AI Risks and Responsible Use — Lesson 4
Privacy, Copyright, and Synthetic Content
Learning Objectives
1. Understand data privacy risks when using AI tools.
2. Navigate copyright and intellectual property considerations.
3. Identify risks from deepfakes and synthetic content.
Data privacy in AI tools
When you type a prompt into an AI tool, that data is transmitted to and processed by the AI provider. The key questions are: Does the provider store your prompts? Does the provider use your prompts to train future models? Who at the provider can access your data? Where is the data stored geographically?
Different providers have different policies. Some consumer-tier products use prompts for training by default. Enterprise tiers typically offer data isolation and no-training guarantees. The distinction matters: if you include confidential customer data, proprietary strategies, or trade secrets in prompts to a consumer AI tool, that data may be seen by others or influence future model outputs.
Best practice: treat prompts like emails to an external party. Do not include anything you would not want the provider to have. For sensitive work, use enterprise-tier services with documented privacy guarantees, or self-hosted AI models that keep all data on your infrastructure.
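The "treat prompts like emails" rule can be partially automated with a pre-submission check that scans a prompt for obviously sensitive patterns before it leaves your network. The sketch below is illustrative only: the pattern names and regexes are assumptions for demonstration, not a complete data-loss-prevention solution, and a real deployment would encode your organization's own data classification rules.

```python
import re

# Hypothetical patterns for a pre-submission prompt check.
# These are illustrative examples, not an exhaustive rule set.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def flag_sensitive(prompt: str) -> list[str]:
    """Return the names of sensitive-data patterns found in a prompt."""
    return [name for name, pattern in SENSITIVE_PATTERNS.items()
            if pattern.search(prompt)]

print(flag_sensitive("Summarize our Q3 marketing goals."))
# → []
print(flag_sensitive("Reply to jane.doe@example.com, SSN 123-45-6789."))
# → ['email', 'ssn']
```

A check like this catches only well-formed identifiers; it cannot recognize trade secrets, strategy documents, or customer names, which is why the policy and training measures above remain essential.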
Copyright and intellectual property
The copyright status of AI-generated content is evolving and varies by jurisdiction. In many jurisdictions, purely AI-generated content may not be copyrightable because copyright requires human authorship. Content that is substantially modified by a human after AI generation may receive copyright protection.
Using copyrighted material in prompts raises additional questions. If you paste a copyrighted article into a prompt and ask the AI to rewrite it, the output may be considered a derivative work. The legal landscape is still developing, but the safest approach is to use AI for original creation and transformation rather than reproduction of copyrighted content.
For images, AI-generated imagery trained on copyrighted art has been the subject of multiple lawsuits. If you use AI-generated images commercially, understand the training data provenance of the model and the terms of service regarding commercial use.
Deepfakes and synthetic content risks
AI can generate realistic synthetic images, video, audio, and text. Deepfakes — synthetic media that impersonates real people — can be used for fraud, misinformation, and reputational damage. A deepfake video of a CEO approving a fraudulent transaction, or a synthetic voice authorizing a wire transfer, is a real threat.
For businesses, the risks include: impersonation of leadership in social engineering attacks, fake reviews or testimonials, manipulated evidence in disputes, and synthetic media used to damage brand reputation.
Defense against synthetic content includes: establishing verification procedures for unusual requests (especially financial), educating teams about the existence and quality of deepfakes, using established communication channels for sensitive decisions, and monitoring for unauthorized use of your brand assets in synthetic content.
Case Study
The confidential data in the chatbot
Situation
An employee pasted a confidential merger negotiation document into ChatGPT to help draft a summary. The document contained target company valuations, acquisition terms, and board member names. The consumer version of ChatGPT stored and potentially used this data for model training. The company legal team discovered this when another employee received a ChatGPT response that referenced similar M&A terminology.
Analysis
The employee did not understand that prompts are transmitted to and potentially stored by the AI provider. There was no company policy about what data could be included in AI prompts. An enterprise version of the tool with data isolation and no-training guarantees would have limited the exposure, but the company had not invested in it.
Takeaway
Establish clear policies about what data can be included in AI prompts. Provide enterprise-tier AI tools for teams that handle sensitive information. Treat AI prompts with the same data classification standards as email.
Reflection Questions
1. Does your organization have a policy about what information employees can include in AI prompts?
2. Could someone create a convincing deepfake of your CEO? What verification procedures would catch an impersonation attempt?
Key Takeaways
- ✓ Treat AI prompts like emails to an external party — do not include data you would not share.
- ✓ Copyright of AI-generated content is legally uncertain — consult counsel for commercial use.
- ✓ Deepfakes and synthetic content create new fraud and impersonation risks.
- ✓ Establish clear policies about data in AI prompts and provide appropriate enterprise tools.