Rachel Harris is the General Counsel and AI Governance and Privacy Officer at Suzy, an AI-driven market research firm. She began her career in multidistrict pharmaceutical litigation and was appointed by a federal judge to a national steering committee before pivoting into privacy and AI governance.
Whenever someone tells Rachel that legal is a bottleneck for their company, she tells them it’s an indicator something else has gone wrong.
"If legal is a bottleneck, the real question becomes: have we not integrated ourselves into this workflow appropriately? Something upstream is broken," Rachel said.
GC AI founder Cecilia Ziniti met Rachel through the GC community and has long admired her online presence. In this conversation, CZ and Rachel discuss embedding legal in critical functions, the cure for compliance theater, and how AI is changing the way products are built.
"I sure as heck wouldn't change getting to be a GC right now in the age of AI and how fun and crazy things are,” Rachel said. “We get to navigate the murky, messy, but also fun and exciting world of AI.”
Opposite of Easy: Why Rachel Chose the Hard Path to In-House
Rachel did not plan to end up in private practice. She said as much out loud in law school, to anyone who would listen. Her first job out of law school was litigating pharma MDLs.
The universe, as she puts it, tends to manifest the opposite of whatever she declares.
That first job was the startup training ground Rachel didn’t know she needed. It provided complex, high-volume, incredibly high-stakes work to dive into. Even better, she had a female colleague with a nursing background who could slog through 3,000 FDA MedWatch reports to find a needle in the haystack.
Her MDL work taught Rachel what it means to do hard, unglamorous, intellectually demanding work in service of a big bet that might not pay off for years. It also taught her something unexpected: how to transition into any environment.
"I think back to what if anything could have prepared me for life in a very high-growth startup, and it was hands down working at the plaintiff's firm,” she said. “There are so many analogies between the vibe and the speed at which you have to work, make decisions in ambiguity, and take big bold bets."
Rachel’s next role was at a small firm for general corporate experience. Then the General Data Protection Regulation (GDPR) took effect in 2018, and she found herself building privacy programs from scratch for companies that had never had one.
Following a short stint at Thompson Coburn, Rachel was given an opportunity to take on privacy and governance at Suzy. Her predecessor took a chance on someone without in-house experience, and offered her a critical piece of advice: become best friends with the product and engineering teams. She took that advice.
"There's no great playbook,” Rachel laughs. “The best playbook is: don't doubt yourself and make friends."
How to Diagnose an Upstream Problem
Many guests on this show have mentioned the tendency for Legal to become “the department of No.” Rachel adds that a bottleneck at Legal is almost always an upstream problem.
The remedy is to evaluate whether your team is embedded cross-functionally. Rachel asks: have we truly integrated ourselves into the workflow appropriately? Most bottlenecks are not about the legal process. They are nearly always due to a gap that formed much earlier, well before the contract arrived or the last ticket was opened.
Rachel gives Salesforce as an example of an upstream legal problem. Contracts counsel was spending too many turns going back and forth with Sales on agreements that did not match the product being sold. It turned out that the account executives had never been trained to understand the company's fundamental business model. Every mismatch between the contract and the product was a downstream symptom of an upstream gap.
There was no budget for a CLM, so Rachel’s team built one directly into Salesforce, where the Sales team already lived. Now every salesperson had a central reference for how to have the right conversations earlier, flag the right issues before they reached Legal, and carry notes on specific customer relationships.
"We've got it down to two turns max,” Rachel said. “It's almost completely removed the notion of a bottleneck or why are we taking three turns on a contract.”
Now, anytime legal feels like friction, Rachel and her team re-evaluate the process and how early Legal should be involved, so there aren’t bottlenecks at the finish line.
How to Avoid ‘Compliance Theater’ In-House
Rachel defines compliance theater as what happens when you put words in a questionnaire for the sake of having certain words in the questionnaire, or pursue a security certification for the badge rather than because a customer requires it.
She remedies performative compliance with radical self-reflection. Go one by one through every question on your security review questionnaire and ask yourself three things:
What is this question capturing?
Why is it included here?
Can it be asked more clearly?
If you cannot answer all three, that question is probably compliance theater. By following this auditing process, Rachel has created a faster, clearer experience for the vendor being reviewed and a more accurate picture of what is happening with their data.
The certification question follows the same logic, she says. SOC 2, ISO 42001, and the various other audit frameworks serve a genuine commercial purpose, but only if they replace the security questionnaires for customers. She advises being strategic about which certifications are worth the cost, and educating customers on what those certifications mean.
"Has a customer contractually required that certification? Or are we just jumping through the hoops for the sake of jumping through the hoops? You have to be very strategic in where you're investing those dollars because those audits are not cheap," she said.
Note from CZ: We debated getting SOC 2 at one of my previous companies and the GRC manager made the same point: it only serves a commercial purpose if it replaces the questionnaires. Rachel's response was to build knowledge bases that help her team get through the remaining questionnaires faster, a pragmatic solution while the industry catches up to itself.
The Markdown File That Let Rachel ‘Hand Her Brain to Engineering’
The night before CZ and Rachel recorded this episode, Rachel built a markdown file for the Suzy engineering team describing how consent should work across different jurisdictions, under different age thresholds, and in different regulatory contexts. She handed it directly to the heads of product and engineering, who began uploading it to the company’s AI agents the same day.
"Can you infuse the brain of Rachel into the thing that you've built? Rather than marketing having to come to me and review go-to-market collateral, boom – you've already got an MD file from me,” Rachel said. “Put it where you already are."
With AI, Rachel’s legal spec became the product spec. The handoff between legal and product used to require a product manager to translate legal language into engineering requirements, but that intermediary step is no longer necessary.
This AI-driven handoff between Legal and Product points to where product counsel is headed as artificial intelligence continues to grow. The traditional assumption that Legal and Product need a middleman is changing, and the modern GC is now also a product manager, a project manager, and increasingly, a direct contributor to engineering workflows.
"The delivery of legal expertise is just what might change,” Rachel said. “Our knowledge and expertise will always be needed. We can start to bypass the traditional handoff as much as we can."
Rachel is not waiting to see how AI shakes out; she is already through the door. Whether you are a new lawyer starting out or have been practicing for 30 years, she says, the window that the internet lawyers of the 1990s got is open right now, and the lawyers who get in early will be the ones who define what comes next.
GC AI is built for savvy in-house lawyers who want to embed their expertise directly into the workflows that matter, not just review the output after the fact. Try the best legal AI on the market for free at gc.ai.



