Artificial intelligence isn’t “coming to” business and law—it’s already embedded in them. It drafts. It predicts. It hires. It prices. It recommends medical care. It decides who gets a loan, who gets flagged, and who gets fired. And because AI systems increasingly act (or appear to act) with autonomy, the legal system is being forced to answer a blunt question:

When an algorithm causes harm, who pays—and under what theory?

What follows is a practical, lawyer-friendly map of the biggest AI legal issues that companies (and their counsel) must confront now—especially if they are using, buying, licensing, or building AI.

Figure 1

1) The New Center of Gravity: Contracts and Risk Allocation

Most AI disputes won’t start in court. They’ll start in the contract you signed—or failed to negotiate.

If AI is part of your product, service, or internal operations, the “standard software license playbook” is no longer enough. AI changes the risk profile because:

• outputs can be wrong but plausible

• systems can drift over time

• training data can create IP exposure

• models can create privacy liability

• failures can scale instantly across customers

Figure 2

The contract terms that matter most

Representations & warranties:If the vendor claims performance, accuracy, compliance, “non-infringement,” or “no harmful output,” push for clarity on what those words mean in an AI context. “Non-infringement” is especially fraught when an AI system can generate code, text, or images that resemble protected works.

Indemnification:Traditional indemnities assume we can identify the human “cause.” AI breaks that assumption. You need to define who bears risk when harm arises from:

• model output (hallucination, defamation, discrimination)

• training data (copyright/trade secret issues)

• fine-tuning (customer-controlled behavior)

• deployment choices (unsafe use cases)

  
  

Limitation of liability:A “fees paid” cap can be absurdly low compared to AI-driven damages:

• regulatory penalties

• class-action exposure

• product safety claims

• breach response costs and reputational lossAI failures can be catastrophic without being intentional.

  
  

Data rights and reuse:AI vendors often want rights to aggregate customer data to improve their models. Customers often fear training competitors’ advantage. Contracts must precisely define:

• permitted uses (training vs. analytics vs. debugging)

• aggregation/anonymization requirements

• security and retention

• opt-outs and audit rights

Bottom line: AI contracting is no longer “procurement paperwork.” It’s enterprise risk engineering.

2) Privacy and Data Security: The Laws Are Catching Up to the Models

AI runs on data. But privacy law runs on boundaries: purpose limitation, minimization, transparency, and control.

That creates a built-in conflict:

• AI wants more data for more signal

• privacy frameworks demand less data for less exposure

Figure 3

The collision points you cannot ignore

Automated decision-making rights (ADMT):Regulators are increasingly demanding transparency and controls when AI produces “significant decisions” about individuals (think: employment, housing, credit, healthcare, education). California’s privacy regulator has announced finalized ADMT rules with compliance timing that effectively pushes businesses toward full readiness by January 1, 2027 for significant-decision ADMT use.¹

Security and governance expectations:NIST’s AI Risk Management Framework (AI RMF 1.0) is becoming a de facto baseline for “responsible AI” governance discussions—especially when regulators, customers, or litigants ask what “reasonable” looks like.²

Secure development as a legal defensibility story:Security agencies are now publishing “secure-by-default” guidance for AI systems—useful not only for engineering, but for future legal defense when a breach, manipulation, or unsafe output occurs.³

Bottom line: If you can’t explain your data flows, retention, model access controls, and monitoring—your AI will eventually explain them for you, in discovery.

3) Intellectual Property: The Three-Front War (Outputs, Training, and Ownership)

Figure 4

A) Outputs: “Who owns what the model creates?”

The U.S. Copyright Office has reiterated that purely AI-generated material isn’t copyrightable; human creativity must be meaningfully present.⁴ Courts have reinforced the same principle: the D.C. Circuit held that copyright requires human authorship, rejecting protection for an AI-created artwork with no human author.⁵

Practical effect:If your business model depends on “we own the AI outputs,” you need careful structuring:

• human authorship workflows

• documentation of human contribution

• clear IP assignment provisions with contractors and vendors

B) Training: “Can you train on copyrighted works?”

The “training = infringement vs. training = fair use” fight is intensifying. Federal courts have begun issuing major decisions analyzing fair use in LLM training, including rulings in cases involving Anthropic and Meta/Llama training on books.⁶⁷ These decisions are fact-specific—and they do not give a blanket immunity story, especially where datasets include pirated materials or the record is underdeveloped.

Practical effect:If you train models (or fine-tune them), you need a defensible data story:

• dataset sourcing

• licenses

• provenance tracking

• filtering and takedown processes

• policies against pirated corpora

C) Ownership: “What if the AI invents something?”

Patent law still requires inventors to be human beings; AI is treated as a tool, not an inventor. (If you use AI in R&D, your biggest risk is sloppy inventorship documentation and overclaiming novelty.)

Bottom line: IP is no longer just “protect our code.” It’s “prove where our data came from, prove humans contributed, and prove we didn’t ingest someone else’s crown jewels.”

4) Product Liability: When AI Is in the Thing That Hurts Someone

Figure 5

As AI moves from chatbots into machines—cars, robots, IoT devices—the legal system is being pushed toward new fault models.

