In the spring of 2023, a New York lawyer named Steven Schwartz stood before a federal judge and tried to explain why his brief cited six cases that did not exist. He had asked ChatGPT to research the law, the chatbot had obliged with confident, fluent, fully-formatted citations—Varghese v. China Southern Airlines, Martinez v. Delta Air Lines, and four more—and Schwartz had filed them. None were real. The opposing counsel could not find them. Neither could the court. When Schwartz went back and asked the chatbot whether the cases were genuine, it assured him they were. They were not. Judge P. Kevin Castel sanctioned the lawyers in Mata v. Avianca, Inc., 678 F. Supp. 3d 443 (S.D.N.Y. 2023), and the episode became the cautionary tale every bar association now tells at every continuing-legal-education seminar on technology.

That is artificial intelligence in 2026 in a single anecdote: extraordinarily capable, occasionally hallucinatory, and surrounded on all sides by legal questions the existing rules were never written to answer. AI now drafts contracts, screens job applicants, recognizes faces in retail stores, composes music, designs molecules, and recommends prison sentences. Each of those uses brushes up against a body of law—copyright, patent, privacy, employment discrimination, products liability, professional responsibility—that assumed a human being was doing the work. When the human steps back and the algorithm steps forward, the doctrine wobbles.

This article is a map of that wobble. It is not a comprehensive treatise; for that, see our companion piece, Artificial intelligence key legal issues: A comprehensive overview for businesses and legal professionals. What follows is the working overview: the issues a general counsel, a startup founder, or a curious litigator needs to understand before they sign the license, deploy the model, or file the brief. We will move through intellectual property, privacy, algorithmic bias, contracting, liability, the European regulatory wave, and legal ethics—pausing along the way to look at the cases that have actually been decided, because in this field the difference between a settled rule and an open question is enormous, and it is changing month to month.

A word on the term itself before we begin. There is no statutory definition of "artificial intelligence" that the whole field agrees on, and the marketing departments have not helped. At its core, AI refers to computer software that executes algorithms—sets of coded instructions—to recognize patterns, draw conclusions, optimize processes, and predict behavior, often improving with experience. The technologies range from natural-language processing (the engine behind plain-English legal research) to machine learning (systems that learn from past performance, like predictive text) to artificial neural networks (the architecture behind image recognition and the large language models now in every headline). When this article says "AI," it usually means one of these, and the legal analysis frequently turns on which one and how autonomously it operates.

The copyright question: can a machine be an author?

Start with the most philosophically vivid issue, because it has produced the clearest answers. Copyright protects "original works of authorship fixed in any tangible medium of expression" (17 U.S.C. § 102(a)). For most of the statute's history, the word "authorship" did no heavy lifting—of course there was an author; somebody wrote the book, painted the picture, composed the song. Generative AI broke that assumption. When a diffusion model produces a photorealistic image from the text prompt "a Victorian astronaut riding a seahorse, oil painting," who, if anyone, is the author?

The U.S. Copyright Office has an answer, and the courts have backed it: the author must be a human being. This is not a new position so much as a very old one applied to a new fact pattern. The principle traces to Burrow-Giles Lithographic Co. v. Sarony, 111 U.S. 53 (1884), where the Supreme Court upheld copyright in a photograph of Oscar Wilde precisely because the photographer made human creative choices—posing the subject, arranging the lighting, selecting the costume. The "human authorship" requirement got its most colorful modern airing in the so-called monkey-selfie litigation, Naruto v. Slater, 888 F.3d 418 (9th Cir. 2018), where the Ninth Circuit held that a macaque who tripped a camera shutter could not hold a copyright (the court resolved the case on standing, but the Copyright Office took the broader hint).

Then came the AI cases. In Thaler v. Perlmutter, the computer scientist Stephen Thaler sought to register a visual work titled "A Recent Entrance to Paradise," which he candidly described as "autonomously created by a computer algorithm running on a machine"—his "Creativity Machine." He listed the machine as the author and himself as the copyright owner by virtue of his ownership of the machine. The Copyright Office refused registration; the human-authorship requirement, it said, was not satisfied. The U.S. District Court for the District of Columbia agreed (Thaler v. Perlmutter, 687 F. Supp. 3d 140 (D.D.C. 2023)), and in March 2025 the D.C. Circuit affirmed, holding squarely that the Copyright Act requires a human author and that a machine cannot be one (Thaler v. Perlmutter, 130 F.4th 1039 (D.C. Cir. 2025)). The court did not need to reach the harder questions—about works made with AI assistance rather than by AI alone—because Thaler had stipulated that no human was involved.

