The legal landscape for AI is unsettled. Your work has to ship anyway.
Copyright lawsuits are pending. Disclosure rules vary by jurisdiction. Contracts with customers may or may not cover AI-generated output. Your lawyer can give you exhaustive advice that ends in "it depends."
Most teams respond by doing nothing or by paralysis. Both are mistakes. A clear practical default (not a perfect one) keeps you moving while giving you defensible positions when questions arise.
This module spends 90 minutes building that default. By the end you will have:
- A clear view of the three legal fronts: training, inference, output.
- A default disclosure practice.
- An attribution log so you can answer "who made this?" six months later.
Note: this module is practical guidance, not legal advice. Your lawyer is your lawyer. This gets you ready to talk to them efficiently.
Thinker.
Three fronts. Different rules on each.
- Training data. What went into the model. You don't control this. You pick providers whose terms you can live with.
- Inference data. What you send into the model at runtime. You fully control this. Governed by your data policy (Module 024).
- Output. What comes out. Copyright, attribution, and disclosure questions attach here.
The output questions
- Ownership. Who owns agent-generated output? Usually you, per your provider's terms. Read them.
- Originality. Agent output may not be copyrightable if it's deemed non-human-authored. Matters if you need to enforce.
- Infringement risk. Agent output may reproduce memorized training data. The risk is probabilistic and hard to audit.
The shipping default
Ship if: (a) your provider's terms allow commercial use, (b) the output has human review, (c) you've logged how it was made. This default covers 90% of ordinary use cases. Edge cases go to legal.
Talker.
The disclosure prompt
Run this when deciding whether to disclose AI involvement in a given piece.
You are helping me decide whether to disclose AI involvement
in this piece of work.
Context:
- What is the piece: [description]
- Who is the audience: [customers/partners/regulators/public]
- How was AI used: [draft | edit | research | full generation]
- Human review: [yes, what level / no]
- Jurisdiction: [country]
Return:
1. Recommended position: disclose always / disclose by
threshold / no disclosure required.
2. One-line reasoning.
3. If disclosure is recommended, exact wording to use.
4. One question to take to legal if this is a sensitive area.
The attribution log entry
Every shipped piece has a log entry:
## Piece: [title or ID]
- Date shipped: ...
- Human author(s): ...
- AI involvement: [brief] | [none]
- Prompts and tools used: [path to log]
- Human review: [who, when, depth]
- Disclosure status: [on piece | internal only | none]
Six months later, when a question arises, the log tells the truth.
Rememberer.
Attribution logs live in the same repo as the work.
    [content-repo]/
        published/
            2026-04-18-launch-post.md
            2026-04-18-launch-post.attribution.md
        drafts/
            ...
        legal/
            disclosure-policy.md
            provider-terms/
                anthropic-commercial-terms.md
                openai-...
The twin-file pattern
Every published file has a paired .attribution.md. Small file. Written automatically by a script at publish time. Never rely on memory.
The provider terms folder
Keep the commercial terms of every AI provider you use in the repo. Date-stamped. When terms change, you can see the diff.
Doer.
Twelve minutes. Audit one shipped piece. Build the habit.
Step 1. Pick the piece (1 min)
Anything you or your team shipped this month that had AI involvement.
Step 2. Reconstruct the provenance (4 min)
Who drafted, who edited, what prompts were used, whose voice file, what data sources. If you can't reconstruct, that's a signal: you need to start logging at the point of creation, not after the fact.
Step 3. Run the disclosure prompt (2 min)
Using the Talker template. Get a recommendation.
Step 4. Write the attribution log (3 min)
Use the template from Talker. One file.
Step 5. Decide: disclose retroactively? (2 min)
If the recommendation is "disclose always" and you didn't, consider an update note. If "disclose by threshold," decide if this piece cleared the threshold. If "no disclosure required," log and move on.
One attribution log. One decision about disclosure. A practice you'll now extend to every piece.
- You can't reconstruct provenance: logging starts today. Don't try to retrofit the archive.
- Your provider's terms are unclear: email their sales or legal contact. Save the response in legal/provider-terms/.
- Legal flags issues: this is what the process is for. Fix going forward. Don't panic backward.
Rookie.
Failure 1. Pretending AI wasn't involved
You drafted a launch post with Claude. You don't mention it. A customer asks. You hedge. Trust erodes.
Fix: pick a disclosure policy and apply it. If your policy is "disclose always," disclose always. If it's "no disclosure needed for edit-level assistance," say so when asked. Consistency is the only defense.
Failure 2. Skipping the provider terms
You used a free-tier model. The terms say output is not guaranteed for commercial use. You ship anyway. No one notices until a contract dispute surfaces the clause.
Fix: read the terms of every model you commercialize output from. Use paid or enterprise tiers for anything commercial. Keep the terms in the repo.
Failure 3. No logs
A journalist asks: "who wrote this piece?" You don't remember. You hedge. The story writes itself.
Fix: generate attribution logs automatically at publish time. No memory involved.
Manager.
Per-piece attribution as a habit
The attribution log is a 3-minute addition to your publishing workflow. Script it. Make it a publish-time hook so it can't be skipped.
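One way to make the twin-file pattern from Rememberer enforceable as the publish-time hook described here, as an added example that is not part of the original module. The field names come from the attribution log template; the function names, the `published/` scan and the sample files other than the launch post are assumptions.

```python
import sys
import tempfile
from pathlib import Path

# Field names taken from the module's attribution log template.
REQUIRED_FIELDS = [
    "Date shipped", "Human author(s)", "AI involvement",
    "Prompts and tools used", "Human review", "Disclosure status",
]

def audit_published(repo_root):
    """Return {piece: [problems]} for pieces whose twin is missing or incomplete."""
    problems = {}
    published = Path(repo_root) / "published"
    for piece in sorted(published.glob("*.md")):
        if piece.name.endswith(".attribution.md"):
            continue  # the twins themselves are not pieces
        twin = piece.with_name(piece.stem + ".attribution.md")
        if not twin.is_file():
            problems[piece.name] = ["missing attribution file"]
            continue
        # Parse "- Field: value" lines; an empty value or "..." counts as unfilled.
        values = {}
        for line in twin.read_text(encoding="utf-8").splitlines():
            if line.startswith("- ") and ":" in line:
                key, _, value = line[2:].partition(":")
                values[key.strip()] = value.strip()
        unfilled = [f for f in REQUIRED_FIELDS if values.get(f, "") in ("", "...")]
        if unfilled:
            problems[piece.name] = ["unfilled: " + f for f in unfilled]
    return problems

def build_sample_repo(root):
    """Constructed sample data: one complete piece, one incomplete, one with no twin."""
    pub = Path(root) / "published"
    pub.mkdir(parents=True)
    full = "## Piece: sample\n" + "".join(f"- {f}: example\n" for f in REQUIRED_FIELDS)
    partial = full.replace("Human review: example", "Human review: ...")
    (pub / "2026-04-18-launch-post.md").write_text("post body\n")
    (pub / "2026-04-18-launch-post.attribution.md").write_text(full)
    (pub / "pricing-update.md").write_text("post body\n")
    (pub / "pricing-update.attribution.md").write_text(partial)
    (pub / "changelog.md").write_text("post body\n")
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo(tempfile.mkdtemp())
    found = audit_published(root)
    for name, issues in found.items():
        print(f"{name}: {', '.join(issues)}")
    sys.exit(1 if found else 0)  # non-zero exit blocks the publish step
```

Run it with the content repo path as the only argument from whatever step gates publishing; with no argument it audits the constructed sample.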
Legal relationship
Meet your lawyer quarterly for 30 minutes. Review the disclosure policy, edge cases from the last quarter, any provider changes. This compounds: your lawyer gets smarter about your specific use, and you get faster answers next time.
Training client / partner conversations
Your customers and partners will ask. Have a one-pager: "How we use AI in our work." Link to disclosure policy. Name a human contact. Readiness prevents improvisation under pressure.
Chief.
Risk 1. Regulatory ambiguity
EU AI Act, US state-level laws, industry-specific rules. The map is moving. Counsel is conservative. Your defaults need to be defensible.
Governance: write down your defaults. Update quarterly. Have counsel sign off annually. Defensible doesn't mean bulletproof, it means articulable.
Risk 2. The undisclosed dependency
Your product quietly depends on a model provider. That provider changes terms. Suddenly your commercial use is questionable. You didn't have a backup plan.
Governance: dual-sourcing where possible. Model-agnostic prompts where possible. A migration plan documented, even if never executed.
Risk 3. Reputation vs. law
Sometimes something is legal but reputationally costly. Using AI in obituaries, for example: legal in most places, disastrous in brand terms.
Governance: legal is one input. Communications / brand is another. Decisions that cross both should be reviewed by both.
Founder.
Solo founder: you are legal, comms, and product, for now.
The solo legal kit
- One-page disclosure policy. Public on your site.
- Provider terms saved in ~/legal/.
- Attribution log on every shipped piece, automatic.
- Quarterly 30-min call with a lawyer who knows AI.
The pragmatic default
When in doubt, disclose. Readers increasingly expect it. The legal exposure from over-disclosure is zero. The legal exposure from a "discovered" AI secret is real.
Write down the default. Apply consistently.
The legal landscape is unsettled. Your practice doesn't need to be. A clear, written, consistently-applied default is your best protection. When the rules settle, you adapt. When questions come, you answer with logs. Neither requires you to be a lawyer. It requires you to be organized.