Compliance · 6 min read · 16 June 2026

Munir v SSHD: The Ruling That Changed What Governance Actually Means

A UK tribunal just ruled that organizations are liable for governance they cannot demonstrate. If your DPO exists but nobody can contact them, regulators will treat it as if you have no DPO. Here's what the ruling means.


The Ruling Nobody Expected

A UK tribunal case about legal privilege just set a precedent that changes everything about how organizations will be held liable for governance failure.

Munir v SSHD [2026] UKUT 81 is not a headline-grabbing ruling about AI replacing lawyers. It's a quiet, technical decision about one thing: what happens when an organization uses a tool it doesn't control.

And the implications are enormous.


The Case

A professional uploaded confidential documents to ChatGPT. The tribunal was asked: does this waive legal professional privilege?

The answer was immediate: yes, permanently.

Not because there was a policy against it. Not because the organization said "you can't do this."

Because the execution was uncontrolled. The document went into the public domain. Privilege, once waived, cannot be recovered.


The Principle That Changes Everything

Here's the part regulators are paying attention to:

The tribunal did not judge the person or the intent. It judged the control architecture.

The ruling establishes a precedent: You are liable for governance you cannot demonstrate.

It doesn't matter if you:

  • Wrote a policy saying "don't use public AI tools"
  • Appointed someone to oversee compliance
  • Created a governance framework

If the execution is uncontrolled—if you can't prove you stopped it—you are liable.

The lesson: Visible governance is the only governance that counts.


Why This Matters Right Now

The ruling came down in a legal privilege case, but the principle applies everywhere.

Organizations are adopting AI at breakneck speed. Boards are approving initiatives. Compliance officers are writing policies. Ethics committees are meeting.

But here's what auditors and regulators are finding:

The infrastructure exists. The visibility does not.

Companies have:

  • AI governance frameworks (on paper)
  • Named AI officers (somewhere in the org chart)
  • Approval processes (theoretically)
  • Audit trails (maybe)

But when asked:

  • "Show me who approved ChatGPT for your team" → "Someone did"
  • "Show me the decision log" → "We have one, somewhere"
  • "Show me who your AI governance lead is" → Silence
  • "Show me how your Data Protection Officer vetted this tool" → "We have a DPO. We're not sure who."

Under the Munir principle, invisible governance is liable governance.


The 59% Problem

A recent study found: 59% of UK fee-earners admit to using unapproved AI tools for client work.

And 68% of firm leaders believe they have zero risk.

That gap—between what leadership thinks is happening and what actually is—is exactly what Munir addresses.

You can't be liable for what you don't know is happening if you have reasonable controls. But if 59% of your team is using unapproved tools and leadership doesn't know about it, you don't have reasonable controls.

You have invisible governance. Which regulators will treat as no governance.


What Regulators Are Actually Looking For

When a regulator opens an audit based on the Munir principle, they don't ask: "Do you have an AI governance policy?"

They ask: "Reconstruct for me, in real time, every AI tool your organization used in the last 90 days."

If your answer is "we can try," you've already lost.

Because the Munir principle says: If you can't reconstruct your governance decisions with precision and speed, your governance is not real.

A real governance framework produces:

  • A named decision-maker
  • A decision log with dates and reasoning
  • A record of who was consulted
  • Evidence that the decision was communicated and understood
  • Proof that the decision is being enforced

If you can't produce all of these things in an audit, Munir suggests: you don't have the governance you claim to have.


What This Means for Your Organization

Organizations don't get fined because they have a bad governance framework.

They get fined because they had a governance framework and nobody knew it.

Because infrastructure existed but controls were non-operational.

Because when audited, they couldn't demonstrate that their governance was actually being executed.

If your organization has:

  • A DPO but employees can't name them
  • A compliance framework but it's not accessible
  • An AI governance policy but nobody knows who owns it
  • A governance committee that meets but decisions aren't logged

You don't have a governance problem.

You have a visibility problem.

And visibility problems are the ones regulators care about most.


The Next Step

The Munir ruling is already being cited in regulatory guidance from the ICO, the SRA, and the FCA.

Enforcement is not theoretical. It's happening now.

Organizations that close the visibility gap in the next 90 days will have plausible compliance in any audit. Organizations that wait will face audits where they cannot explain their own governance decisions.
