Excerpted from a Troutman Pepper Blog by Jason Lichter, Alison Grounds, Tracey Diamond, Ahsley Hager, Kim Phan and James Koenig
Generative Artificial Intelligence (AI) has infiltrated every aspect of corporate America, and organizations’ legal, compliance, and human resources departments are understandably struggling to keep pace. Forward-thinking companies are beginning to implement policies governing the use of these tools, but an off-the-shelf policy not tailored to your unique circumstances could do more harm than good.
As an early adopter of generative AI in the law firm community, we faced these same challenges when crafting the firm’s first AI policy, and we quickly realized our clients could benefit from reviewing some key questions we asked ourselves during that process.
Policy Scope
- Should your organization adopt a policy specific to generative AI, or should it cover all forms of AI?
- Should your company distribute an entirely new policy, or can existing policies (e.g., those defining acceptable uses of core IT systems), be amended to adequately address generative AI?
- What other corporate policies and procedures warrant potential amendment due to generative AI use? Policies regarding data privacy, information security, bring-your-own-device (BYOD) programs, work-from-home programs, and records retention may also be overdue for a refresh.
Organizational Usage of Generative AI
- To what extent are segments of your organization already using AI, and for what purposes?
- Setting aside legal requirements, what uses of generative AI does your organization want to encourage/accept/discourage/prohibit to align with its culture and business objectives?
- Does your organization offer any products or services that leverage generative AI? If so, your policy will need to be drafted with those preexisting products and services in mind.
Legal Environment
- Do any of your vendors/partners use generative AI to perform functions relating to your business and, if so, should your contracts be amended to address such use?
- Are you following all current laws and government agency guidance regarding your use of AI tools?
- How can your organization make use of generative AI while simultaneously protecting its own intellectual property and guarding against inadvertent infringement of others’ intellectual property?
- What are the implications of generative AI use on your organization’s privacy and cybersecurity programs, particularly as it relates to sensitive data collection, use, and sharing?
- Is your organization subject to industry/regulatory oversight or jurisdiction-specific limitations on whether/how generative AI tools can be used, and the extent to which uses must be disclosed? We recommend conferring with counsel on these questions.
- How will consumer and employee concerns/complaints regarding generative AI use be handled? How much transparency is required? Will employees and consumers have any opt-out or notice and consent rights with respect to certain uses of generative AI?
- Are you prepared to preserve and collect all records of generative AI use in the event of litigation or an investigation implicating the use of AI?
Practical Issues
- Which stakeholders within your organization should have a voice in the development, implementation, and enforcement of a generative AI policy?
- Are your organization’s legal, compliance, and HR departments equipped to roll out, enforce, and audit a generative AI policy?
- What level of human oversight/validation of generative AI output is required?
- What forms of training does your organization require to educate employees, contractors, and others on the risks and benefits of generative AI as well as the new skills essential to extracting maximum value from the technology?
We hope this guidance helps to reduce, rather than amplify, the anxiety rightfully felt by many seeking to gain better control over unfettered use of generative AI.
For the full story, please click here.