While the regulatory debate progresses, artificial intelligence already operates within companies, often without control, without traceability and without supervision. It is in this mismatch between the real use of the technology and companies' ability to govern it that the main risk lies at the moment. The processing of PL 2338/2023 does not create this scenario, but it exposes something that was already happening and that will soon be regulated.
From regulatory construction to operational reality
The evolution of PL 2338/2023 definitively changes the way Brazil treats artificial intelligence. The country stops discussing whether it should regulate and starts dealing with a more real, and more difficult, challenge: how to govern a technology that is already in operation within companies.
Inspired by models such as the AI Act, the project adopts a risk-based model, classifying systems according to their impact potential, with more stringent requirements for those considered high risk.
What, in practice, the law requires
The structure of PL 2338/2023 is not extensive by chance. It consolidates requirements that, in practice, demand structural changes in companies.
More than the number of articles, what matters is the type of obligation that comes into existence: identifying and classifying AI systems by risk level, carrying out impact assessments for critical uses, ensuring transparency and explainability of automated decisions, defining responsibilities throughout the chain and structuring continuous governance practices.
In practice, this means that the use of AI is no longer isolated and begins to require coordination, control and accountability.
What the market is still underestimating
The market's most common mistake today is treating this advance as something distant.
Artificial intelligence is already spread throughout companies, often without inventory, without governance and without structured supervision. This is the phenomenon that is starting to gain a name: shadow AI.
In this context, the law does not create the problem; it reveals a problem that already exists. The risk stops being technological and becomes decision-making, reputational and fiduciary.
This scenario is not hypothetical. It can already be observed in areas such as customer service, marketing, credit analysis and operational decisions, where AI tools are being adopted without any formal governance structure.
What if the law came into force tomorrow?
The impact would not be on technology, but on how companies are not yet prepared to govern it. Most companies would discover that they do not have the minimum structure to meet basic governance requirements. The effects would be immediate.
Invisible exposure would become a formal risk. AI systems in use would not be mapped, automated decisions would not be traceable and there would be no clarity on internal responsibilities. At the same time, an operational disruption would emerge. Different areas would use AI without alignment, without common policies and without any standardization of controls.
Furthermore, companies would deal with different regulatory pressures at the same time, connecting the use of AI to existing regimes, such as data protection and consumer relations.
Brazil in the global context
Unlike Europe, with a more prescriptive model, and the United States, with a fragmented approach, Brazil is moving towards a hybrid model, based on principles and decentralized execution.
In practice, this transfers greater responsibility to companies and positions regulation as a mechanism for inducing corporate governance.
The real breaking point
For years, artificial intelligence was treated as a driver of efficiency. Now, it is becoming a new relevant source of risk. The breaking point is not in the technology, but in the ability of organizations to understand, map and govern their use of it.
Conclusion
The discussion about AI in Brazil is no longer theoretical; it is practical and inevitable. Companies will not be charged for using artificial intelligence, but for not knowing how to use it. The truth is that the problem was never technology. The problem is that companies have advanced faster in terms of use than in their ability to govern.
And that’s exactly where companies’ attention needs to start.