The rapid rise of generative artificial intelligence has fundamentally transformed how technology companies operate. AI-powered tools are now used to write code, analyse documents, prepare proposals, automate business processes, and support R&D work.
In practice, more and more organisations are deploying AI models faster than they can establish procedures governing their use.
And that is precisely where one of the most significant legal risks of recent years emerges: uncontrolled use of generative AI can lead to the disclosure of trade secrets, loss of data control, and serious compliance failures.
In many companies, the problem does not stem from bad intent on the part of employees, but from the mistaken assumption that AI tools work similarly to conventional office software. In reality, generative models operate in an entirely different way — and the legal consequences of feeding them information can be far more serious than businesses assume.
What Is a Trade Secret?
Under the Act on Combating Unfair Competition, a trade secret is information that:
- has commercial value,
- has not been disclosed to the public, and
- has been subject to reasonable steps by the entrepreneur to maintain its confidentiality.
In practice, this may include:
- source code,
- algorithms,
- technical documentation,
- product roadmaps,
- business models,
- customer data,
- pricing strategies,
- research findings,
- funding information,
- operational know-how.
The problem is that much of this data now ends up in AI systems without anyone being aware of it.
Why Does Generative AI Create New Legal Risks?
Traditional IT systems typically operate within a company’s closed infrastructure. Generative AI, by contrast, very often runs as a SaaS (Software as a Service) solution, where data is processed by third-party providers.
In practice, this means an employee using an AI tool may transmit:
- code snippets,
- product documentation,
- customer data,
- contract content,
- business strategy assumptions,
- information about planned transactions.
And this often happens without any awareness of the legal consequences.
The greatest risk arises when an organisation lacks:
- an AI usage policy,
- data classification procedures,
- anonymisation guidelines,
- oversight of the tools being used.
Does Sharing Data with an AI System Mean Losing Trade Secret Protection?
This is one of the most important practical questions — and in many cases, unfortunately, the answer is yes.
If an organisation fails to implement adequate confidentiality safeguards, there is a credible argument that the information in question may no longer meet the criteria for trade secret protection.
This issue is particularly acute when:
- data is fed into public AI models,
- the organisation has no control over how the data is further processed,
- there are no contractual restrictions on the AI provider,
- employees independently use external tools.
In practice, this can lead to severe consequences, including:
- loss of know-how protection,
- a weakened litigation position,
- disputes with counterparties,
- complications during due diligence,
- breaches of NDAs or compliance obligations.
Shadow AI — The Biggest Organisational Challenge
Organisations are increasingly confronting what is known as “shadow AI” — the unauthorised use of AI tools by employees. This is currently one of the most serious compliance risks facing technology companies.
Employees frequently:
- analyse contracts in AI chatbots,
- generate code,
- paste in project documentation,
- prepare summaries of customer data,
- create sales strategies.
From an organisational perspective, the core problem is that these activities take place entirely outside the formal oversight of IT, compliance, or management. In practice, many companies today have no real visibility into what information is being shared with external AI models.
Key Risk Areas for Technology Companies
Intellectual Property Risks
Entering source code or technical documentation into AI tools can give rise to issues relating to:
- intellectual property ownership,
- know-how protection,
- licensing,
- the use of data for model training.
In some cases, this may also create the risk of breaching obligations owed to clients or investors.
GDPR Risks
Where personal data is fed into AI systems, organisations must additionally assess compliance with the General Data Protection Regulation (GDPR). This covers, among other things:
- lawful bases for processing,
- data transfers outside the European Economic Area (EEA),
- data retention,
- profiling,
- security of processing.
Risks are particularly elevated where the data involved is health-related, financial, employment-related, or biometric.
Contractual Risks
An increasing number of agreements — including investment agreements, SaaS contracts, outsourcing arrangements, R&D agreements, and NDAs — contain restrictions on the use of AI. Unauthorised use of generative AI may therefore also result in a breach of contractual obligations.
Regulatory Risks
The rollout of the EU AI Act means organisations will need to exercise ever-greater control over how AI is used — particularly in the context of high-risk AI systems and entities operating in regulated sectors.
The Most Common Mistakes Companies Make
No AI Policy
This is currently the most widespread organisational failing. Many companies deploy AI operationally without establishing any rules governing the use of generative tools.
A Ban That Exists Only on Paper
Some organisations introduce formal prohibitions on AI use that are not enforced in practice. This typically fuels the growth of shadow AI.
Lack of Data Classification
Employees often have no clear guidance on which data may be used, which information requires anonymisation, and what must never be shared with AI models.
Failure to Evaluate AI Providers
In practice, few companies assess the terms of use of the models they rely on, data retention policies, whether data may be used for model training, or the location of the infrastructure.
How to Mitigate the Risks
The most important step is implementing genuine AI governance — not merely formal prohibitions. In practice, organisations should establish:
- an AI usage policy,
- a data classification framework,
- anonymisation procedures,
- an AI tool approval process,
- risk monitoring procedures,
- employee training programmes.
Contractual analysis of AI providers is also becoming increasingly important, as is assessing compliance with GDPR, the EU AI Act, internal security policies, and the requirements of clients and investors.
AI Governance as a Component of Business Security
Until recently, AI governance was viewed primarily as a technology issue. Today, it is becoming an integral element of corporate risk management.
Investors, auditors, and business partners are increasingly examining:
- whether the organisation controls how AI is used,
- what data is being fed into models,
- whether compliance procedures are in place,
- how know-how is protected.
In practice, the absence of structured AI governance is beginning to be treated in the same way as the absence of cybersecurity or data protection policies.
Conclusion
Generative AI offers enormous business opportunities — but at the same time opens an entirely new category of legal and compliance risks. One of the most serious threats is the uncontrolled disclosure of trade secrets through data being shared with AI models.
In practice, the problem very rarely stems from the technology itself. The greatest risks arise when an organisation deploys AI without proper procedures, governance, or legal awareness.
And it is precisely this area that is increasingly determining not only regulatory safety, but the overall value of a technology business.

