DATA EXPOSURE: AI may be smart, but boards still carry the legal headache

Artificial intelligence is no longer the shiny new toy in the corporate cupboard. It is already sitting inside fraud detection systems, customer service tools, compliance monitoring, investment processes, document drafting, staff workflows and board packs.

That increased AI use by employees means the question for company boards is no longer whether AI will affect their business. It already does. The sharper question is whether directors know where it is being used, what data it is swallowing, what decisions it is shaping and what legal risks may be creeping in through the side door?

Leanne Mostert, a partner at Webber Wentzel, says AI risk sits at the intersection of law, information technology, intellectual property, governance and strategy. It is not something that can be safely parked with the IT department and revisited once a year in a cyber risk presentation.

“AI is no longer something coming down the line that financial institutions are preparing for. It is already embedded in how decisions are made, how products are designed and how risk is managed,” Mostert says.

For boards, that is the governance tripwire. AI is being used for speed and convenience, but it may also expose companies to copyright infringement, loss of confidential information, weak accountability and poor decision-making if there is no clear oversight.

In an interview with Daily Maverick, Mostert put it plainly: “Copyright infringement, trade secret loss. The basic principles have not changed. It’s just that it’s extremely difficult to use AI in compliance with those principles.”

That difficulty starts with everyday workplace behaviour. Employees may paste client information, internal research, contracts, financial data or strategy documents into public AI tools to summarise, rewrite or analyse them. They may think they are saving time. In reality, they may be giving sensitive information to a system outside the company’s control.

The law has not suddenly become a new beast. Copyright, confidentiality and data protection rules still apply. The problem is that AI makes it much easier for employees to breach them casually and at scale.

Mostert explains that South African copyright law does not depend only on whether a person intended to infringe. The question is whether a substantial part of a protected work has been reproduced. That creates risk where staff upload third-party research, client material or proprietary content into AI platforms without permission.

The intellectual property problem runs in both directions. Companies must ask whether they are unlawfully using