of Corporate Compliance Programs (ECCP), formally adding AI and emerging technology as a standalone compliance risk category. This wasn't a minor revision. Federal prosecutors now have explicit guidance to scrutinize how boards and executives govern AI — not just whether legal and compliance teams have reviewed it.

The audience here is specific: boards, audit and risk committees, CEOs, COOs, and General Counsel at organizations using AI in commercial operations or compliance functions. That covers most mid-market and enterprise companies at this point. According to McKinsey's 2024 research, 72% of organizations have adopted AI — yet only 18% have an enterprise-wide governance body with authority to make responsible-AI decisions. That gap is now visible to prosecutors.


TLDR: Key Takeaways for Executives

  • The September 2024 ECCP update treats AI as a source of compliance risk, not just a tool for managing it
  • Prosecutors will now ask specific questions about AI governance, human oversight, and board-level accountability
  • A new proportionate resource allocation test benchmarks compliance technology spend against business technology investment
  • Whistleblower training must extend to external reporting programs — not just internal hotlines
  • No documented AI governance framework means measurably higher exposure in a criminal investigation

What the September 2024 ECCP Update Actually Changed

The ECCP is the roadmap DOJ prosecutors use when evaluating whether a corporate compliance program is well-designed, properly resourced, and working in practice. It directly influences charging decisions, financial penalties, and whether an external monitor gets imposed after a criminal investigation. This isn't a voluntary framework — it's the lens through which federal prosecutors assess corporate culpability.

The September 2024 revision was the fourth update since the document's introduction in 2017, following prior revisions in 2019, 2020, and March 2023.

It's the first to formally treat AI and emerging technology as a standalone compliance risk category, adding an entirely new subsection: "Management of Emerging Risks to Ensure Compliance with Applicable Law."

The Three Areas That Matter Most

Principal Deputy Assistant Attorney General Nicole Argentieri announced the update at the Society of Corporate Compliance and Ethics conference, identifying three primary areas of revision:

  1. AI and emerging technology governance — how companies assess and manage AI risk in both business operations and compliance programs
  2. Whistleblower protections — whether company practices encourage or chill employee reporting
  3. Data analytics access — whether compliance functions have adequate data access to assess their own effectiveness

Figure: the three key areas of the DOJ ECCP September 2024 update.

All three carry direct implications for board and executive oversight structure.

A Conceptual Shift Worth Understanding

Prior ECCP guidance asked how companies use technology to reduce compliance risk. The updated ECCP now also asks how companies govern technology that itself creates compliance risk. That reframe reflects a governance design change, not just a compliance program update.

The DOJ adopted the OMB Memo M-24-10 definition of AI, which is intentionally broad. It covers:

  • Machine learning models
  • Generative AI
  • Autonomous and semi-autonomous systems
  • AI operating with or without human oversight

Most enterprise AI deployments fall within scope.


AI as a Source of Compliance Risk: The Questions Prosecutors Will Ask

These questions are already written into the ECCP and will surface in criminal investigations. If your organization uses AI in commercial operations or within the compliance function itself, prosecutors will evaluate your governance posture against these specific criteria.

Governance and ERM Integration

The ECCP lays out three direct questions on this topic:

  • Does the company assess how AI could impact its ability to comply with criminal laws?
  • Is AI risk management integrated into the broader enterprise risk management (ERM) strategy?
  • What is the company's governance approach for AI used in commercial operations and in the compliance program?

The framing matters. AI governance that lives inside IT or sits in a standalone technology policy does not satisfy this standard. Prosecutors are looking for AI risk in the ERM strategy — the same framework used for financial, operational, legal, and reputational risk.

Human Oversight and Accountability

On oversight, the ECCP asks:

  • What baseline of human decision-making is used to assess AI outputs?
  • How is accountability over AI use monitored and enforced?
  • How quickly can the company detect and correct AI decisions inconsistent with its code of conduct?

These questions require defined decision rights — not just the assumption that someone in IT is watching. Executive teams need documented thresholds that trigger human review and a clear chain of accountability when AI outputs cause compliance failures.

Insider Misuse and Controls

One area boards may not anticipate: the ECCP explicitly addresses insider misuse. Prosecutors will ask how the company is mitigating deliberate or reckless misuse of AI by company insiders — not just external threats. This has direct implications for access controls, audit logging, and documented use policies.

The ECCP also requires that AI be monitored and tested to confirm it functions as intended and remains consistent with the company's code of conduct. That means a defined testing cadence, documented results, and a process for acting when gaps are found.

Employee Training

The update asks directly: "How does the company train its employees on the use of emerging technologies such as AI?" Prosecutors will look for:

  • Training records tied to specific AI tools or use cases
  • Documented acceptable-use policies employees have reviewed
  • Evidence of ongoing education — not a single policy acknowledgment at onboarding

The Data Analytics and Resource Proportionality Requirements

The New Proportionality Test

The September 2024 update introduced a provision that should get board-level attention. Prosecutors are now directed to ask:

"Is there an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks?"

