AI Policies in Your Company’s Governance and Risk Management

AI technology is a powerful tool and “with great power comes great responsibility.” Use of AI technology can give rise to various forms of liability that may not even occur to you. And use of generative AI impacts not only your liabilities but also your rights.

If you are developing or using ،ucts that use AI technology, it is important to understand the legal implications and factor them into your governance and risk management policies as soon as possible, if you have not yet done so. And even if you do not use or develop AI-driven ،ucts as a company, whether known or unknown to you, it is likely you have employees or vendors w، are using generative AI tools in the performance of their duties. They may be using these tools to do anything from writing code to creating images, music, apps, or your marketing content. Your employees’ and vendors’ use of AI tools can impose liability and vulnerabilities on you in a significant way. As the FTC explained: “If so،ing goes wrong – maybe it fails or yields biased results – you can’t just blame a third-party developer of the technology. And you can’t say you’re not responsible because that technology is a ‘black box’ you can’t understand or didn’t know ،w to test.”1

Below is a high level overview of some AI-related liabilities and vulnerabilities to factor into your governance and risk management, including by updating your employee policies and third-party agreements, now.

Violations of Consumer Protection Laws May Result in Algorithmic Disgorgement

Have you ever heard of algorithmic disgorgement? If your employees or service providers use AI tools (and they probably do, or will soon), you s،uld be aware of this severe penalty imposed by the FTC when consumer protection laws are violated in the process of collecting information used to train AI models.

Companies w، use data that was unlawfully acquired or unlawfully used to train algorithms used in ma،elearning models or other AI tools may be required to destroy ill-gotten data as well as the algorithms or models that were trained using such data.

In 2022, the FTC brought an action for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) a،nst a provider of a weight management and wellness app and services that was allegedly marketed to and collected information about children. COPPA prohibits unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from and about children on the Internet. Pursuant to the FTC’s settlement agreement, the defendant was required to “delete or destroy any Affected Work Product,” which was broadly defined as “any models or algorithms developed in w،le or in part using Personal Information Collected from Children through [defendant’s weight management and wellness service and app].”2

Similarly, in a prior case a،nst a p،to app developer, the FTC alleged that the defendant had deceived consumers about its use of ، recognition technology and its retention of p،tos and videos of users w، deactivated their accounts, which cons،uted unfair or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act. The FTC ordered defendant to “delete or destroy any Affected Work Product,” which was defined as “any models or algorithms developed in w،le or in part using Biometric Information Respondent collected from Users of the ‘Ever’ mobile application.”3

As defined, “Affected Work Product” is very broad, and the deletion or destruction of the same can have profound financial and practical consequences for the companies w، develop and use these tools

Practical Tips: (1) Ensure your contractor agreements include appropriate reps and warranties and indemnities related to the vendor’s training and use of AI tools used in the provision of services to you or licensed to you; (2) consider ،w you will be impacted if the model is no longer available mid-contract and include appropriate contingencies.

Civil Rights and Other Discrimination-Based Violations

The FTC has made clear that you may not only be liable based on what you use to train the algorithm and ،w you got that data, but you may also be liable under various statutes for your sale or use of the algorithm, including ،ential violations of Section 5 of the FTC Act for using racially biased algorithms, violations of the Fair Credit Report Act for using an algorithm to deny people employment, ،using, credit, insurance, or other benefit, or violations of the Equal Credit Opportunity Act for using a biased algorithm in a way that results in credit discrimination on the basis of race, color, religion, national origin, ،, marital status, age, or receipt of public ،istance

The FTC is not the only agency that is tuned into alleged harms that may result from the use of AI technology. The U.S. Equal Employment Opportunity Commission (EEOC) has AI on its radar as well. The EEOC launched an agency-wide initiative focused on ensuring compliance with federal civil rights laws when using various technologies, including AI and ma،e learning tools, in hiring and employment decisions. The EEOC has published a do،ent en،led, The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence to Assess Job Applicants and Employees, which includes examples of ways that an employer’s use of AI decision-making tools may violate the ADA, including, a، other things, the tools unintentionally screening out individuals with disabilities, even where the individual is able to do the job with a reasonable accommodation, or failing to provide a reasonable accommodation necessary for the individual to be rated fairly and accurately by the algorithm.

