Updating NDAs for the AI Era

Traditional NDAs weren't designed for a world where employees and contractors routinely interact with AI tools for work.

When someone inputs confidential information into most AI platforms, that data doesn't necessarily just disappear. It might be used to train future models, stored indefinitely, or accessed by the platform provider. Some platforms explicitly state they don't use inputs for training, but their privacy policies can change, and contractual protection is critical.

Why Current NDAs Fall Short

Most NDAs were drafted before anyone imagined employees and contractors would be having conversations with artificial intelligence about work projects. Yet that's exactly what's happening across industries every day. The problem isn't necessarily intentional wrongdoing; it's that people don't realize they're potentially violating confidentiality when they ask an AI tool for help with a presentation or to debug some code.

Essential Updates

Start with a broad prohibition. Effective language may include: "Recipient shall not input, upload, or provide any Confidential Information to artificial intelligence systems, machine learning platforms, or automated content generation tools without prior written consent from Discloser."

Define "AI Tools" broadly. Rather than naming specific platforms, stronger definitions use: "AI Tools include any artificial intelligence, machine learning, or automated system that processes, analyzes, or generates content based on user inputs." This catches everything from ChatGPT to industry-specific AI applications.

Build in flexibility for legitimate use. Complete AI prohibition isn't always realistic. For clients who want some AI usage permitted, effective frameworks include an approval process: the AI tool must be pre-approved and offer enterprise-level protections, and interactions must occur through approved platforms/accounts with proper data protection agreements.

Require sanitization when AI use is allowed. If a client permits any AI interaction with their information, data sanitization requirements are essential. All identifying details, specific metrics, and proprietary methodologies must be removed before any AI interaction.

Practical Considerations

Don't just copy and paste AI language into your existing NDA template. Consider how these new provisions interact with your current confidentiality definitions, return of confidential information clauses, and remedy provisions. I've seen instances where new AI restrictions contradicted existing language about permitted disclosures.

Also, think about enforcement. How will you know if someone violates these AI provisions? Technical monitoring may be necessary for organizations with high-value confidential information.

For more information, contact John Billiris at