A company that has invested heavily in AI-driven sales or operations tools while running compliance on outdated systems with limited data access has a documented enforcement risk — not a theoretical one. Debevoise flagged in their September 2024 analysis that companies should be prepared to show proportional investment in AI risk management relative to what they spend on commercial AI tools.

Figure: the compliance technology resource proportionality test, comparing commercial versus compliance investment.

Data Quality and Access Expectations

The ECCP asks three pointed questions: whether compliance personnel can access relevant data sources in a timely manner, whether the company uses data analytics tools to create efficiencies, and — notably — how the company measures the accuracy and reliability of its data analytics models. Access alone isn't sufficient. Compliance teams need documented data governance practices to answer that last question credibly.

Audit committees should ask management for a side-by-side comparison of technology and resources available to commercial functions versus compliance functions. A material gap there isn't a future budget conversation — it's a near-term priority with board visibility.


Whistleblower Protection: The Third Pillar Executives Can't Ignore

The ECCP's updated whistleblower questions go beyond asking whether a company has an anti-retaliation policy. Prosecutors will now ask:

  • Does the company train employees on external anti-retaliation laws and whistleblower programs — not just internal policies?
  • Does it train employees on external reporting channels alongside internal hotlines?
  • Are employees who reported internally treated differently from others involved in misconduct who did not report?

The last question is particularly pointed. It requires companies to audit outcomes from past investigations for patterns of differential treatment.

That audit requirement has a direct external counterpart. The DOJ launched its Corporate Whistleblower Awards Pilot Program on August 1, 2024 — the same month the ECCP revision was being finalized. The program offers awards of up to 30% of the first $100M in net proceeds forfeited, with submissions eligible within 120 days of internal reporting. The ECCP now reinforces that companies should actively cultivate a reporting culture, and training programs that steer employees exclusively toward internal hotlines, without acknowledging external channels, fall short of the standard.


What Boards and Executives Must Have in Place Now

These aren't legal checklists. They're the governance elements that distinguish a defensible compliance posture from a paper program. Prosecutors evaluate whether these controls exist, are resourced, are tested, and actually work.

AI Governance Documentation

Boards should confirm that management has produced an AI governance policy covering:

  • What AI systems the company uses and their intended purposes
  • Applicable controls for each deployment
  • How misuse is detected and escalated
  • Who owns accountability for AI decisions

Figure: the four-component AI governance documentation framework implied by the DOJ ECCP guidance.

If no such document exists, that absence is visible to prosecutors. The ECCP doesn't specify a minimum format, but the questions it asks make clear what the documentation must address.

ERM Integration

AI risk must appear in the company's formal risk register and be reported to the board through the same ERM process used for other material risks. Boards should ask management specifically whether AI risks appear in the risk register — and if the answer is uncertain, that's the answer.

Human Oversight and Accountability Structure

Executive teams need to define:

  • Who is accountable for AI decisions within the organization
  • What thresholds trigger human review of AI outputs
  • How accountability is enforced when AI outputs cause compliance failures

This requires documented decision rights. "IT handles it" is not a governance structure.

Compliance Technology Parity

Request a side-by-side comparison of technology and resources available to commercial functions versus compliance functions. If there's a material imbalance, it should become a near-term investment priority with board visibility before an investigation makes it a liability.

Organizations in regulated industries — financial services, healthcare, retail — often bring in a board-level technology advisor to build the AI oversight framework, document decision rights, and produce compliance evidence that holds up under prosecutorial review. The work is practical and inspectable, not aspirational.


Frequently Asked Questions

What is the DOJ's ECCP and why does it matter for my company?

The ECCP is the framework DOJ prosecutors use to evaluate whether a corporate compliance program is effective. It directly influences charging decisions, financial penalties, and whether an external monitor is imposed following a criminal investigation. Few documents carry more weight in corporate criminal law.

How broadly does the DOJ define "artificial intelligence" in the updated ECCP?

The DOJ adopted the OMB Memo M-24-10 definition, which is intentionally broad. It covers machine learning, generative AI, autonomous and semi-autonomous systems, and AI used with or without human oversight. Most enterprise AI deployments fall within scope.

What happens if my company uses AI but doesn't have formal AI governance policies?

The absence of documented AI governance — including controls, use policies, accountability structures, and employee training — is itself something prosecutors will flag as evidence that the compliance program is not well-designed. The gap is visible and documentable.

Does the updated ECCP apply only to large corporations?

The ECCP applies to any company subject to DOJ criminal investigation, regardless of size. The DOJ does acknowledge that compliance programs should be proportionate to company size and risk profile — smaller organizations may use less formal structures — but the governance expectations apply across the board.

How should boards and audit committees exercise oversight of AI compliance under the new guidance?

Ask management for documented evidence of AI governance policies, ERM integration, compliance technology resource parity, and employee training records. These should be reviewed regularly — not only after an incident surfaces.

What is the difference between using AI for compliance versus managing AI as a compliance risk?

The updated ECCP addresses both. Companies are expected to use data analytics tools within their compliance programs. Separately, they must govern the AI deployed in business operations as a compliance risk in its own right — one requiring controls, testing, and clear accountability. Neither obligation covers the other.