MANAGING THE RISK OF AI: PART III - BUILDING A PLANE MIDFLIGHT (FOR LEGAL)
Seprio has a few Clients putting together AI risk review committees and proactively working to address the AI storm. These Clients agree on one thing: We’re already catching up. As one Client puts it, they are “building a plane midflight.” The corporate world is just starting to prepare for a storm that’s already hitting.
We might be catching up, but there’s no time like the present to start. This article will provide advice to legal counsel on the risk of AI and how this risk differs from other technology agreements. While this article may be dripping with “lawyer ick” as Ted Lasso’s Rebecca Welton describes it, Part 4 of this Series will describe these same risks from the business perspective.
The Legal Side of Things
As lawyers (or a recovering attorney, in my case), we see the world through the lens of potential risks. We come in skeptical and ask that the world prove us wrong. We sit on a webinar for a supplier promoting AI functionality, and think it’s fun and flashy, but that’s only half the story. Now, if this isn’t true for you as a lawyer, I apologize for the generalization. But the first step for us skeptics is to understand that the businesspeople AI is being sold to are the opposite of skeptical. Often, they aren’t thinking about making sure the proper reviews are happening. They’re thinking, How fast can I get this so I can start using it?! They are thinking, Let’s get this done now because tomorrow is too late.
Getting our businesspeople to slow down will be step 1. Step 2 is going to be the bigger mountain to climb.
Understanding the Risk
We have talked a lot in this series about how contracts related to AI functionality are likely to slip under the radar. This is because they are often terms of adhesion, agreed to by the use of the functionality, or they are attached to functionality that is added on or sold at a very low cost. But this is the risk we’ve been alluding to for AI – the contract terms.
There are far more risks that the contract should address than what we can cover here, but the two I want to address are the use of Customer Data and suppliers’ disclaimers of liability, especially around infringement and use of third-party intellectual property.
Lifeblood
Data is the lifeblood of AI. I said this in Part 2, but what does it really mean? It means that any AI functionality is practically useless without data to consume. I’ve read countless articles by different publications or various Data Security company websites with an almost identical title: “Data is the Lifeblood of Your Organization.” Obstructed bloodstreams lead to insufficient oxygen; if data is leaked or cut off entirely, loss of life is imminent. This may seem like an extreme analogy, but data is invaluable to organizations, and AI can’t function without that data. AI is a lot less useful without business data fueling it. So, shouldn’t we guarantee the contracts protect your data?
Let’s focus on the supplier language we’re seeing:
On Ownership. Most suppliers’ agreements say they do not claim ownership of content fed to AI by their customers, but by using the services, customers are often granting the suppliers a very broad right to use the content. Many of the top contributors to AI (which will remain unnamed as I write this in Word) are already feeling the heat of lawsuits, so they’re doing everything they can to protect themselves from liability and limiting any protections they could offer their customers. Suppliers are shielding themselves from liability for using content for commercial purposes. The language around use of data is generally very broad, and they’re careful not to mention specific issues, like whether data is being used to improve the training of the AI.
On Liability. This is where the biggest legal question mark for AI lives right now. Many suppliers specifically disclaim all guarantees or promises that the AI will work as promised and state that creations may or may not be unique across users. For many of the services, especially for the low-complexity embedded functionality we’ve been discussing in this Series, like chatbots, randomness is baked into the system, and getting a good answer is relative. This means that answers could change from day to day and answers to questions should not be relied upon, especially answers to important legal questions that you want your business to come to you with.
Most importantly, many suppliers explicitly state that they do not promise that the content created will not infringe on a third party’s intellectual property. They expect you to indemnify them for infringement for anything you put into the solution, but they will not indemnify you for any infringement that may be created.
And, as is the case with most one-sided supplier agreements, the limitations of liability have only limited the supplier’s damages and have often been even lower than the typical “paid by customer in the 12 months prior to the event giving rise to the claim” language that is a standard starting point for technology suppliers. Also, remember that the company often won’t have paid much of anything for the AI functionality.
Is the plane built yet?
Unfortunately, no. The plane is built when there is a process set up to handle the AI functionality that your businesspeople are chomping at the bit to use. It’s important to make them understand the risk review process and the importance of it, even if it means they’re frothing at the mouth a bit longer. Part 4 of this Series will help you get started.
There are significantly more risks around AI and the related contracts than what we’re able to cover here, but the point is this: If the contracts aren’t getting reviewed, important data is going into the solutions, and the contracts have one-sided language protecting the suppliers, do you feel like your company is protected?
The Plane Truth (Pun Intended)
Not all AI contracts can be negotiated, but risk management isn’t just about mitigating or preventing risk. It’s about knowing the risk is there, understanding it, monitoring it, and finding the best ways of mitigating it outside of the contract’s language.
Please join us next week as the 2025 Seprio Summer Series dives into the risks associated with multi-tenant cloud environments and concludes its review of the Risk Management section of Supplier Governance.