.png)
Drafting a comprehensive AI use policy is only one side of the coin. Without proper enforcement, your policy is nothing more than a paper tiger: formidable on the surface but ineffectual and lacking in capacity for real impact.
As AI continues its giant strides across industries, there's been a growing awareness of the various risks associated with its usage, from data privacy and ethical concerns to risks of abuse and over-reliance. To stem its potential negatives and ensure productive and ethical use, adequate enforcement of AI use policies is non-negotiable.
That said, most organizations have yet to implement an AI use policy, with only 21% of McKinsey’s survey respondents confirming the presence of an AI governance framework in their organization.
The absence of a binding policy exposes organizations to a variety of risks, from financial and reputational losses to legal liabilities and stakeholder trust erosion.
What has been the reason for the relatively low enforcement rates, and how can in-house counsel navigate these bottlenecks and safeguard their organization?
Read on to find out.
Why should you care?
The benefits of AI in business are immense, from speed and productivity to cost savings and better decision-making, among others.
But its use has also come along with a variety of risks that cannot be ignored, especially from a legal standpoint. As an in-house counsel, you understand that the AI landscape is relatively uncharted, with many considerations to deal with.
We address some of them below.
#1 AI use might pose data exposure risks
AI relies heavily on data, and while this dependence fuels its capabilities, it also raises concerns about data security.
Here’s how:
Employees using AI tools for various purposes often input detailed prompts to generate specific outputs. If they inadvertently include business data or sensitive information in any of these prompts, this data can become a part of the AI’s iterative training dataset.
Some AI platforms also incorporate human reviewers from time to time to ensure that the platforms are used in accordance with their policies. As such, there's always a chance that sensitive data from businesses might become exposed to these groups.
“My team started using ChatGPT right away, which I think is a good thing in order to stay competitive. But they were putting in data that were honestly kind of horrifying. I was caught a little flat-footed, which is unfortunate, so I would say if you don’t have a policy, put one in.”
~ Noga Rosenthal, General Counsel and Chief Privacy Officer, Ampersand
SpotDraft Panel and Q&A: Developing and Implementing Practical AI-Use Policies
#2 There’s a potential for misuse by employees
AI tools are incredibly faster than humans, accomplishing hour-long tasks in seconds. It is possible for users to get carried away by the efficiency and convenience these tools provide, inadvertently leading to abuse.
Consider scenarios where an employee uses AI algorithms to manipulate data, skewing results for personal benefit or causing harm to competitors.
The lack of proper oversight and strong enforcement mechanisms makes it challenging to detect and prevent such abuses. This not only poses a threat to the integrity of organizational data but also exposes the company to legal ramifications.
A well-enforced AI use policy becomes crucial in setting boundaries, educating users about responsible AI usage, and deterring malicious activities.
#3 AI may perpetuate biases in decision-making processes
AI systems, particularly those driven by machine learning algorithms, operate based on patterns and data fed into them during training. This raises ethical concerns when these systems make decisions that impact individuals or communities.
Historical biases present in the training data may result in discriminatory outcomes, perpetuating existing social inequalities.
For example, if historical hiring data used to train an AI recruitment tool reflects gender or racial biases, the AI system might inadvertently favor certain demographics over others. This can lead to discriminatory hiring practices, reinforcing existing inequalities and potentially exposing the organization to legal challenges.
Addressing bias in AI is a complex task that requires a combination of careful data curation, algorithmic transparency, and ongoing monitoring. An effective AI use policy should explicitly acknowledge the potential for bias and outline measures to mitigate and address it.
What areas should your AI use policy cover?
A comprehensive AI use policy should address a range of key areas to ensure a well-rounded governance framework for the productive and responsible use of AI technologies within the organization.
The following areas are particularly crucial:
#1 What kind of AI tools are acceptable?
"One important piece that neither of us brought up is "Should there be a policy around what tools folks can even use?" Because a lot of these AI tools out there do have enterprise versions versus more open versions, and if you're willing to spend the money or invest in it, you can use an enterprise version that very specifically maybe doesn't commingle your data or has very strict retention or output requirements around it, so that your data is not being used that way."
~ Julia Shulman, General Counsel at Telly
SpotDraft Panel and Q&A: Developing and Implementing Practical AI-Use Policies
Organizations need to define the scope of acceptable AI tools within their AI use policy. This involves identifying the specific types of AI applications that align with the organization's goals, values, and ethical standards.
The policy should outline whether off-the-shelf solutions or custom-built AI tools are permissible and, if so, what criteria they must meet.
Also read: Top 5 Free AI Tools for In-House Legal Teams
#2. What kind of data can be input into these AI systems?
