"Put Gen AI policies in place now to prepare for future legal requirements"
As employees experiment with generative artificial intelligence, general counsel must issue guidance that will prove valuable to the enterprise and to employees, according to a new report by global research and advisory firm Gartner Inc.
“To craft an effective policy, general counsel must consider risk tolerance, use cases and restrictions, decision rights, and disclosure obligations,” said Laura Cohn, senior principal, research at Gartner. “Having GenAI guardrails and policies in place will better prepare enterprises for possible future legal requirements.”
Based on practices in AI policies instituted by companies and city governments, the report indicates that general counsel should direct organizations to consider four actions when establishing a policy:
Align on Risk Tolerance
Legal leaders should borrow a practice from enterprise risk management and guide a discussion with senior management on ‘must-avoid outcomes.’ Discuss the potential applications of generative AI models within the business. Once these are identified, consider which potential outcomes must be avoided, and which entail acceptable risk given the potential benefit of AI.
Determine Use Cases and Restrictions
Legal leaders should gain an understanding of how generative AI could be used throughout the business by collaborating with other functional leaders. Compile a list of use cases and organize them according to perceived risk — both the likelihood and severity of the risk.
“General counsel should not be overly restrictive when crafting policy,” Cohn said. “Banning use of these applications outright, or applying hard controls, such as restricting access to websites, may result in employees simply using them on their personal devices. Leaders can consider defining low risk, acceptable use cases directly into policy, as well as employee obligations and restrictions on certain uses, to provide more clarity and reduce the risk of misuse.”
Agree on Decision Rights and Risk Ownership
It’s imperative that general counsel and executive leadership agree on who has the authority to make decisions on generative AI use cases. Legal teams should work with functional, business, and senior leadership stakeholders to align on risk ownership and review duties.
Decide on Disclosures
Organizations should have a policy of disclosing the use and monitoring of generative AI technologies to both internal and external stakeholders. General counsel should help companies consider what information needs to be disclosed and with whom it should be shared.
“A critical tenet common across global jurisdictions (including the standard-setting EU) is that companies should be transparent about their use of AI. Consumers want to know if companies are using generative AI applications to craft corporate messages, whether the information appears on a public website, social channel, or app,” said Cohn.
“This means general counsel should require employees to make sure the GenAI-influenced output is recognizable as machine generated by clearly labeling text. Organizations also may consider including a provision to place watermarks in AI-generated images to the extent technically feasible,” she added.