That harder question is where the practical action is, and the Zarya of the Dawn decision is the key text. Kristina Kashtanova registered a comic book whose images were generated using Midjourney. When the Copyright Office learned how the images were made, it partially cancelled the registration in a February 2023 letter that has become required reading. The Office held that Kashtanova could claim copyright in the elements she authored—the text, and the "selection, coordination, and arrangement" of the images into a comic-book whole, which is a compilation under 17 U.S.C. § 101—but not in the individual AI-generated images themselves, because Midjourney, not Kashtanova, determined how the prompts translated into pixels. Typing a prompt, the Office reasoned, is more like commissioning a work or describing it to an artist than like authoring it; the user does not control the expressive output with sufficient precision.

The Copyright Office formalized this approach in its multi-part report Copyright and Artificial Intelligence, the relevant installment of which (Part 2, "Copyrightability," issued in January 2025) reaffirmed that purely prompt-driven output is unprotectable but that human authorship can attach where a person exercises sufficient creative control—through significant editing, arrangement, or the incorporation of human-authored elements. The line, in other words, is not "did you use AI" but "did you make the expressive choices." A photographer who uses an AI tool to remove a distracting background still authored the photograph. A novelist who writes the prose but generates the cover art with a single prompt owns the prose and not the cover.

Hypothetical. Imagine a marketing agency that produces a campaign for a client. A designer writes a detailed creative brief, generates two hundred candidate images with a text-to-image model, discards all but four, then in Photoshop recomposes those four into a single layered illustration—relighting, repainting portions by hand, adjusting composition. Under current Copyright Office guidance, the final illustration likely embodies enough human authorship (the selection among candidates, plus the substantial hand-editing and arrangement) to be registrable, while the raw, unedited AI outputs would not be. The agency should document the human contributions contemporaneously, because in an infringement suit the registration's scope—and the agency's ability to recover statutory damages and fees—will turn on exactly how much a human did. This is a hypothetical, but it tracks the real fault line the Office has drawn.

For businesses, the takeaways are concrete. First, AI-generated material may fall straight into the public domain, which means a competitor can copy your logo, your stock imagery, or your generated marketing copy with impunity. Second, registration applications must disclose AI-generated content and disclaim it; failing to do so risks invalidating the registration. Third, contracts with creative vendors should specify whether and how AI tools were used and allocate the risk that deliverables turn out to be unprotectable. We explore the front-end copyright-infringement exposure—the claims that training on copyrighted material itself infringes—in Copyright infringement claims against generative AI: The New York Times, Getty, and what comes next, which covers the other half of the AI copyright story: not who owns the output, but whether building the model was lawful in the first place.

The patent question: can a machine be an inventor?

Copyright and patent law rhyme here, and the same restless inventor drove both. Stephen Thaler also built (or claims his AI built) two inventions—a food container with a fractal surface and a flashing emergency beacon—which he attributed to an AI system named DABUS (Device for the Autonomous Bootstrapping of Unified Sentience). He filed patent applications naming DABUS as the sole inventor. The USPTO rejected them, the Federal Circuit affirmed in Thaler v. Vidal, 43 F.4th 1207 (Fed. Cir. 2022), and the Supreme Court denied certiorari in 2023.

The reasoning is narrower than the copyright cases and almost entirely textual. The Patent Act defines an "inventor" as the "individual" who invented the subject matter (35 U.S.C. § 100(f)), and the Federal Circuit, following the Supreme Court's reading of "individual" in other statutes, held that "individual" means a natural person. An AI is not an individual; therefore an AI cannot be a named inventor; therefore an application naming only an AI fails. The court was careful to say it was not deciding whether inventions made with AI assistance are patentable, or who should be named when AI contributes to an invention conceived by humans. Those are the live questions.

The USPTO answered the assistance question in February 2024 with Inventorship Guidance for AI-Assisted Inventions, 89 Fed. Reg. 10043. The guidance is sensibly pragmatic: AI-assisted inventions are not categorically unpatentable, but each invention must have at least one natural-person inventor who made a "significant contribution" to its conception. The agency borrowed the Pannu factors—from Pannu v. Iolab Corp., 155 F.3d 1344 (Fed. Cir. 1998), the standard for joint inventorship—to assess whether a human's contribution was significant enough to count. Merely recognizing a problem, or owning and operating an AI that produced the invention, or providing a general goal, does not make you an inventor. Meaningfully constructing the prompt, designing the experiment, or recognizing and appreciating the AI's output as a solution might.