"Most organizations are realizing that they should have a policy in place for AI adoption because, otherwise, there's a risk of customer data or confidential data being put into the public tooling."
~ Ken Priore, ex-Director of Privacy, Atlassian
Mastering the Intersection of Law, Technology, and Privacy
AI heavily relies on data for training and decision-making, making it imperative to establish guidelines on the nature and source of data permissible for use. Define the categories of data that are considered appropriate and align with the organization's ethical standards and legal obligations.
To mitigate data exposure risks, emphasize the importance of ensuring that sensitive business information or personally identifiable data is not inadvertently included in AI prompts or training datasets.
Implementing strict controls on the types of data used contributes to maintaining data integrity and safeguarding against potential breaches or privacy violations.
Also read: In-House Legal Guide to Safeguarding Company Data
#3 How should product teams incorporate AI components into products?
An AI use policy should cover not only how business teams use AI tools but also how product teams build functionalities that have AI components.
With the AI rush picking up pace, more organizations are building AI-driven products or incorporating AI into existing ones. This amplifies the need for a policy addressing how product teams integrate AI into company products.
The policy should define the responsible and ethical use of AI components, emphasizing the importance of aligning AI applications with organizational values and legal standards.
Encourage transparency in communicating the presence of AI features to end-users. Provide training and resources to product teams to enhance their understanding of AI ethics, potential biases, and the importance of user consent.
Additionally, set procedures for continuously monitoring and evaluating AI-integrated products to ensure ongoing compliance with the established policies.
#4 What constitutes intellectual property for the organization?
The intersection of AI and intellectual property poses unique challenges that necessitate explicit guidelines in an AI use policy. Clearly define what constitutes intellectual property concerning AI-generated outputs, algorithms, and models.
Establish ownership rights and usage permissions to prevent disputes over proprietary information.
Consider addressing the collaborative nature of AI development, outlining how contributions from various teams or individuals factor into intellectual property rights.
Specify the protocols for safeguarding confidential AI-related information and ensure the policy aligns with existing intellectual property laws and regulations.
Note: For AI use policy development, you don't need to start from scratch! We have created a detailed AI use policy playbook with wisdom from top legal minds.
It's more than just a guide; it's your defense against those hidden traps. With it, you'll be able to draft a policy that helps you:
- Grasp the legal side of AI and LLMs
- Stay ahead, ensuring your company is both cutting-edge and on the right side of the law
- Clear the fog on data privacy, biases, and those tricky IP issues
Download SpotDraft's AI Use Policy Playbook
Also read: Crafting Effective Generative AI Policies: A Step-by-Step Guide
Common challenges with enforcing AI use policies
While developing comprehensive AI use policies is crucial, the road to effective enforcement is fraught with challenges. These hurdles, if not addressed, can undermine the very essence of the policies and expose organizations to a spectrum of risks.
Some of these challenges include:
#1 A lack of awareness and understanding
Implementing and enforcing AI use policies requires an in-depth understanding of the intricacies of artificial intelligence.
However, considering the novelty of AI in business, many organizations face a significant challenge in fostering awareness and comprehension among their workforce. From top-level executives to front-line employees, there is often a lack of understanding around the potential risks and ethical considerations associated with AI use.
This knowledge gap hampers the effective communication, implementation, and adherence to AI use policies throughout the organization.
#2 Variability in regulations
The global nature of AI usage introduces a complex regulatory landscape characterized by variability and inconsistency. What's acceptable under EU laws at a particular time may be unacceptable under American standards, and vice-versa. The same applies to different industries, too.
For organizations operating in multiple regions, aligning policies to diverse, constantly evolving legal frameworks becomes a challenge. This variability not only complicates policy enforcement but also raises the risk of inadvertent non-compliance.
#3 Difficulties with cross-departmental coordination
Enforcing an AI use policy demands seamless collaboration across various organizational departments, each with unique functions, priorities, and interpretations. However, achieving this coordination is often easier said than done.
Departments such as IT, operations, and compliance may view AI policies through different lenses, leading to divergent interpretations and approaches. The lack of a standardized understanding can result in inconsistent enforcement, as each department may prioritize certain aspects of the policy over others based on their specific concerns.
For instance, the IT department may stress technical compliance, while operational teams prioritize efficiency. This disparity leads to fragmented enforcement, heightening the risk of compliance gaps and ethical challenges in AI applications.
#4 Rapid technological advancements
As AI capabilities advance, new applications and use cases emerge, outpacing the development and adaptation of policies. This creates a gap in governance, leaving organizations vulnerable to unforeseen risks and ethical dilemmas.
