AI Legal Issues From the 1,000 Ft View — Revisited

Originally written internally in November 2023, while I was in-house lead legal counsel for my former Central Engineering Organization and the Product Security Offices at a semiconductor company. I’m sharing it now with a “here’s what actually happened” lens.

Run toward the hardest problems

In 2023, as generative AI started rippling across the company I worked for, I found myself pulled into some of the hardest, least-settled questions in my legal career. Lawyers tend to thrive where the law is settled, even better if there is a precedent or a clear statute to point to. AI created several scenario that completely blew all that up. It was cutting-edge, deeply technical, and almost entirely unprecedented, my happy place.

My CEO at the time had a line she came back to often: “Run toward the hardest problems.” In my view, in order to be helpful and effective, that’s what I, as in-house counsel, had to do with AI in 2023, there was no settled doctrine to retreat to.

So here’s what I wrote at the time, plus an honest look at how it’s held up.

Three legal buckets

From the 1,000-foot view, I found it useful to boil the legal issues down to three areas:

  1. Intellectual Property
  2. Data Protection and Privacy
  3. Liability and Accountability

They blur together once you get into the weeds, but staying at altitude, here’s what I was worried about as in-house counsel, and how each has played out since.

Intellectual Property

The 2023 concern: Could we lose our ability to claim IP ownership over things AI helped create? Generative and discriminative AI tools mimic the very thing IP law was built to protect, a human’s ability to think, discriminate, and create. The law was (and still is) wrestling with how much AI-assisted work is protectable. My guidance at the time: mark AI-generated content as AI-generated, and be careful about how much creative/inventive credit you claim for work a model helped produce.

A related worry, were we giving up IP protection just by using these tools? The cautionary tale everyone cited back then was Samsung employees pasting confidential code into public ChatGPT, which stripped that information of trade-secret protection the moment it left the building. The fix many companies adopted was to go private: procure private, enterprise versions of these tools so confidential material never touches a public model.

The second IP issue was the inverse question: is the tool infringing someone else’s rights? Are we sure we have the rights and licenses to the model, the training data behind it, and the output it generates? In 2023, this was almost entirely a question mark.

Where it stands now: This is the one that’s actually moved. Since 2023, three rulings have given the first real shape to AI-and-copyright law:

  • Bartz v. Anthropic settled for $1.5 billion after a federal judge drew a sharp line: training an LLM on legally-acquired books can be fair use, but acquiring those books via pirated shadow libraries is not. Acquisition and training got treated as two separate legal questions.
  • Kadrey v. Meta reached a similar fair-use conclusion on training, but flagged that market-harm arguments (AI flooding a market with substitutes for the original works) could tip the analysis the other way with a better evidentiary record.
  • Thomson Reuters v. Ross Intelligence went the other direction, the court found Ross’s AI training on Westlaw’s copyrighted headnotes was not fair use. As of Jun 2025, the case is now on appeal, and so we are far from any kind of settled jurisprudence.

In other words: my “we genuinely don’t know” from 2023 has resolved into “it depends heavily on how you acquired and used the training data”, which is progress, but it’s a fact-specific, case-by-case kind of progress, not a bright-line rule. The music industry is fighting a parallel version of this same battle right now, with publishers and labels pursuing billion-dollar claims against several AI companies on the same piracy-in-training-data theory.

Data Protection and Privacy

The 2023 concern: AI tools run on data, and that data often includes personal information about employees, customers, or third parties. Companies still have to comply with GDPR, CCPA, PIPEDA, and the rest of the existing privacy patchwork, AI doesn’t get a carve-out. My guidance then: don’t feed personal or personnel information into an AI tool as input.

Where it stands now: This guidance has aged the least, in the sense that it’s still applicable, and it’s only gotten more codified. A growing number of jurisdictions have layered AI-specific obligations (impact assessments, transparency requirements, consent rules for automated decision-making) on top of the existing privacy frameworks rather than replacing them. The baseline rule from 2023, treat AI input the same way you’d treat any other third-party data transfer, still holds.

Liability and Accountability

The 2023 concern: What happens when an AI tool produces inaccurate, biased, or unlawful output — or gets hacked and produces something actively harmful? I posed a hypothetical at the time about a compromised internal AI tool inserting a vulnerability into a hardware design, and asked: who’s liable, and can that liability be capped or shifted to a vendor?

Where it stands now: Still genuinely unsettled, and arguably more pressing. Litigation has expanded into areas like AI-driven hiring and screening tools, where plaintiffs are testing whether using an algorithm to make consequential decisions shifts or expands liability rather than insulating the company that deployed it. The core questions I raised in 2023, can you contractually push liability to the vendor, does “the model did it” work as a defense, are still being tested in real cases rather than answered by settled doctrine.

The triage question I still use

When I assess legal risk for a specific AI tool or use case, it still comes down to three questions:

  1. What’s going into the tool?
  2. What is the tool doing with that input?
  3. What are we planning to do with the output?

That framework hasn’t needed updating. The law around each of those three questions has — and will keep moving for a while yet.

As always: none of this is legal advice, just one in-house lawyer’s notes from inside the disruption.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top