The practical consequence is a documentation problem. Patent prosecution now requires a clear record of which human did what, conceptually, when AI was in the loop—because if the answer is "no human contributed significantly," there is no valid inventorship, and an invalid inventorship can sink a patent. We go deep on this allocation, including the international divergence, in AI-generated inventions: Who owns what the machine creates and survey the comparative landscape in Artificial intelligence and inventorship: Global perspectives on machine contributions to innovation. The short version: the United Kingdom's Supreme Court reached the same result as the Federal Circuit in the parallel DABUS litigation, while a handful of jurisdictions have flirted with broader rules—but no major patent office currently lets a machine be an inventor.

A separate patent wrinkle deserves a mention, because it predates the inventorship fight and remains a daily obstacle: eligibility. AI systems are, at bottom, algorithms, and algorithms run headlong into the abstract-idea exception to patent-eligible subject matter under 35 U.S.C. § 101. Since Alice Corp. v. CLS Bank International, 573 U.S. 208 (2014), a claim "directed to" an abstract idea is patent-ineligible unless it recites "significantly more"—an inventive concept that transforms the abstraction into a patentable application. (The exclusion of abstract ideas, laws of nature, and natural phenomena goes back at least to Diamond v. Chakrabarty, 447 U.S. 303 (1980).) Drafting AI patent claims to survive Alice is an art unto itself; the USPTO's 2019 subject-matter-eligibility guidance and its 2024 examples for AI inventions provide the roadmap, and our patent eligibility after Alice guide walks through the strategies in detail.

Privacy and biometric data: the law that lets you sue

If copyright and patent are where AI meets the question "who made this," privacy is where AI meets the question "where did you get all that data." Machine-learning models are hungry; they are trained on vast corpora of personal information, and they are increasingly deployed to recognize, profile, and predict. The United States, unlike the European Union, has no single comprehensive privacy statute. It has a patchwork: sectoral federal laws (HIPAA for health data, the FCRA for credit and background reports, the GLBA for financial data, COPPA for children) and a growing thicket of state laws, with California's CCPA/CPRA (Cal. Civ. Code §§ 1798.100 et seq.) leading and a dozen-plus states following.

But the statute that has generated the most AI-relevant litigation, by a wide margin, is a quirky Illinois law from 2008: the Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA). BIPA regulates the collection, use, and storage of "biometric identifiers"—retina and iris scans, fingerprints, voiceprints, and crucially, scans of face or hand geometry—and "biometric information" derived from them. Before a private entity may collect your biometric data, BIPA requires it to (1) inform you in writing that the data is being collected and stored, (2) tell you the specific purpose and length of storage, and (3) obtain your written release (740 ILCS 14/15(b)). The Act also requires a publicly available retention-and-destruction schedule (§ 15(a)) and bars selling or profiting from biometric data (§ 15(c)).

Two features make BIPA the eight-hundred-pound gorilla of AI privacy litigation. The first is its private right of action with statutory damages: $1,000 per negligent violation and $5,000 per reckless or intentional violation (740 ILCS 14/20). The second is the Illinois Supreme Court's interpretation of who may sue. In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the court held that a plaintiff need not allege any actual injury beyond the statutory violation itself—the loss of the statutory right to control one's biometric data is the injury. Then in Cothron v. White Castle System, Inc., 2023 IL 65, the court held that a separate claim accrues each time an entity unlawfully scans or transmits biometric data, not just the first time. White Castle, which used a fingerprint timeclock, faced a theoretical exposure that the court itself acknowledged could reach into the billions. The Illinois legislature amended BIPA in 2024 to limit per-scan accrual, but the message had landed: facial-recognition and fingerprint systems built on machine learning are radioactive in Illinois without airtight consent.

The litigation has been spectacular. Facebook paid $650 million to settle a BIPA class action over its photo-tagging feature, which used facial-geometry analysis (In re Facebook Biometric Information Privacy Litigation, N.D. Cal.). Clearview AI, which scraped billions of photos from the internet to build a facial-recognition database sold to law enforcement, has faced BIPA litigation, a settlement, and regulatory action on multiple continents. For any company training or deploying a model that touches faces, voices, or fingerprints, BIPA is the first compliance question, and a growing number of states (Texas, Washington) and proposed laws are following its lead. We treat this whole field in depth in Biometric data privacy laws and their impact on AI development, and a closely related frontier—using someone's face or voice without their biometric or publicity consent—in The right of publicity meets digital doubles: Deepfakes, AI avatars, and celebrity likeness.

Beyond biometrics, the broader privacy challenge is automated decision-making. Both the GDPR and the newer wave of U.S. state laws give individuals rights regarding decisions made about them by algorithms. Article 22 of the GDPR grants a qualified right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and Articles 13–14 require organizations to disclose the existence of such processing and provide "meaningful information about the logic involved." California's CPRA directs the issuance of regulations governing access to, and opt-out from, automated decision-making. These transparency obligations collide awkwardly with the reality that modern neural networks are often genuinely uninterpretable even to their creators, and with the fact that disclosing the model's "logic" may mean disclosing a trade secret. Regulators have so far accepted that organizations can provide meaningful information about a system without exposing the underlying code.

Algorithmic bias: when the model discriminates

AI is only as good as its training data, and training data is a record of the past, biases included. A model that learns from historical hiring decisions learns whom the company historically hired—and if that history skews male, or white, or under forty, the model will too, dressed up in the false objectivity of a number. This is not a hypothetical risk. Amazon famously scrapped an internal résumé-screening tool after discovering it penalized résumés containing the word "women's" (as in "women's chess club captain") because it had been trained on a decade of male-dominated tech résumés. The legal exposure here is real, immediate, and grounded in some of the oldest civil-rights law on the books.

The central statute is Title VII of the Civil Rights Act of 1964 (42 U.S.C. § 2000e et seq.), which prohibits employment discrimination based on race, color, religion, sex, and national origin. Title VII reaches algorithmic hiring through two theories. Disparate treatment is intentional discrimination—rare with AI, because nobody programs a model to reject women on purpose (and if they did, it would be straightforward to condemn). The dangerous theory is disparate impact: a facially neutral practice that falls more harshly on a protected group and is not justified by business necessity. The doctrine was born in Griggs v. Duke Power Co., 401 U.S. 424 (1971), where the Supreme Court struck down a high-school-diploma requirement that disproportionately excluded Black applicants and bore no demonstrated relationship to job performance. An AI screening tool that disproportionately rejects a protected group is a Griggs problem in modern dress: the employer need not have intended to discriminate to be liable.

How does a plaintiff (or an enforcement agency) measure disproportionate rejection? The workhorse is the four-fifths rule (also called the 80% rule), codified in the EEOC's Uniform Guidelines on Employee Selection Procedures, 29 C.F.R. § 1607.4(D). The rule provides a rule of thumb: if the selection rate for any protected group is less than four-fifths (80%) of the selection rate for the group with the highest rate, that disparity is generally regarded as evidence of adverse impact.

Worked example (hypothetical). Suppose an AI résumé-screener advances 100 of 500 male applicants (a 20% selection rate) and 60 of 500 female applicants (a 12% selection rate). The female rate divided by the male rate is 12 ÷ 20 = 0.60, or 60%. Because 60% is below the 80% threshold, the tool flunks the four-fifths rule, and the employer now bears the burden of showing the screen is "job related for the position in question and consistent with business necessity" under 42 U.S.C. § 2000e-2(k). If it cannot, or if a less-discriminatory alternative was available and refused, the employer faces disparate-impact liability—even though no human ever consciously discriminated and the vendor's marketing promised the tool was "bias-free." The four-fifths rule is a screening heuristic, not a safe harbor; smaller disparities can still be actionable with statistical proof, and the EEOC has cautioned that the rule is not the only measure.

The enforcement apparatus has noticed. The EEOC launched an Artificial Intelligence and Algorithmic Fairness Initiative and, in 2023, issued technical-assistance guidance applying the four-fifths rule and disparate-impact analysis to "software, algorithms, and artificial intelligence used in employment selection procedures." The EEOC also brought and settled its first AI-discrimination suit, EEOC v. iTutorGroup, where software was alleged to automatically reject older applicants in violation of the Age Discrimination in Employment Act (29 U.S.C. § 621 et seq.)—the company settled for $365,000 in 2023. State and local law has gone further: New York City's Local Law 144 (effective 2023) requires employers using "automated employment decision tools" to commission an independent bias audit, publish the results, and notify candidates. Illinois regulates AI in video interviews. Colorado's 2024 AI Act, the first comprehensive U.S. state AI statute, imposes duties on developers and deployers of "high-risk" systems—including hiring tools—to use reasonable care to avoid algorithmic discrimination.

The defensive playbook borrows from decades of disparate-impact practice: audit the tool before deployment and periodically after, using the four-fifths rule and more rigorous statistical tests; validate the selection procedure against actual job performance, as the Uniform Guidelines contemplate; document the business-necessity justification; search for and adopt less-discriminatory alternatives; and—critically—do not assume the vendor handled all of this. Liability under Title VII runs to the employer who uses the tool, not just the developer who built it. For the foundational doctrine, see our explainer on age discrimination basics, which covers the ADEA framework the iTutorGroup case ran on.

Contracting for AI: who eats the risk

Most organizations do not build their own AI; they license it. And the moment AI becomes a load-bearing component of a business—running a production line, scoring credit applications, powering customer service—the license agreement stops being boilerplate and starts being the document that decides who pays when the model fails. AI contracts raise the ordinary software-licensing issues, which we cover in Drafting software license agreements: Key terms and negotiation points, plus a cluster of issues peculiar to systems that learn, adapt, and occasionally produce output nobody can fully explain.

Three risk-allocation provisions carry most of the weight. Representations and warranties are the first. A vendor of conventional software typically warrants that it owns or has sufficient rights to the software and that the software performs to specification. AI complicates both halves. On the rights side, a generative model may itself produce infringing output—code that copies a copyrighted library, an image that reproduces a protected work—and the non-infringement warranty must be read carefully to see whether it covers outputs or only the model. (Several major AI vendors now offer "copyright shield" indemnities precisely because customers demanded an answer to this question.) On the performance side, AI output is probabilistic; a model that is "95% accurate" will be wrong one time in twenty, and a warranty that promises error-free operation is either unattainable or a future lawsuit. Sophisticated customers negotiate performance warranties tied to defined accuracy benchmarks, acceptance testing, and the right to terminate if the model degrades.

Indemnification is the second. Indemnity clauses allocate liability to the party best positioned to prevent or absorb the harm. With AI, that determination is genuinely hard, because when an autonomous system causes a loss it is often impossible to say whether the fault lay with the developer's model, the customer's data, or the customer's deployment. The contract should resolve this by allocation rather than leaving it to a later fight: who indemnifies whom for third-party IP claims arising from output, for privacy violations arising from training or inference data, for bodily injury from an AI-enabled product. The party with the most knowledge and control—usually the developer as to the model, the customer as to the deployment and the data it supplies—should generally bear the corresponding risk.

Limitations of liability are the third, and in the AI context they deserve unusual scrutiny. A standard liability cap—say, twelve months of fees—may be wildly inadequate when the downside is catastrophic. If an AI analytics system inadvertently discloses the personal data of millions of downstream users, the customer faces class actions, regulatory penalties, and reputational ruin that dwarf the annual license fee. Customers should push for carve-outs from the cap (or a "super-cap") for IP infringement, breach of confidentiality, and data-protection failures, and for the indemnification obligations to sit outside the general cap. Insurance—commercial general liability, technology errors-and-omissions, cyber—backstops these allocations, but coverage for AI-specific harms is still maturing, and counsel should confirm that the policies actually reach algorithmic failures rather than excluding them.

Two further AI-specific terms round out a well-drafted agreement. Data rights govern whether the vendor may use the customer's data to train or improve its models—a question with profound confidentiality and competitive implications; many enterprise customers now insist on contractual prohibitions against their data being used for model training, mirroring the trade-secret concerns we discuss in Drafting enforceable non-disclosure agreements for technology transactions. And explainability and audit provisions—rights to documentation, to bias-audit results, to model cards—help the customer meet its own regulatory obligations (the NYC bias audit, the EU AI Act disclosures) that the vendor's black box would otherwise frustrate.

Liability: when the autonomous system hurts someone

Step away from contracts for a moment and consider the tort question, which is in some ways the deepest. Product-liability law—negligence, breach of warranty, strict liability—evolved to assign fault when a product injures someone, on the assumption that a human designed it, a human manufactured it, and a human used it. Autonomous AI scrambles that chain. When a self-driving car veers into a motorcyclist, or an AI-guided industrial robot strikes a worker, who is the actor: the manufacturer, the software developer, the owner, the human "supervisor" who was not actually in control—or the machine itself?

The existing cases mostly show the traditional framework straining at its seams. In Cruz v. Raymond Talmadge, a Massachusetts case arising from a bus that struck a low overpass while the driver followed GPS directions, the injured plaintiffs sued the GPS manufacturers on ordinary theories of negligence, breach of warranty, and strict liability, alleging defective design (the device should have warned of the height-restricted route). Because the GPS was only semi-autonomous—the human driver remained in control—the injuries could be traced back to human conduct, and the conventional doctrine more or less worked. The harder case is Nilsson v. General Motors LLC, No. 18-cv-471 (N.D. Cal. 2018), where a motorcyclist alleged that a GM autonomous vehicle, not its inattentive backup driver, drove negligently and caused the crash. The pleadings are remarkable: the plaintiff alleged negligence by the vehicle, and GM's answer admitted that "the Bolt was required to use reasonable care in driving." The parties settled before any court had to decide what standard of care governs a machine—a reasonable human standard, or a new "reasonable machine" standard—but the question was squarely on the table.

These cases expose a doctrinal puzzle that scholars have chewed on for years. Strict liability under Section 402A of the Restatement (Second) of Torts holds a seller liable for a product sold in a "defective condition unreasonably dangerous"—but it applies only if the product reaches the user "without substantial change," and a self-modifying learning system arguably changes itself constantly. Negligence depends on foreseeability—but what is foreseeable for a system that generates novel behavior its designers never anticipated? Professor David Vladeck, in an influential article, suggested the common-law doctrine of res ipsa loquitur ("the thing speaks for itself") might shift the burden to manufacturers in cases where an autonomous system causes harm and the injured party cannot pinpoint the defect (David C. Vladeck, Machines Without Principles: Liability Rules and Artificial Intelligence, 89 Wash. L. Rev. 117 (2014)). Workplace cases sharpen the issue further: in Holbrook v. Prodomax Automation Ltd., the estate of a worker killed by an automated assembly robot sued the robot's manufacturers and integrators on negligence, defective-design, failure-to-warn, and res ipsa theories—suing the suppliers rather than the employer, because workers'-compensation exclusivity barred suit against the employer.

The unresolved question underneath all of this is whether the law should ever treat an AI as a legal actor with its own standard of care, or should always trace liability back to a human (the designer, the deployer, the owner). The European Union briefly proposed, then shelved, an "AI Liability Directive" that would have eased the burden of proof for plaintiffs injured by AI; the U.S. has no comprehensive answer and is proceeding case by case. For now, counsel advising clients who deploy autonomous systems should assume the traditional product-liability theories apply, insist on robust contractual indemnities up and down the supply chain (see the contracting section above), and maintain rigorous documentation of design choices, testing, and safety measures—the same evidence that wins or loses a conventional product-defect case.

The EU AI Act: extraterritorial gravity

No survey of AI law is complete without the European Union, because the EU does to AI what it did to data privacy with the GDPR: it writes a comprehensive, risk-tiered, extraterritorial statute and dares the rest of the world to ignore it. The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), which entered into force in August 2024 with obligations phasing in through 2027, is the first comprehensive horizontal AI law in the world, and like the GDPR it reaches any provider or deployer whose AI system's output is used in the EU—regardless of where the company sits. A U.S. startup with European users is in scope.

The Act's architecture is a pyramid of risk. At the top, a small set of practices are prohibited outright (effective February 2025): social scoring by public authorities, manipulative subliminal techniques, untargeted scraping of facial images to build recognition databases (a direct shot at the Clearview model), most real-time remote biometric identification in public spaces, and emotion recognition in workplaces and schools. Below that sits the heavily regulated high-risk category—AI used in employment, education, credit, essential services, law enforcement, biometric identification, and critical infrastructure—which must satisfy a long list of obligations: risk management systems, high-quality training data, technical documentation, human oversight, accuracy and robustness standards, and conformity assessments before market entry. Below that, limited-risk systems (chatbots, deepfakes) carry transparency duties: users must be told they are interacting with AI, and AI-generated or manipulated content must be labeled. And minimal-risk systems (spam filters, AI in video games) are essentially unregulated.

A separate regime governs general-purpose AI models—the large foundation models like GPT-class systems—with tiered transparency and, for the most capable models posing "systemic risk," additional obligations around evaluation, adversarial testing, and incident reporting. The penalties are GDPR-scale and then some: up to €35 million or 7% of worldwide annual turnover for the prohibited-practice violations.

For a U.S. business, the EU AI Act functions much as the GDPR did—a de facto global standard, because building two versions of a product (one compliant, one not) is usually harder than just complying everywhere. The compliance work begins with classification: figure out, for each AI system, which risk tier it occupies and whether you are a "provider" or a "deployer," because the obligations differ sharply. The contractual implications loop back to the licensing discussion above: deployers need from their providers the documentation, conformity assessments, and disclosures the Act requires, and those have to be negotiated into the agreement. Meanwhile, the United States has no federal analogue; the relevant federal posture has shifted with administrations (from a 2023 executive order emphasizing safety and equity to a 2025 reorientation toward deregulation and innovation), leaving the field to the states—Colorado, California, and others—and to sectoral regulators applying existing law.

Legal ethics: the profession's own reckoning

We opened with Mata v. Avianca, and we return to it, because the legal profession occupies an unusual position in the AI story: lawyers are simultaneously advisors about AI risk and users of AI tools who face their own professional-responsibility constraints. The ethical rules are not new; what is new is applying them to a tool that produces confident, plausible, sometimes-fabricated text.

The foundational duty is competence. ABA Model Rule 1.1 requires competent representation, and Comment 8 (added in 2012) provides that competence includes keeping abreast of "the benefits and risks associated with relevant technology." Most states have adopted this duty of technological competence. In practical terms, it means a lawyer who uses a generative-AI research tool must understand—at least at a working level—that such tools can "hallucinate" plausible-looking citations, and must verify the output. The Mata sanctions were not imposed because the lawyers used ChatGPT; they were imposed because the lawyers used it and did not check its work, then doubled down when challenged. Courts since Mata have sanctioned a steady stream of lawyers (and at least one pro se litigant) for the same failure, and many courts have issued standing orders requiring disclosure of AI use or certification that AI-generated content was verified.

The second pillar is confidentiality. ABA Model Rule 1.6 forbids disclosing information relating to a client's representation. A lawyer who pastes a client's confidential documents into a public AI tool—one whose terms permit the vendor to retain and train on the input—may be making an unauthorized disclosure. The competent practice is to use enterprise tools with contractual confidentiality protections (no training on inputs, data segregation) rather than consumer chatbots, and to understand the data-handling terms before feeding the tool anything sensitive.

The third is supervision. ABA Model Rule 5.3, retitled in 2012 from "Nonlawyer Assistants" to "Nonlawyer Assistance," extends a lawyer's supervisory duties to outside service providers and—per Comment 3—to technology. Treating an AI tool as you would a junior associate or paralegal is the right mental model: you may delegate the work, but you remain responsible for the product. Courts have disbarred lawyers for failing to supervise human assistants who filed deficient documents (see People v. Calvert, 280 P.3d 1269 (Colo. 2011)); the principle applies with equal force to an unsupervised algorithm. And the fourth, in litigation, is candor to the tribunal under Model Rule 3.3, which the fabricated-citation cases violate directly: a lawyer may not knowingly make a false statement of law to a court, and filing nonexistent cases—even unknowingly, where the lawyer failed to verify—runs straight into Rule 3.3's neighborhood and Rule 11's sanctions regime.

In July 2024, the ABA Standing Committee on Ethics and Professional Responsibility synthesized these threads in Formal Opinion 512, "Generative Artificial Intelligence Tools." The opinion is measured rather than prohibitionist: lawyers may use generative AI, but they must do so consistently with their duties of competence, confidentiality (including obtaining informed client consent before inputting client information into certain tools), communication (informing clients about material use of AI), candor, supervision, and reasonable fees. On fees, the opinion notes that a lawyer generally may not bill a client for the time AI saved—you cannot charge two hours for research that the tool completed in twenty minutes—a point that quietly reshapes the economics of legal work. Opinion 512 is now the reference text, and several state bars have issued their own opinions building on it.

Practice tip. The defensible workflow for AI-assisted legal work has four steps that map directly onto the rules: (1) choose a tool with appropriate confidentiality protections (Rule 1.6); (2) understand its known failure modes, including hallucinated citations (Rule 1.1); (3) independently verify every factual and legal assertion the tool produces—pull and read the actual cases (Rules 3.3 and 5.3); and (4) bill only for the time you actually and reasonably spent, not the time the tool saved (Rule 1.5 / Opinion 512). A lawyer who follows these four steps is not at meaningful ethical risk; a lawyer who skips step three is one filing away from a sanctions order with their name in the caption.

Frequently asked questions

Can I copyright something I made with AI? It depends on how much you contributed. Purely AI-generated output—an image produced from a text prompt with no further human creative intervention—is not copyrightable in the United States, because it lacks human authorship (Thaler v. Perlmutter, 130 F.4th 1039 (D.C. Cir. 2025); Copyright Office, Zarya of the Dawn). But you can copyright the human-authored elements: your own text, your selection and arrangement of AI outputs into a larger work, and material you substantially edit or transform by hand. Disclose the AI-generated portions when you register, and keep records of what you, the human, actually did.

Can an AI be named as an inventor on a patent? No. The Federal Circuit held in Thaler v. Vidal, 43 F.4th 1207 (Fed. Cir. 2022), that the Patent Act requires a human "individual" as the named inventor. But AI-assisted inventions are patentable as long as at least one human made a significant contribution to the conception, per the USPTO's 2024 inventorship guidance. The practical task is documenting the human contribution.

Is my company liable if a hiring tool we bought from a vendor discriminates? Likely yes, at least under federal law. Title VII liability for disparate impact runs to the employer who uses a selection procedure, not only to the developer who built it (cf. Griggs v. Duke Power Co., 401 U.S. 424 (1971)). "The vendor said it was bias-free" is not a defense. Audit the tool before and after deployment using the four-fifths rule (29 C.F.R. § 1607.4(D)) and validate it against job performance.

What is BIPA and why does everyone worry about it? The Illinois Biometric Information Privacy Act (740 ILCS 14/) regulates collecting and storing biometric data—fingerprints, face and hand geometry, voiceprints. It requires written notice and consent before collection, and it has a private right of action with statutory damages of $1,000–$5,000 per violation. After Rosenbach (no actual injury required) and Cothron (per-scan accrual), even minor noncompliance can generate enormous class exposure—which is why any facial-recognition or biometric system needs airtight consent before it touches an Illinois resident.

Does the EU AI Act apply to a U.S. company? Yes, if your AI system's output is used in the EU. Like the GDPR, the AI Act (Regulation (EU) 2024/1689) is extraterritorial. The first step is classifying each system by risk tier (prohibited, high-risk, limited-risk, minimal-risk) and your role (provider or deployer), because the obligations and penalties—up to €35 million or 7% of global turnover—differ sharply.

Can I use ChatGPT to write a legal brief? You can use generative AI in your practice, but you must verify everything it produces, protect client confidentiality, and bill honestly (ABA Formal Opinion 512). The lawyers in Mata v. Avianca were sanctioned because they filed AI-generated citations to cases that did not exist without checking. Treat AI like a junior associate whose work you must review—because under Model Rule 5.3, that is essentially what it is.

Conclusion and next steps

The legal issues AI raises are not, for the most part, new legal issues. They are old doctrines—authorship, inventorship, consent, disparate impact, product defect, the duty of competence—colliding with a technology that quietly removed the human from the middle of the process. The pattern repeats across every domain: the rule assumed a person was making the decision, the writing the work, the invention; AI takes the person's place; and courts and regulators must decide whether to stretch the old rule, draw a new line, or refuse to recognize the machine at all. So far the answers have been strikingly consistent in one respect: the law keeps insisting on a human. A human author for copyright. A human inventor for patents. A human who consents to biometric collection. A human employer answerable for the algorithm's bias. A human lawyer accountable for the chatbot's citations.

For businesses and the lawyers who advise them, that consistency is actually good news, because it makes the compliance task legible. Find the human in the loop, and make sure that human—and the contracts, audits, disclosures, and documentation around that human—does the work the law requires. Before deploying an AI system, classify it (especially against the EU AI Act's tiers and any applicable state AI law), audit it for bias if it makes decisions about people, lock down the data-privacy posture (BIPA first if biometrics are involved), and negotiate the license agreement as though the model will someday fail—because eventually one will. Before relying on AI internally, particularly in a regulated profession, build the verification and confidentiality habits that the ethics rules now demand.

The terrain will keep shifting; this is a field where a single Federal Circuit opinion or a single EU regulation can redraw the map overnight. But the underlying questions—who made this, who consented, who decided, who is responsible—are durable. Get those right, and you are most of the way home.

If your organization is building, buying, or deploying AI, the issues above rarely arrive one at a time; a single product can implicate copyright, privacy, employment law, and contract simultaneously. Experienced counsel can help you sequence the analysis and allocate the risk before, rather than after, the model ships.

Related articles

This article is provided for general informational purposes only and does not constitute legal advice. The law governing artificial intelligence is developing rapidly and varies by jurisdiction. Consult qualified counsel about your specific circumstances.