Artificial Intelligence — From Risk to Reward: Key Questions to Address When Crafting Generative AI Usage Policies
Aug 21 2023
Generative artificial intelligence (AI) has seemingly infiltrated every aspect of corporate America, and organizations’ legal, compliance, and human resources departments are understandably struggling to keep pace with its proliferation. Forward-thinking companies are beginning to implement policies governing the use of these tools, but an off-the-shelf policy not tailored to your unique circumstances could do more harm than good. As an early adopter of generative AI in the law firm community, Troutman Pepper faced these same challenges when crafting the firm’s first generative AI policy, and we quickly realized that our clients could benefit from reviewing some of the key questions we asked ourselves during that process.
Policy Scope and Contours
- Should your organization adopt a policy specific to generative AI, or should it cover all forms of AI? While generative AI is the new kid on the block, AI has been around for decades, and many of the same components of a generative AI policy would apply equally to traditional AI tools.
- Should your company distribute an entirely new policy, or can existing policies (e.g., those defining acceptable uses of core IT systems), be amended to adequately address generative AI? As with most of these questions, there is no single right answer; the best approach for your company depends in large part on the nature of your current policies. Some organizations have enacted ethical AI charters alongside or as a precursor to a formal policy.
- What other corporate policies and procedures warrant potential amendment due to generative AI use? In addition to the acceptable use policies already mentioned, policies regarding data privacy, information security, bring-your-own-device (BYOD) programs, work-from-home programs, and records retention may also be overdue for a refresh. The same may apply to employee manuals and handbooks.
Current Organizational Usage of, and Comfort With, Generative AI
- To what extent are segments of your organization already using AI, and for what purposes? We suspect that many of your employees are already using generative AI, perhaps without the company’s knowledge and authorization. It is nearly impossible to conceive of a company entirely devoid of AI use.
- Setting aside legal requirements, what uses of generative AI does your organization want to encourage/accept/discourage/prohibit to align with its culture and business objectives? You may deem some uses benign and others verboten based on your company culture and risk tolerance, even if no specific law, regulation, or contractual term prohibits them.
- Does your organization offer any products or services that leverage generative AI? If so, your policy will need to be drafted with those preexisting products and services in mind, and your license agreements and customer-facing “terms of use” may need to be updated accordingly.
- Are safeguards needed to prevent operational dependencies on generative AI that could impact business continuity if the technology becomes unavailable or too costly? The velocity of change in this space is such that what is hot today may be gone tomorrow, and businesses should anticipate and plan for that very real possibility.
Governing Legal Environment
- Do any of your vendors/partners use generative AI to perform functions relating to your business and, if so, should your contracts be amended to address such use? If you don’t know whether your counterparties use generative AI to deliver core services, you should ask. We encourage you to check whether you have unwittingly agreed to terms specifying authorized and unauthorized uses of AI; if so, make sure you have systems in place to track those obligations and ensure compliance. If you have not yet encountered those terms, you likely will soon.
- Are you following all current laws and government agency guidance regarding your use of AI tools? Please see the video recording of our Hiring to Firing podcast for a discussion about the risks and benefits of generative AI in the workplace, including the recent New York City ordinance concerning the use of AI in recruiting and hiring. Additionally, check out our Hiring to Firing blog post describing recent EEOC guidance on employers’ use of AI tools in ways that may run afoul of the Americans with Disabilities Act.
- How can your organization make use of generative AI while simultaneously protecting its own intellectual property and guarding against inadvertent infringement of others’ intellectual property? Please see The Intersection of Generative AI and Copyright Law for more on this topic.
- What are the implications of generative AI use on your organization’s privacy and cybersecurity programs, particularly as it relates to sensitive data collection, use, and sharing? Watch Navigating the AI Landscape: Privacy, IP, Policies and More – An Industry Expert Roundtable for an engaging discussion of these and related issues.
- Is your organization subject to industry/regulatory oversight or jurisdiction-specific limitations on whether/how generative AI tools can be used, and the extent to which uses must be disclosed? We recommend conferring with counsel on these questions given their complexity and the pace of change we are seeing in the regulatory environment around AI.
- How will consumer and employee concerns/complaints regarding generative AI use be handled? How much transparency is required? Will employees and consumers have any opt-out or notice and consent rights with respect to certain uses of generative AI? As usual, the law has not yet caught up with the technology, so companies may want to consider what voluntary safeguards and protections they want to extend to those individuals who could be most directly impacted by the use of AI.
- Are you prepared to preserve and collect all records of generative AI use in the event of litigation or an investigation implicating the use of AI? As mentioned in a recent Hiring to Firing blog post, maintaining, exporting, reviewing, and producing a full audit trail of generative AI prompts and outputs may not be possible, nor do most generative AI tools expose the internal algorithms and underlying training data that informed those outputs.
- Do you have adequate insurance coverage in the event of generative AI-related litigation? It may be prudent to check your policy/endorsement language and consult with your insurance broker to avoid future surprises.
Practical Issues With Implementation and Enforcement
- Which stakeholders within your organization should have a voice in the development, implementation, and enforcement of a generative AI policy? Ideally, at least one person in each department or business unit should be designated to represent the interests of their group.
- Does your organization have the resources to build or license enterprise/private generative AI tools to better safeguard your confidential information and intellectual property? As the saying goes, if you are not paying for the product, you are the product. Rather than using free generative AI tools like ChatGPT, some companies are mandating that employees only use enterprise generative AI services that are subject to more client-friendly terms and/or are developing their own solutions using Microsoft Azure’s OpenAI Service and similar application programming interfaces (APIs).
- Are your organization’s legal, compliance, and HR departments equipped to roll out, enforce, and audit a generative AI policy? How will you know if the policy has been violated, and what consequences for policy violations will be enforced? A policy that is not consistently followed is arguably worse than no policy at all, and regulators undoubtedly will be looking at how companies approach enforcement of these policies, deter would-be violators, and punish those who intentionally circumvent generative AI guardrails.
- What level of human oversight/validation of generative AI output is required? As with most things, it depends on myriad factors, but organizations cannot blindly assume that generative AI output is accurate and free of bias.
- What forms of training does your organization require to educate employees, contractors, and others (including third parties) on the risks and benefits of generative AI as well as the new skills essential to extracting maximum value from the technology? Whether you build or buy such training, someone well-versed in generative AI should be involved in preparing and delivering tailored training to different constituencies at your company.
- How will the policy be revised over time to ensure it keeps pace with the rapidly changing technical and legal landscape? Part of enacting a successful policy is contemplating and scheduling periodic review and amendment procedures.
We hope this guidance helps to reduce, rather than amplify, the anxiety rightfully felt by many seeking to gain better control over unfettered use of generative AI. If you need assistance devising and executing on your generative AI strategy, Troutman Pepper has a task force of attorneys and technologists on the front lines of generative AI across all major industries and practice areas. Click here to learn more.