Organizations that want to use artificial intelligence tools but don’t have the capacity to develop their own programs need to set clear guidelines with third-party providers before they agree to adopt new technologies to help them remain competitive.
Effectively integrating such tools requires defining the program’s purpose and how it will meet the business’s needs, ensuring the contract has necessary and practical guardrails, and establishing a comprehensive compliance program.
Because there is little statutory or regulatory guidance for business uses of AI tools, the relationship between AI providers and their customers will be framed by their service, license, or data-sharing agreements.
This private governance—through a contractual infrastructure tailored to the nature of the tool and its anticipated use in the pertinent industry and business context—will be the primary metric for the obligations and responsibilities of the provider and its customer. Using time-worn template clauses in contracts for AI tools and services won’t work in this fast-moving environment because AI tools constantly evolve and require contracting parties and their counsel to “think different,” as Steve Jobs said.
Accessing and deploying AI tools may comprise a complex web of agreements, including development contracts, data-sharing agreements, and tailored collaborations based on specific needs and contributions—at least where the business customer can insist on such agreements rather than merely signing online terms and conditions that are generally nonnegotiable.
Contract elements that can assist in establishing mutually practicable guardrails and controls include:
- Statement of work or work order that adequately describes the tool’s functionality, training offered (if any), and information regarding periodic updates and support
- Notice and acceptance in which the customer gets to test the tool before any payments are due, and a process for addressing whether the tool performs as expected
- Data usage and data protection information, including origin of the data used to train the algorithm, as well as privacy, security, and an incident response process
- Indemnification that specifically addresses unique AI risks, including intellectual property claims, breach and security incidents, and output errors
- Dispute resolution comprising a period in which the parties can discuss the dispute before resorting to litigation or arbitration
Providers and customers who adopt this framework can accrue additional benefits, such as accelerating completion of the deal, helping get revenue in the door faster.
Integrating the tool into the business’s processes will entail a comprehensive risk assessment and an AI compliance program.
The risk assessment should include interviews with the relevant stakeholders as to the kind of AI tool they envision and how it would assist in meeting the subject business needs.
With the tool’s purpose in mind, the company should collect documents and data concerning current AI usage and how its risks are addressed. Key knowledgeable individuals and entities including IT, employees who would use the tool, executive management, and the board of directors should be interviewed. The assessment also should include third parties.
Once a decision has been reached to acquire the AI tool, but before it is deployed, the business will need to prepare an AI compliance program. Compliance controls would address jurisdiction-specific requirements—that is, whether the tool is to be trained on data from regions and countries and states that have laws governing certain uses of AI.
Further, they would include contractual obligations such as cybersecurity controls, access controls, monitoring and quality assurance for output—especially for generative AI—and internal audits on how well the company is meeting the controls in the compliance program.
The company’s compliance office should already have the structure, resources, and expertise to provide these steps for an effective AI compliance program:
- Standards, policies, procedures, and internal controls specific to AI usage
- Compliance officer designation, including a detailed accountability chart and job description
- Background check processes for employees, directors, and third parties, including sample checklists that emphasize background issues unique to AI
- Compliance training for daily users of the AI tool, executive management, directors, and third parties who would access the tool
- Auditing, monitoring, reporting, and accountability processes including detection, investigation, tracking, and acting upon anomalies in the performance of the tool—with a reporting hotline
- Incentives and discipline, including bonus provisions, access termination, and bonus clawback
- Updates and patch management processes
Acquiring AI tools that take advantage of the potential efficiencies in this evolving technology offers various benefits for the organization. But the threshold questions aren’t whether to license the tool, whether to attempt to develop it in-house, what data the tool will use, or what data it will be trained on.
The initial inquiries should be what the tool will do and how it will assist the company’s growth and sustainability. With the answers to these questions in hand, the organization can prepare risk assessment and compliance programs instrumental in making the acquisition and deployment a success.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Kenneth N. Rashbaum is partner at Barton focusing on privacy, cybersecurity, and e-discovery.
Carole Basri is chief adviser of the Association of Corporate Counsel In-House Counsel Accreditation Program and visiting professor at Peking University School of Transnational Law.
Write for Us: Author Guidelines
To contact the editors responsible for this story: