AI
& Generative AI Companies

Yes. The EU AI Act applies to any provider that places an AI system on the EU market or whose outputs reach EU users, regardless of where the company is headquartered. GPAI model obligations applied from August 2, 2025; full high-risk Annex III rules apply from August 2, 2026. Penalties for prohibited-AI violations reach 7% of global annual turnover, which makes this a board-level question, not an EU-counsel question.

The answer turns on how you acquired the data and what your model does with it. Two 2025 federal courts (Bartz v. Anthropic and Kadrey v. Meta, both N.D. Cal., June 2025) found training on legally acquired works was transformative fair use, but Anthropic still paid $1.5 billion to settle Bartz over pirated-library acquisition. The U.S. Copyright Office's Part 3 report maps the open questions. Provenance, license, and acquisition method are documented per matter, not assumed.

Under current US law, only outputs reflecting sufficient human authorship are copyrightable, and the company itself can own them only via clear assignment from the human contributor. The U.S. Copyright Office's Part 2 report confirms purely AI-generated material is uncopyrightable, and Thaler v. Perlmutter affirmed the human-authorship requirement. Provider terms of service govern the platform-customer allocation; they do not create copyright the law does not recognize.

California SB 942 requires generative AI providers above one million monthly California users to offer free AI detection, embed manifest disclosures, and include latent provenance metadata. The operative date is January 1, 2026. Enforcement runs through the Attorney General, city attorneys, and county counsel at $5,000 per violation per day, and AB 853 phases in additional platform and capture-device obligations through January 1, 2028.

A system is high-risk under Colorado SB 24-205 if it makes or substantially influences consequential decisions about consumers in employment, lending, housing, healthcare, or insurance. Effective February 1, 2026. The full statutory list also covers education, government services, and legal services. Developers and deployers must use reasonable care to prevent algorithmic discrimination, complete impact assessments, publish public statements, and disclose discovered risks to the AG within 90 days.

AI-specific terms of service should allocate ownership of inputs and outputs, restrict prohibited uses, disclaim accuracy of generated content, define data-retention and training-use rights, and carry an AI-aware indemnity stack. The FTC has flagged silent ToS amendments that expand training-data rights as potentially unfair or deceptive. Output-ownership clauses must align with USCO copyrightability rules; an Acceptable Use Policy carves out deepfake, defamation, illegal-content, and biometric uses.

Investors check the IP cap table, training-data provenance, open-source compliance, AI-specific contract terms, regulatory exposure, and whether founders signed assignments that cover models, weights, and datasets, not just code. Open-source review is critical because copyleft licenses can cascade to proprietary algorithms. AI-specific indemnity gaps in customer contracts surface as deal-breaking liabilities at exit. The path is to address each line item before the term sheet, not during diligence.

Most enterprise procurement teams now require a standalone AI addendum or AI-aware DPA covering training-data restrictions, model-output ownership, prohibited-use carve-outs, indemnity stacks for IP and privacy claims, and audit rights. Without one, enterprise deals stall in legal queues that are looking for exactly these terms. The addendum either lives inside the master agreement or attaches as a referenced exhibit; both work, neither is optional once procurement asks.

Output infringement creates direct, contributory, and vicarious liability exposure for the AI provider, with cases against Midjourney, Suno, Udio, and Perplexity setting the current baseline. The studio cases against Midjourney filed in 2025 and consolidated in late 2025 are the marquee examples. Title 17 of the U.S. Code is the statutory home of fair use, §512 safe harbor, and §1201 anticircumvention. Defenses include fair use, lack of substantial similarity, and §107 transformativeness, but each requires evidence built before the complaint lands, not after.

Personal data in training sets triggers data-subject access, deletion, and correction rights under GDPR Articles 15-17 and CCPA §1798.105; 'the model can't unlearn' is not a recognized exemption. The Italian Garante's 2023 ChatGPT enforcement action established that GDPR Article 15 applies to training inputs. The California Privacy Protection Agency finalized its data-broker registry under SB 361 with a single deletion portal operative 2026. Quebec Law 25 imposes parallel obligations on any model with Quebec residents in scope.

You do not register the training corpus, and AI outputs without sufficient human authorship are unregistrable; what you can register is human-authored code, documentation, and curated datasets. The U.S. Copyright Office's 2023 Policy Statement governs registration practice for AI-involved works, and the Compendium of Copyright Office Practices, Third Edition, governs eligibility. For model weights and architectures, trade-secret protection often outperforms copyright, which is what an IP strategy memo decides per asset.

NIST AI RMF 1.0 is voluntary, but it functions as the de-facto governance standard cited inside Colorado SB 24-205 and California SB 53. Adopting it produces an affirmative-defense posture in regulator and customer reviews. The Generative AI Profile released July 26, 2024 is the operative version for generative AI companies. Enterprise procurement teams increasingly cite RMF and ISO/IEC 42001 in vendor questionnaires, which means alignment is increasingly a sales asset, not just a compliance line item.