Staying abreast of technological advancements and updating policies accordingly becomes a perpetual challenge for in-house counsel as enforcing outdated policies becomes increasingly impractical.
Best practices for enforcing an AI use policy
As already established. Putting hours into crafting a comprehensive AI use policy is not always enough. You need to devise a means to ensure that everyone across the board adheres to the rules stipulated in your policy.
Here, we’ve covered some best practices to keep in mind.
#1 Get buy-in from stakeholders
Stakeholder buy-in is a mission-critical component of a successful AI-use policy. If your stakeholders are on board with you, then the enforcement process will be a lot easier.
This process should start early on, during the drafting process. You need to explain the scope of the policy and how it might impact their workflow. At the same time, you must get their own opinions, understand what challenges they might face, and work toward a consensus.
That way, you build a policy rooted in the unwavering support of your stakeholders.
“You need to think about how this is going to impact various teams, who those teams are, who are your stakeholders, going to them, and understanding some of the challenges that they might face if you're about to put a policy in place. You should really think about how it's going to impact upstream and downstream teams, your products, and your processes and get their buy-in before you go jam a policy down their throat.”
~ Julia Shulman, General Counsel at Telly
SpotDraft Panel and Q&A: Developing and Implementing Practical AI-Use Policies
#2 Make arrangements for general education
Conduct training sessions to raise awareness about AI risks, ethical considerations, and the specifics of the AI use policy.
Tailor educational content to address the specific risks associated with AI use in your organization, emphasizing ethical implications, data privacy, and legal considerations. An informed workforce is more likely to comply with policy guidelines.
“You can't even start talking about [AI use] policies and rest without people actually all being on the same page around what it means, what it is, and what it isn't. That doesn't mean that everyone in that room who participated in the training truly took stuff away, but it forces us to think about what [AI] does and doesn't do.”
~ Julia Shulman, General Counsel at Telly
SpotDraft Panel and Q&A: Developing and Implementing Practical AI-Use Policies
#3 Make sure the policy is easy to understand
“I've seen other companies' policies, and honestly, I found a lot of them very hard to follow. So, making sure people understand it is crucial.”
~ Noga Rosenthal, General Counsel and Chief Privacy Officer, Ampersand
SpotDraft Panel and Q&A: Developing and Implementing Practical AI-Use Policies
Complex, jargon-filled policies can hinder understanding and compliance. Craft the AI use policy in clear and accessible language, avoiding unnecessary technicalities.
Use real-life examples to demonstrate key points and provide practical guidance. Clarity in communication fosters understanding and makes it easier for employees to adhere to the policy's stipulations.
#4 Maintain an open-door culture
“When we started asking people to slow down the use of the public version of chatGPT, people came back to my office right away, and we talked it through. But that's because we have an open-door policy. People know we're reasonable. We listen, and we hear feedback. I'm not in the “no” department, and I think that's something all of us as attorneys have to do.”
~ Noga Rosenthal, General Counsel and Chief Privacy Officer, Ampersand
SpotDraft Panel and Q&A: Developing and Implementing Practical AI-Use Policies
Establish a culture that fosters open communication and feedback regarding the AI use policy. Employees should feel comfortable raising concerns, seeking clarification, or reporting potential policy violations.
An open-door culture fosters transparency and allows for swift resolution of issues, preventing minor infractions from evolving into major compliance issues.
#5 Establish a feedback loop for policy refinement
"These policies need to be fairly iterative. You can't be updating them all the time, or none of us would get anything done, but my guess is they're going to keep changing and iterating based on what we see and how they're working."
~ Julia Shulman, General Counsel, Telly
SpotDraft Panel and Q&A: Developing and Implementing Practical AI-Use Policies
The AI landscape is dynamic, and policies must evolve accordingly. Implement a structured feedback loop that collects insights from employees, department heads, and other stakeholders.
Regularly review the policy based on feedback, technological advancements, and changes in legal and regulatory landscapes. This iterative process ensures the policy remains relevant, effective, and in tandem with the organization's evolving needs.
Keeping AI in check
The impact of AI in the world of business has been profound. But like uncharted waters, we've yet to discover the full extent of its capabilities and the various risks associated with it.
As an in-house counsel, your role in ensuring the safe and compliant use of AI within your organization is pivotal. This encompasses not just an in-depth drafting process but also a robust enforcement strategy.
As already established, enforcing an AI use policy is really not an easy feat. But with the best practices we've covered, you'll not only be on track to establish a robust framework for AI governance but also contribute to fostering safe innovation within your organization.
