In working with LLMs, the software engineering industry is at an observation stage. AI does not require business as usual but a fundamental change in approach. This article is aimed at those who manage software engineers so that they are aware of the massive benefits and huge pitfalls and exposure that AI can bring.
What Tech Executives Need to Know About Working With LLMs
1. LLMs Are Not Deterministic Components
LLMs generate probabilistic outputs, not rule‑based results. Identical inputs can produce different outputs. This unpredictability must be managed with controls. It cannot be assumed away.
2. LLMs Introduce New Failure Modes
LLMs can hallucinate facts, invent sources, drift from schemas, or claim abilities they do not have. They can produce confident but incorrect reasoning. Traditional QA does not cover these risks.
3. RAG Changes Risk, It Does Not Remove It
RAG improves factual grounding but adds new dependencies. Retrieval quality, document governance, citation accuracy, and context integrity all affect system behaviour. The data pipeline becomes part of risk management.
4. Compliance Exposure Is Direct and Material
LLM outputs can violate data protection laws, sector regulations, copyright rules, safety standards, and consumer protection laws. Because outputs vary, violations can occur without warning. LLM output is regulated content.
LLM output is considered regulated output because, once it leaves the model and enters your organisation’s systems, it becomes functionally indistinguishable from any other content your company produces. Regulators do not care that it was generated by an LLM. They care about its effects.
5. Statutory Liability Extends Beyond the Model
Liability arises from incorrect outputs, harmful content, decisions made using LLM results, missing audit trails, and weak oversight. The organisation, not the LLM vendor, carries the exposure.
6. Governance Must Be Built Into the Architecture
Systems must include identity constraints, capability boundaries, output format rules, grounding controls, citation rules, safety layers, audit logs, and drift monitoring. Governance is a technical requirement, not a policy document.
7. Evaluation Requires a Dedicated Function
Evaluation must cover schema checks, grounding fidelity, safety tests, reasoning quality, adversarial probing, and drift tracking. This work is continuous and specialised. It cannot be handled ad‑hoc by developers.
8. Vendor Models Do Not Remove Responsibility
Using a third‑party model does not transfer risk. Your organisation is responsible for outputs, data handling, integration behaviour, and controls. Outsourcing the model is not outsourcing the risk.
9. LLM Systems Must Be Treated as Regulated Infrastructure
LLMs influence decisions, customer interactions, internal processes, and public content. They must be governed like any regulated system with clear controls, auditability, and oversight.
10. Strategic Direction: Build Capability, Not Experiments
Executives should invest in controlled architectures, evaluation teams, compliance‑aligned processes, clear ownership of AI risk, continuous monitoring, and safe scaling. LLM adoption is an organisational capability, not a series of pilots.
Conclusion
LLMs introduce technical, operational, and regulatory risks that cannot be managed through normal development practices. Their behaviour is probabilistic, their failure modes are unique, and their outputs carry direct compliance and statutory exposure. The organisation must respond with structured controls, continuous evaluation, and clear ownership.
Actions for Tech Executives
- Treat LLMs as high‑risk components that require strict controls.
- Mandate architectural layers for identity, boundaries, and format.
- Require governance of the retrieval pipeline in all RAG systems.
- Classify all LLM output as regulated content with compliance review.
- Establish audit trails, traceability, and runtime enforcement.
- Create a dedicated AI evaluation team with ongoing responsibility.
- Integrate legal, risk, and compliance into the development lifecycle.
- Do not rely on vendors for safety or liability protection.
- Govern LLM systems like regulated infrastructure, not experiments.
- Invest in long‑term capability: controlled architecture, monitoring, and safe scaling.
Take Away
LLM adoption is not a feature. It is an organisational commitment that requires governance, evaluation, and cross‑functional oversight. These actions are the minimum required to deploy AI systems safely and responsibly at scale.
Related Work
- LLM systems behave differently from traditional software and require layered safety, strong governance, observability, and architectural discipline to operate reliably and sustainably.
- AI adoption is an organisational transformation requiring mandates, measurement, and redesigned processes.
- AI strengthens brands when it improves precision, consistency, and control — and destroys them when it introduces noise.
If this piece was useful, you’ll appreciate the free Phroneses newsletter — clear thinking on engineering leadership, organisational clarity, and reliable systems. Practical, honest, and built for people who care about doing the work well.
I work with leaders and teams on clarity, capability, and momentum. Work with me →
Table of Contents
- What Tech Executives Need to Know About Working With LLMs
- 1. LLMs Are Not Deterministic Components
- 2. LLMs Introduce New Failure Modes
- 3. RAG Changes Risk, It Does Not Remove It
- 4. Compliance Exposure Is Direct and Material
- 5. Statutory Liability Extends Beyond the Model
- 6. Governance Must Be Built Into the Architecture
- 7. Evaluation Requires a Dedicated Function
- 8. Vendor Models Do Not Remove Responsibility
- 9. LLM Systems Must Be Treated as Regulated Infrastructure
- 10. Strategic Direction: Build Capability, Not Experiments
- Conclusion
- Related Work
- Table of Contents