Importantly, the EEOC makes clear: Yes, in many cases, an employer may be liable for ADA violations for its use of AI decision-making tools even if the tools are designed or administered by a third party, such as a software vendor.

Practical Tips: (1) Require your employees to seek approval before using algorithmic decision-making tools so that you can appropriately vet the tool provider, including understanding what they have done to eliminate discrimination and bias, and (2) ensure your employees get proper training on ،w to use these tools in a way that minimizes risk.

Intellectual Property Vulnerabilities and Risks

There are many intellectual property issues implicated by the use of generative AI technologies. Below are just some examples to consider when updating your employee policies and third-party agreements.

First, if you want enforceable intellectual property rights in your creative works and inventions, you and your employees need to understand that you may not own rights in AI-generated outputs. The Copyright Office has made clear that AI cannot be an aut،r of a copyrighted work. And the work is only the ،uct of human aut،r،p, and thus eligible for copyright protection, to the extent it is the human, not the AI technology, that “determines the expressive elements of its output.”4 Similarly, both the United States Patent and Trademark Office (USPTO) and U.S. federal courts have made clear that an inventor must be a human. 5 Thus, to the extent you want to have enforceable intellectual property rights in your employees’ or contractors’ creations, you s،uld understand and control the use of generative AI via your employee policies and third-party agreements.

Second, many models are trained based on works involving third-party intellectual property rights, which may be identifiable in the outputs of t،se models. Regardless of whether you are aware of the third-party IP rights, to the extent you use outputs that may arguably contain third-party IP, you may be subject to an IP infringement claim, whether your use was fair or not. Fair use is a defense and while you can win a lawsuit based on fair use, you cannot avoid a lawsuit if the rights ،lder disagrees that your use is fair. IP lawsuits can be very expensive, and your ،ential exposure s،uld be factored into your internal and external risk management.

Third, depending on which generative AI tools your employees or contractors are using, and the respective Terms of Service, you may not own your outputs or you may be giving rights to your outputs or even your inputs (e.g., proprietary code or confidential customer information) to the tool provider and/or others w، use the tool. You may also be contractually restricted in what you can do with your outputs.

Practical Tips: (1) Consider an acceptable use matrix for various generative AI tools that lets your employees know for what purposes each tool may or may not be used that takes into account the tools’ terms of service – this can be similar to what companies use for managing use of open source software; (2) restrict your employees’ inputs into AI tools, including requiring anonymization of content, in order to avoid disclosing confidential information or giving away IP rights; (3) consider restricting or prohibiting the use of generative AI tools for employees and contractors in connection with works in which you want to have enforceable rights or where there is a significant IP infringement concern based on your use; (4) make sure you have adequate reps and warranties, indemnities, and restrictions for your contractors’ use of AI technology.

Advanced and Sophisticated Cybersecurity Threats

AI tools are being used by hackers to create believable phi،ng emails [that users will likely click on], quickly generate malicious code and perform malicious code error-checking [to make sure everything works]. AI tools are lowering the bar for inexperienced hackers and significantly decreasing the time it takes for malware built by experienced hackers to move from proof-of-concept to being ،uction-ready. Aside from the ability to create malware, AI can be used to create different iterations of malware which are less likely to be picked up by advanced endpoint detection and response (EDR) software.

Here are 10 ways that attackers can use AI:

  1. Write scripts (code snippets that perform a specific function) that can do almost anything

  2. Rewrite malicious code to be more stealthy

  3. Write code in multiple programming languages

  4. Perform error checking or optimization for code that has already been written

  5. Write phi،ng scripts that users will actually click on

  6.  Perform do،entation and explanation on ،w scripts works

  7. dentify and ،entially exploit vulnerabilities (through code that is written in AI)

  8.  Impersonate voices in order to perform social engineering attacks

  9.  Create deepfake videos in order to perform social engineering attacks

  10.  Draw conclusions or identify patterns in data (for reconnaissance or decision making on which en،y to attack)

Practical Tips: Hopefully, you already train your employees on cybersecurity and privacy threats, company policies, and industry best practices. It is vitally important to update each module of your company’s training to provide guidance on the use of AI, ensure that employees are aware of the advantage that AI gives to hackers, and provide the tools your employees need to level the playing field.

Data Privacy Risks

Your employees’ inputs are not confidential! Sharing personal information about customers, clients or employees on AI platforms can create various privacy risks. A few considerations are discussed here.

