MEXICO Law and Practice Contributed by: Fernando Hernández G., Elvia Ríos Saldaña, Ana Karen Inzunza Sánchez and Luis Andrés Estrada Intriago, Vázquez Aldana, Hernández Gómez & Associates (VAHG)
that non-explainable decisions should not be auto - mated, and that AI governance should be collective and rights-based. Those principles are important as a federal policy signal, especially for public policy and institutional design, but they are not yet binding hard law. 8.2 AI Use-Related Risks As mentioned in 8.1 Board Oversight of AI , there is no AI governance act in force, so AI-use risks are addressed through a combination of constitutional rights, corporate governance duties, securities dis - closure rules, private- and public-sector data protec - tion laws, consumer protection, cybercrime rules, civil liability, and sector-specific regulation. Reputational risk does not operate as a legal category of enforce - ment, but it is legally relevant because it often results in misleading disclosures, consumer deception, dis - crimination, privacy violations, cyber incidents, securi - ties misstatements, or moral damages claims. During 2025, Mexico saw a clear acceleration of congressional AI initiatives and policy discussions, including proposals seeking risk-based AI regulation, transparency duties, governance standards, sanc - tions and ethical safeguards; however, none of those proposals matured into a comprehensive federal AI statute. In parallel, the transparency and data protec - tion framework was undergoing post-2025 transition, which matters for AI enforcement because many AI risks in Mexico are still channelled through data pro - tection law. In terms of who is typically responsible, Mexican law does not yet prescribe a mandatory AI governance map. From a corporate governance standpoint: • the board usually owns strategy and risk; • the audit or risk committee typically oversees internal controls, data governance, cybersecurity, incident reporting and assurance; • a technology, digital or innovation committee may exist in larger groups, but this is a matter of gov - ernance design rather than a statutory requirement; and • the management body usually carries day-to-day responsibility through legal, compliance, privacy, security, technology, product and HR functions.
An internal audit or a compliance-monitoring function commonly provides assurance. 8.3 Liability Exposures Arising From AI Use Misgoverned AI Use The principal liability exposure for boards and offic - ers in Mexico currently arises not from a dedicated AI statute, but from misgoverned AI use under existing laws as mentioned previously. The first and most obvi - ous exposure is data protection. In the private sector, controllers must maintain administrative, technical and physical security safeguards, notify significant security breaches, and allow ARCO (access, rectifi - cation, cancellation (erasure) and opposition) rights, including opposition to certain automated processing. Non-compliance can trigger administrative proceed - ings before the competent data-protection authorities under the post-2025 framework. Failure to Disclose A second major exposure is disclosure failure for listed issuers. Mexican securities law does not impose an AI-specific disclosure chapter, but it does require issu - ers to disclose relevant events immediately, to pro - vide full relevant information in connection with such events, and to include risk factors and contingencies in offering materials and annual reporting. If AI strat - egy, cyber-compromise, regulatory investigation or material dependence on AI is significant enough to affect the issuer’s operations, financial condition, legal position or market price, omission or under-disclosure can expose the issuer, directors and officers to regula - tory sanctions and civil claims. Unfair Practices A third exposure is consumer law and unfair prac - tices. The Federal Consumer Protection Law requires advertising and information to be truthful, verifiable and clear, and prohibits misleading or abusive con - tent. AI-enabled chatbots and marketing can therefore create liability if they mislead consumers, conceal the nature or limits of the system, or produce discrimina - tory or abusive outcomes. The consumer protection agency ( Procuraduría Federal del Consumidor – PRO - FECO) can investigate and impose sanctions.
503 CHAMBERS.COM
Powered by FlippingBook