My colleague Gerrit Beckhaus was quoted in a recent FT article about the watershed moment for the legal sector that was the unleashing of generative AI (genAI) tools. AI-powered tools have been around for some time – but while they may previously have been suited to individual use cases, they often didn’t live up to their marketing claims, which touted a world in which lawyers’ jobs were easier and AI helped to streamline repetitive tasks, freeing lawyers up to give the most interesting, strategic advice.
The explosion of genAI tools – algorithms that can be used to generate new content, including text, images or software code – is likely to be a gamechanger and has brought digital transformation even higher up the agenda for many sectors, including the legal sector. The risks presented by genAI are largely common across all industries – and the strategies for mitigating those risks will also be similar.
Where do you start with your risk assessment so you can embrace the opportunities presented by AI?
It’s useful to consider AI-related risks from three perspectives: input risks, AI model/platform risks and output risks – this then enables you to tailor the most appropriate risk mitigants.
Assessing risks relating to model inputs requires asking questions about the inputs used to train a genAI model and to query that model through prompts –
for example, are you risking:
- loss of IP protection or exclusivity – sharing confidential or IP-protected input could result in that input losing its confidentiality, or in that input (or related metadata) being licensed to the AI provider or third parties.
- infringing on third party rights or breaching contract terms – are you using third party content as input in a way which infringes third party IP rights (note that, for example, statutory exceptions for use of copyrighted content are limited and vary from jurisdiction to jurisdiction) or puts you in breach of the contractual terms under which you first accessed that content?
- breaching regulation – do the inputs you are using include data that is subject to other regulation (eg data privacy, antitrust, consumer protection or bank secrecy regulation, or export control rules) and, if so, is your use of that data as a model input permitted under the relevant regulations?
The particular model/platform you are using may raise its own issues
– for example, are you considering the following in your use of a genAI tool:
- ownership – your use of a genAI model might result in an accrual of improvements that benefit the AI provider (and the contractual terms on which you access the model may allocate ownership of the rights in those improvements to the AI provider). This is something you need to diligence in the terms on which a model provider makes its tools available to you, particularly if you are spending considerable time fine-tuning a model or adjusting its weights to your benefit.
- model drift and loss of accuracy – this is a particularly acute risk when a model encounters data that differs from the data it was trained to handle (data drift). Do you know whether the data used to train the model you are using resembles the data you will actually be using with that model? A simple drift check is sketched below.
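To make the data-drift point concrete, here is a minimal Python sketch of one way such a check might work – the feature (document length), the sample sizes, the threshold and the choice of a two-sample Kolmogorov–Smirnov test are all illustrative assumptions, not a prescribed method:

```python
# Minimal, illustrative data-drift check: compare the distribution of a
# feature of live inputs against a reference sample from training data.
# The feature, sample sizes and threshold below are assumptions.
import numpy as np
from scipy.stats import ks_2samp

def looks_drifted(reference: np.ndarray, live: np.ndarray,
                  p_threshold: float = 0.01) -> bool:
    """True if the live sample differs significantly from the reference."""
    result = ks_2samp(reference, live)
    return result.pvalue < p_threshold

# Hypothetical feature: length (in words) of the documents the model sees
rng = np.random.default_rng(seed=0)
training_lengths = rng.normal(loc=500, scale=100, size=1000)
live_lengths = rng.normal(loc=900, scale=150, size=200)  # much longer documents

if looks_drifted(training_lengths, live_lengths):
    print("Possible data drift – re-validate accuracy before relying on output")
```

If a check like this trips, the practical response is the one described above: re-assess whether the model is still fit for the data you are actually feeding it.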
The output from an AI model is a work independent of the model and may raise its own issues – for example, it may:
- infringe third party IP – what guarantees is the provider of the relevant model willing to give that the output of its model is free of third party rights so that you know you can exploit that output?
- be incorrect – what if the output is simply wrong and you make a business or other decision based on it? Who is liable for the consequences of that use of the output? Model hallucination doesn’t just make for a snappy headline – it might result in reputational and commercial risk.
- not be eligible for IP protection – IP laws typically require a human creator for protection – so how will you ensure you maintain value in output created by the model? Is the model provider at least willing to contractually agree that the output is yours and that they do not store or reuse any copies of it?
Mitigating the risks presented by genAI requires an “eyes open” approach
– know the limitations of the genAI tools you use, and identify the associated risks and potential mitigants. And evaluate the risks and mitigants periodically – the tool you are using will likely evolve, and the risks it presents may also change, requiring new mitigants. For your menu of potential mitigants, you should be considering:
- Strong governance, including training and clear policies for AI development, deployment and usage
- Using redacted information as inputs into AI models (a minimal redaction sketch follows this list) or, if you’re confident that the AI model protects the confidentiality of your inputs, making sure the model is trained on data whose provenance you have controlled and checked, to reduce the hallucination risk
- Verifying sources and quality of output
- Reviewing the risk of potential IP infringement which may arise from using generative AI, including by reviewing the terms of use of the AI system and the sources of training data
- Monitoring the AI’s performance and errors, including any potential biases, with a plan in place to address any issues promptly (a simple logging sketch also follows this list)
- Clearly documenting the chosen AI system’s design, operation, and limitations
- Making frequent and understandable disclosures to users (whether internal business users or customers who might interact with a model) about the limitations or known bugs in the model/AI product
- Assessing how dependent you are on a third party tool – the aim is to design your AI programme in a way that develops your models and IP separately from a third party AI provider’s models
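To illustrate the redaction mitigant above, here is a minimal, hypothetical Python sketch – the patterns, the internal matter-reference format and the placeholder labels are assumptions, and a real programme would need far more robust detection (and human review) before any prompt leaves your environment:

```python
# Illustrative redaction of obvious identifiers before a prompt is sent
# to a third-party genAI API. The patterns here are assumptions, not a
# complete confidentiality solution.
import re

REDACTION_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "matter_ref": re.compile(r"\bMATTER-\d{6}\b"),  # hypothetical internal format
}

def redact(text: str) -> str:
    """Replace each matched identifier with a labelled placeholder."""
    for label, pattern in REDACTION_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {label.upper()}]", text)
    return text

prompt = "Summarise the advice sent to jane.doe@example.com re MATTER-123456"
print(redact(prompt))
# Summarise the advice sent to [REDACTED EMAIL] re [REDACTED MATTER_REF]
```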
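And for the monitoring mitigant, a similarly hedged sketch of interaction logging – the field names and file-based log are illustrative only; the point is that prompts and outputs should be captured in a form a human reviewer can audit for errors and potential bias:

```python
# Illustrative logging of genAI interactions for later human review.
# Field names and the JSON-lines file are assumptions, not a standard.
import json
from datetime import datetime, timezone

LOG_PATH = "genai_interactions.jsonl"  # hypothetical log location

def log_interaction(prompt, output, reviewer_flag=None):
    """Append one interaction record for audit and bias review."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "prompt": prompt,
        "output": output,
        "flag": reviewer_flag,  # eg "ok", "hallucination", "possible bias"
    }
    with open(LOG_PATH, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")

log_interaction("Summarise clause 4.2", "Clause 4.2 limits liability to...")
```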
For more of our thinking on AI and how to navigate the legal issues it presents, see: https://www.freshfields.com/en-gb/our-thinking/campaigns/technology-quotient/tech-and-platform-regulation/artificial-intelligence-regulation/