Is your company adequately adapted to AI? Key considerations to keep in mind

Is your company adequately adapted to AI? Key considerations to keep in mind

The rapid expansion of artificial intelligence (AI) continues to accelerate, and many companies are now compelled to review and design their strategies for adopting AI systems within their internal processes. However, any such strategy must be grounded in a prior assessment of the legal implications and risks that may arise from implementing the AI system in question.

Legal risks associated with the use of artificial intelligence

The main legal risks typically faced by companies include the following:

1. Personal data: this is one of the most common risks. If employees upload information relating to clients, staff, or suppliers into an external AI model, the company may face compliance issues if it cannot control where such data is stored or how it is processed. In practice, an innocuous copy-and-paste may constitute a breach of the General Data Protection Regulation (GDPR).
2. Intellectual property: some companies generate text, images or other types of content using AI, but they are not always aware of the extent to which such output may be derived from protected works. This may give rise to potential claims or uncertainty regarding the true ownership of the rights associated with the resulting material.
3. Automated decision-making: in areas such as recruitment, financial analysis or customer segmentation, an AI model may introduce bias without being detected. If a decision is unfair or discriminatory, ultimate liability rests with the company rather than with the tool.
4. Generic contracts with AI providers: companies often enter into agreements with AI vendors or developers that fail to specify what happens to the data introduced into the system, the provider’s guarantees, or the allocation of liability in the event of an incident. These omissions relate to essential aspects that must be addressed when integrating any AI solution into internal processes.
5. Trade secrets: if employees using external AI systems have not received adequate training, they may inadvertently disclose confidential information when preparing a report or seeking assistance, potentially exposing commercially sensitive information.
6. Traceability: is a mandatory requirement for any AI system. If the company is unable to explain how a particular output was generated (i.e., if it cannot reconstruct the process (which data were used, how the model was trained, what decisions were involved) it may encounter difficulties in the context of an audit or a legal claim.

These constitute some of the principal risks associated with implementing AI models within a company, though they are not the only ones. It is therefore essential that, prior to implementation, the tool is assessed and the organisation prepared for its integration as an operational resource.

Compliance with the EU Artificial Intelligence Act

The new European Union Artificial Intelligence Act requires companies to understand the types of AI systems they use and the level of risk associated with each. Using a simple productivity tool is not the same as deploying a model that makes decisions affecting customers or employees. Accordingly, the first step is to correctly identify the applicable risk category in order to determine the relevant obligations.

AI systems classified as “high-risk” are subject to additional controls, such as ensuring data quality, documenting system functionality, guaranteeing genuine human oversight, and establishing incident-management protocols. This means that companies must have the capacity to monitor and review the behaviour of these systems.

For generative AI tools, the AI Act introduces specific transparency obligations. These include informing users when content has been generated or modified by AI, as well as adequately documenting sources and the measures taken to respect third-party rights. These requirements aim to maintain trust and prevent confusion or misuse.

The legislation also encourages companies to conduct periodic risk assessments, documenting the purpose of each tool, how it is supervised, and the measures adopted to minimise potential impacts. This not only ensures legal compliance but also provides a clear understanding of how AI affects the organisation and enables proactive decision-making.

All of this entails generating internal documentation and records: which systems are used, who administers them, which providers are involved, and what controls are in place. Such documentation is critical for demonstrating compliance during inspections and for avoiding potentially significant penalties.

Internal training and operational adaptation

Integrating AI into a company is not merely a matter of adopting new tools; it requires preparing staff and adapting operational workflows. A fundamental step is establishing an internal policy governing AI use, setting out what is and is not permitted, the types of information that must not be entered into external tools, and the best practices employees should follow.

In this respect, staff training is equally important. It is not sufficient to teach employees how to “use” a tool; they must also understand the legal risks, how to detect bias, how to protect privacy, and how to critically assess AI-generated outputs. The greater the organisation’s digital literacy, the lower the likelihood of errors.

Many companies are now beginning to appoint individuals responsible for overseeing AI use (sometimes referred to as “AI champions”), who serve as internal points of reference, resolve queries, and help incorporate these tools in an orderly and compliant manner.