Using AI in your business: the legal and financial risks every UK board should be addressing
Generative AI tools have moved from novelty to default in the space of two years. Your teams already use them to summarise documents, draft emails, write code and analyse client data — usually before anyone at board level has agreed how they may. The question for the board is not whether AI is being used in your business; it is whether that use is quietly building an unbudgeted liability on the balance sheet, in the form of regulatory fines, indemnity payouts, lost legal privilege and intellectual property that turns out not to be yours.
The questions we are most often asked are not theoretical. They tend to follow something that has already happened — a confidentiality slip, a query from a regulator, a contract dispute. By then the cost has crystallised.
The points below are the ones every UK business — not only those that consider themselves “AI businesses” — ought to be addressing now.
Confidentiality — once it is out, you cannot get it back
Most public AI tools send whatever you type to the provider’s servers, and a free consumer account is governed by the provider’s standard consumer terms, not by any contract with your business. When a member of staff pastes a client contract, a board paper, a draft offer letter or a financial forecast into such a tool, the business has disclosed that information to a third party, and has very likely breached an NDA or client confidentiality undertaking it has already signed.
The risk runs inward as well. On default consumer settings, some tools keep your prompts and use them to train the provider’s next model: pricing strategy, supplier terms, customer lists, source code, the lot. Even where training is switched off or excluded by contract, providers commonly retain prompts for a period for abuse monitoring and may pass them to sub-processors no one in your business has vetted; the retention period and the sub-processor list are set out in the terms, and they differ between the free, paid and enterprise tiers of the same product. If staff paste legal advice into such a tool to have it summarised, the business risks losing privilege over that advice, and the other side can seek disclosure of it in any future dispute.
It is worse still when staff use AI through personal accounts, browser extensions or unsanctioned consumer tools outside corporate IT. The business is left with no audit trail of what has gone out, to whom, or under whose terms — and no realistic way to claw it back.
Financially, this matters because the higher tier of UK GDPR fines runs to £17.5m or 4% of global annual turnover, whichever is higher. A serious confidentiality breach can also trigger customer churn, claims under breached NDAs, indemnity claims and rising PI insurance premiums, none of it provisioned for.
Reliance on AI outputs — confident is not the same as correct
AI tools confidently produce text that is partly or entirely wrong — the much-publicised "hallucinations". When staff treat the output as authoritative and act on it without checking, the business picks up the bill: negligence claims, contractual breach, regulatory complaints, reputational damage. Staff create the largest exposure when they ask AI to summarise long documents, do the maths or draft client-facing advice — precisely the work where errors are hardest to spot and most expensive to put right.
Intellectual property — who owns what AI produces?
UK law on AI-generated work is still unsettled. When AI drafts something and your team finishes it off, can you demonstrate authorship? If not, the value sitting on your balance sheet as IP may not hold up. When your team uses AI to produce marketing copy, code, designs or imagery, two risks land at once: you may not own what you have produced, and you may have infringed someone else’s rights along the way. The original rights-holder can sue the business — and your own client can call on the IP indemnity in their contract, leaving you to pay both sides.
Your supplier contracts — the AI clauses worth reading
Enterprise SaaS suppliers now build AI processing into the core product — sometimes on by default, sometimes via opt-in switches that quietly become opt-out at the next renewal. AI provisions tend to be tucked away in updated DPAs or new "AI Schedules", and suppliers reserve the right to vary those terms unilaterally. At renewal those clauses deserve as much attention as the price and the SLA — they decide whether your data trains someone else’s product, and who carries the liability when it goes wrong.
What to do now?
A short, proportionate programme closes most of this exposure and costs a fraction of one serious incident. UK businesses should:
• adopt an AI Acceptable Use Policy that names the approved tools, the data staff may and may not feed them, when human review is mandatory, and who decides the edge cases;
• back the policy with technical controls (DNS filtering, web-proxy categories, MDM and browser-extension allow-lists) so that unsanctioned consumer tools and personal-account use are actually blocked on corporate devices rather than merely prohibited, and so that approved use leaves an audit trail;
• update NDA and confidentiality templates to address AI explicitly — restricting the input of confidential information into AI tools, and recording any permitted use;
• refresh customer and supplier contracts so that AI use, AI-assisted deliverables and training-data restrictions are addressed in every new agreement;
• review and renegotiate AI clauses in software supplier agreements at renewal — training rights, output ownership, IP indemnities and sub-processors;
• run a DPIA for any AI use involving personal data at scale, or any decision-making that affects individuals; and
• train your people. Well-meaning staff cause most AI incidents — they simply do not know what is off-limits. Short, role-specific training pays for itself the first time it stops one ill-judged paste into the wrong tool.
It is unglamorous work — but it is materially cheaper than defending claims for breach of confidence, negligence or IP infringement once the information is already out.
Orange Grove Law’s experienced commercial, IP and data privacy team can help you put a workable AI governance framework in place, proportionate to the size and risk profile of your business, and navigate what is, for now, a fast-moving minefield. Contact us to discuss your AI governance.