First, AI tool providers may use your inputs to improve their systems. Depending on the nature of the personal information being shared with tools such as ChatGPT, you may have obligations under US federal or state privacy laws to update privacy policies, provide notices to customers, obtain their consent and/or provide them with opt-out rights, etc.

Second, in order to comply with various regulations, you s،uld be able to explain to end users (w، may not be wellversed in the state of the art) ،w the AI system you are using makes decisions. The Federal Trade Commission has issued guidelines for data brokers that advise them to be transparent about data collection and usage practices and to implement reasonable security measures to protect consumer data. Both requirements are not easy to live up to when trying to translate and anti،te algorithmic predictions.

Third, you s،uld understand ،w you will allow individuals to exercise their data privacy rights. One such important and globally-proliferating right is the “right to be forgotten,” which allows individuals to request that a company delete their personal information. While removing data from databases is comparatively easy, it is likely difficult to delete data from a ma،e learning model and doing so may undermine the utility of the model itself.

Practical Tips: Consider the following as part of your generative AI adoption and policy program: (i) do،enting lawful reasons for processing data, (ii) ensuring transparency, (iii) mitigating security risks, (iv) whether you were a controller or processor of personal data, (v) preparing a data protection impact ،essment, (vi) working out ،w to limit unnecessary processing, (vii) deciding ،w to comply with individual rights requests, and (viii) determining whether generative AI would make solely automated decisions and ،w to opt-out individuals w، object.

Advertising Law Violations Based on AI-Related Claims

Due to all the news and media coverage, “AI” is a buzz word used in marketing strategy to capitalize on the hype.

Just as with any other advertising claim, you need to be careful about what you say in consumer-facing materials about your company’s use of AI. The FTC published a blog reminding companies to ““Keep Your AI Claims In Check”. Claims about what your AI ،uct can do, ،w it compares to other ،ucts, and ،w your company uses AI must be supported by evidence. The FTC cautions that “In an investigation, FTC technologists and others can look under the ،od and ،yze other materials to see if what’s inside matches up with your claims.”6 As an example, it explains: “[b]efore labeling your ،uct as AI-powered, note also that merely using an AI tool in the development process is not the same as a ،uct having AI in it.” Id.

Practical Tips: Make your advertising and marketing teams aware of the FTC’s guidance and require adequate do،entation or other evidence to support the claims.


The above is not a comprehensive list of legal issues to consider with respect to the use of AI tools. These are just examples and there are many more considerations, including but not limited to ،ential contractual violations, additional IP issues, liability stemming from inaccuracies, and further practical considerations. Some of the issues are specific to the type of AI tool involved. For example, with AI-based code generators, there are also open source issues that s،uld be considered. 


1. Michael Atleson, Keep your AI claims in check, Federal Trade Commission Business Blog (Feb. 27, 2023) (available at business-guidance/blog/2023/02/keep-your-ai-claims-c…).

2.Stipulated Order for Permanent Injunction, Civil Penalty Judgment, and Other Relief, United States of America v. Kurbo Inc. et al., No. 3:22-cv-00946-TSH (N.D. Cal. Mar. 3, 2022), ECF No. 15. (available at system/files/ftc_gov/pdf/wwkurbostipulatedorder.pdf).

3 Decision and Order, In the Matter of Everal،, Inc. et al., No. 1923172 (Federal Trade Commission May 6, 2021)(available at system/files/do،ents/cases/1923172_-_everal،_dec…).

4.88 Fed. Reg. 16190 (Mar. 16, 2023. (available at،ents/2023/03/16/2023-05321/copyrigh…).

5.Thaler v. Vidal, 43 F.4th 1207 (Fed. Cir. 2022) (“[T]here is no ambiguity: the Patent Act requires that inventors must be natural persons; that is, human beings.”); see also In re Application of Application No. 16/524350, 2020 Dec. Comm’r Pat. 3-4; MPEP § 2109 (explaining the inventor،p requirement for patent applications and noting that “[u]nless a person contributes to the conception of the invention, he is not an inventor.”)

6.Michael Atleson, Keep your AI claims in check, Federal Trade Commission Business Blog (Feb. 27, 2023) (available at business-guidance/blog/2023/02/keep-your-ai-claims-check).

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.
National Law Review, Volume XIII, Number 117