Exponential improvements in artificial intelligence (AI) and other technologies have recently led to an explosion of interest and investment in AI by businesses across the world. That has prompted a wide range of, often urgent, AI-related questions to be put to in-house counsel.

This blog provides a short summary of the top actions that the legal counsel of an organisation contemplating using AI tools should take.

1. Understand the types of legal and reputational risks

Track the main legal and reputational risks that may be engaged by the use of the AI.

Examples include:

  • intellectual property, including whether you: (1) are entitled to use your existing content to train the AI system; (2) own any improvements you make to the AI system; and (3) have rights to the AI system’s outputs;
  • liability for the AI system’s outputs;
  • data protection, including managing the use of personal data as an AI input;
  • compliance with other applicable laws and regulations (eg, antitrust, consumer protection, bank secrecy regulation and export control rules);
  • ethical considerations, which often overlap with privacy and consumer protection rules; and
  • for employee use cases, employment law risks such as those associated with employee monitoring and employee data.

For further information, see Generative AI: Five things for lawyers to consider.

We’ll also be diving deeply into these topics in future blogs linked on this page.

2. Track developing AI-related laws and how they might impact your plans

Be aware that regulation of AI, data and technology is a fast-developing area globally.

For example, an increasing number of jurisdictions (including recently India and various US states) have enacted or announced privacy laws that are similar to the EU’s GDPR or which impose other challenging requirements that may be relevant to the development or deployment of AI.

In addition, some jurisdictions have introduced (eg, China), or are in the process of developing (eg, Canada, Thailand, Brazil and the EU), laws that specifically target AI. Other jurisdictions (such as the UK) have taken steps to adapt existing regulatory structures and approaches to address AI.

Organisations deploying AI need to keep abreast of future legislation and build anticipated requirements into their plans. For example, organisations with an EU-nexus that are implementing AI systems need to consider what aspects of the EU’s AI Act are likely to apply to them.

3. Implement strong AI governance

Strong governance is crucial, including in relation to:

  • establishing appropriate training and clear policies for the development, deployment and use of the AI system;
  • ensuring that the AI system is thoroughly tested and validated prior to launch;
  • documenting the AI system’s design, operation, and limitations;
  • identifying suitable use cases and triaging for higher risks that merit a deeper legal review;
  • issuing frequent and comprehensible disclosures to users about the limitations or known bugs;
  • monitoring the AI system’s performance, errors, and any potential biases on an ongoing basis, with a plan in place to address any issues promptly;
  • implementing privacy measures compliant with data protection law; and
  • adapting other policies and processes, such as seeking adequate insurance coverage where possible.

Click here for more information on risks and mitigants in the context of generative AI.

4. Tailor the approach to your sector and organisation

Ensure your approach is tailored to the laws and regulatory frameworks applicable to your sector and individual organisation, alongside their respective culture and values.

For further information, see our blog posts:

Look out for our forthcoming blogs

We are working closely with many businesses across various sectors as they develop and implement AI at all levels of the AI value chain.

In the coming months we will publishing a series of further blog posts, drawing on our experience to expand on many of the points highlighted in this article.