Founders adopting AI tend to focus on the upside: faster work, more output, and a clearer competitive edge.
What often gets missed is what you are agreeing to when you start using these tools, and how quickly small decisions can create legal exposure.
Below are five legal questions every business should answer before going all-in on AI.
1. Are you feeding confidential data into a model that is training on it?
If confidential information goes into an AI tool, you need to understand what happens next.
Some tools use inputs to improve their models by default. Others keep inputs isolated. The difference matters. If your data is being used to train and improve models, in theory a competitor could see and take advantage of your company’s confidential information in the outputs it receives. It could also risk losing confidential status altogether.
What to check:
Whether the provider trains on your prompts or uploaded files.
Whether there is an opt-out, and whether it actually applies to your plan.
Whether you have an internal policy for what can and cannot be pasted into AI.
2. Does personal data go in, and do you have a legal basis for that?
AI tools are often used on real customer data without anyone intentionally deciding to do so.
If personal data is being processed, you need a lawful basis, clear notices where required, and appropriate agreements and risk assessments in place.
What to check:
What personal data is being used, and for what purpose.
Whether you have the right lawful basis under data protection rules.
Whether the tool provider’s agreements cover this use.
3. Who owns what the AI produces?
AI-generated output can raise questions about ownership, licensing, and reuse.
Even where ownership looks straightforward, the provider’s terms can still restrict how output is used or shared. Where you are using AI tools to produce valuable IP (such as production code), any suggestion that you do not own it could be disastrous at your next raise or on an exit.
What to check:
What the terms say about output ownership and licensing.
Whether the provider can reuse output to improve products or train models.
Whether your customer contracts need to address AI-created deliverables.
4. Is anyone checking the output before it informs a real decision?
AI output can be wrong, incomplete, or biased, and it can still look convincing.
The legal risk often shows up when output is relied on without review, such as in marketing claims, HR decisions, financial conclusions, or customer advice. Automated decision making is also currently the most regulated area of AI use, sometimes requiring consent depending on the impact.
What to check:
Where AI output is being used in workflows.
Whether there is a human review step for higher-risk uses or consequential outcomes.
Whether you have a documented process for testing and monitoring accuracy.
5. Do your customers know when they are interacting with AI?
If customers interact with AI, they may need to be told. In some contexts (such as deepfakes or AI videos), transparency is not just good practice, it is a legal requirement.
What to check:
Whether your product or support workflow involves AI-driven interaction.
Whether your customer terms, privacy notice, and product messaging are consistent.
Whether you need additional disclosures for specific jurisdictions or sectors.
None of these risks are hypothetical
These are live issues that have already caused problems for other businesses.
If your team is scaling AI use and you want to make sure the foundations are solid, it helps to review tools, data flows, and contracts before problems surface.
We are a fixed-fee legal service built for startups and scaleups. If you want a quick review of your AI stack and how it is being used, get in touch with us below.