Traditional product liability theories still dominate:

• negligence (design, warnings)

• breach of warranty

• strict liability (defective and unreasonably dangerous)

But AI complicates the simplest question: what was the defect?

• the model?

• the training data?

• the update?

• the deployer’s configuration?

• the human who relied on the output?

Courts are already seeing cases where plaintiffs use classic theories against tech-like systems (e.g., navigation errors leading to accidents). The evolution here won’t be philosophical—it’ll be driven by injuries, insurance, and juries.

Bottom line: If AI is making real-world decisions, you need safety engineering + legal defensibility baked in from day one.

5) Employment: Bias, Disparate Impact, and the “Black Box” Problem

Figure 6

Using AI in hiring and HR creates two simultaneous legal hazards:

1. Discrimination risk (disparate treatment / disparate impact)

2. Explainability risk (you must articulate nondiscriminatory reasons)

AI can screen at scale—meaning plaintiffs can argue class-wide impact more easily. And the more opaque the model, the harder it is to defend decisions under traditional burden-shifting frameworks.

Bottom line: If AI touches hiring, promotion, termination, or accommodations, you need:

• bias audits and ongoing monitoring

• accommodations pathways

• documented human oversight

• vendor transparency obligations

  
  

6) Antitrust: The Algorithm Can Collude Faster Than Humans Can Text

Figure 7

AI pricing tools can optimize markets—or quietly coordinate them.

The Department of Justice has prosecuted algorithm-assisted price fixing in e-commerce contexts, including cases involving poster sales where pricing algorithms were used as part of illegal coordination.⁸

Even if your company never “agreed” with a competitor, regulators are watching scenarios where:

• algorithms learn to match price moves predictably

• firms rely on the same pricing engine vendor

• systems respond to competitors in ways that stabilize prices

Bottom line: If AI sets prices or recommends pricing, antitrust compliance must be part of the design, not a memo after the fact.

7) The Regulatory Drumbeat: Federal vs. State Power Struggles

Figure 7

AI governance isn’t just “more regulation.” It’s a conflict about who controls the rules.

On December 11, 2025, President Trump issued an Executive Order aimed at creating a national AI policy framework and directing evaluation of state AI laws deemed inconsistent with federal policy, alongside steps that anticipate litigation and funding pressure tied to that framework.⁹

Whatever your politics, the legal consequence is simple:AI compliance is now a moving target across federal, state, and sectoral regimes.

Bottom line: A company with a “single national AI strategy” still needs state-by-state legal awareness, at least for privacy, consumer protection, employment, and healthcare.

The “Do This Now” Checklist

If you want a serious posture (that is defensible to regulators, customers, and juries), start here:

1. Inventory every AI use case (internal + customer-facing).

2. Classify risk (safety, discrimination, privacy, IP, consumer deception).

3. Rewrite contracting standards for AI vendors and AI-enabled customers.

4. Document data provenance and implement retention/minimization controls.

5. Adopt an AI governance framework aligned to NIST AI RMF principles.²

6. Set rules for human oversight (when humans must review outputs).

7. Create incident response playbooks for model failures and harmful outputs.

8. Train your people—because most AI disasters start with ordinary employees pasting confidential data into tools.

   
   

AI Is Not a Tool Problem—It’s a Liability Architecture Problem

AI doesn’t just change efficiency. It changes responsibility. The companies that win won’t be the ones who “use AI the most.” They’ll be the ones who can say—clearly, provably, and consistently:

Sources

1. Cal. Privacy Prot. Agency, California Finalizes Regulations to Strengthen Consumers’ Privacy Rights Regarding Automated Decisionmaking Technology (ADMT) (Sept. 23, 2025) (announcing compliance beginning Jan. 1, 2027).

2. Nat’l Inst. of Standards & Tech., Artificial Intelligence Risk Management Framework (AI RMF 1.0), NIST AI 100-1 (Jan. 2023).

3. Nat’l Cyber Sec. Ctr. (UK), Guidelines for Secure AI System Development (Nov. 2023); see also Cybersecurity & Infrastructure Sec. Agency, CISA and UK NCSC Unveil Joint Guidelines for Secure AI System Development (Nov. 26, 2023).

4. U.S. Copyright Office, Copyright and Artificial Intelligence, Part 2: Copyrightability (Jan. 17, 2025).

5. Thaler v. Perlmutter, No. 23-5233 (D.C. Cir. Mar. 18, 2025) (affirming human authorship requirement).

6. Bartz v. Anthropic PBC, No. 3:24-cv-05417 (N.D. Cal. June 23, 2025) (order addressing fair use issues in AI training context).

7. Kadrey v. Meta Platforms, Inc., No. 3:23-cv-03417 (N.D. Cal. June 25, 2025) (order granting Meta partial summary judgment on fair use issues).

8. U.S. Dep’t of Just., Former E-Commerce Executive Charged with Price Fixing in the Antitrust Division’s First Online Marketplace Prosecution (Apr. 6, 2015).

9. Exec. Order No. ___, Eliminating State Law Obstruction of National Artificial Intelligence Policy, The White House (Dec. 11, 2025).