Tech transformation: Addressing AI risk across funds and portfolios

PARTNER CONTENT

 

---

By Nick Farnsworth, Shannon Yavorsky, Sarah Schaedler, and Vertis McMillan, Orrick.

 

---

 

Private equity investments in artificial intelligence and related services have surged in recent years. While PE firms have long recognized the potential for economic and market optimization in target companies leveraging AI, many are now turning their attention to the risk and opportunities of their own use of AI and that of their existing portfolio.  

More and more companies that are neither AI model developers nor software providers or high technology companies are adopting AI-powered offerings to increase efficiencies in their business operations, including for customer service, supply chain, marketing and human resources. This trend raises a critical question for PE firms: are they and their portfolio companies asking the right questions when procuring AI solutions?  

This article outlines the fundamental principles and key considerations PE firms and their portfolio companies should keep in mind when engaging providers of AI solutions.  

What is artificial intelligence? 

While there is no universally accepted definition of AI, a widely recognized set of characteristics has emerged: 

• Machine-based systems – which are developed with or run on machines; 

• Designed to operate with varying levels of autonomy to achieve specific objectives—whether explicitly programmed or inferred; 

• That are able to infer by analyzing input data to make content, determinations, predictions, or recommendations; and  

• Can influence physical, virtual, or human environments through the outputs produced.
   

What are the key risks associated with AI adoption? 

While the efficiency benefits of AI are clear, the risks of AI depend on its capabilities and the context of its implementation. PE firms and portfolio companies should be aware of the following common risks:  

• Inappropriate or harmful outputs: AI may produce incorrect, unrealistic, or unintended outputs, or outputs that reinforce biases present in training data.  

• Intellectual property (IP) challenges: The intersection of AI and IP law remains unsettled. Third parties may try to assert IP claims over training data, AI outputs, or AI components. Additionally, IP protection may not extend to AI-generated content or outputs.  

• Privacy & confidentiality impacts: AI can generate outputs similar to their training data. Providing third-party developers access to personal, sensitive or confidential data – especially for training purposes – may conflict with legal obligations, contractual commitments, or company privacy / confidentiality objectives.  

• Individual autonomy & choice: Overreliance on AI recommendations or persuasive techniques can undermine individuals’ ability to make free and informed decisions.  

• Security threats: Threat actors can use AI to enhance traditional attacks (e.g., phishing, malware). AI tools and solutions may introduce new vulnerabilities or attack vectors, such as compromised training data or prompt interfaces.  

• New regulatory requirements: AI adoption can expose companies to new regulatory requirements, which can increase compliance cost and result in unwanted scrutiny from regulators.
   

What are the key questions for assessing AI engagements? 

To identify the risks and benefits of an AI engagement, PE firms and portfolio companies should seek clarity on the provider, the solution’s capabilities / limitations, and the intended use case.  

Provider diligence considerations 

• Who is the provider? 

• Where are they located? 

• How long have they been in business? 

• What terms and regulatory requirements apply to the engagement? 

• What supporting documentation has been provided?

 

AI diligence considerations 

• What is the AI designed to do?  

• What input data is required? 

• What outputs are generated? 

• How and where are outputs used? 

• Does the AI rely on third-party technologies?

 

Use case diligence considerations 

• What is the intended use case?  

• What benefits does the AI offer?  

• What are the associated risks? 

• What mitigation measures can be implemented? 

• Do the benefits outweigh the risks after mitigation?

Many organizations develop standard AI vendor questionnaires to help gather this information.

What are the key issues in AI contracts? 

If an AI engagement is deemed worthwhile, several contractual points should be considered before finalizing the agreement:  

Ownership and Rights: The parties should assign ownership over outputs or customizations and allocate use rights among the various parties.  

• Providers typically own the AI, training data, and AI improvements. 

• Customers generally own all AI inputs and outputs, often designating them as “Confidential Information.” 

• Providers may request licenses to inputs and outputs for AI training purposes, but enterprise customers frequently ask for limitations on the broader use thereof.  

• Customers may seek ownership or rights in AI developed or customized for their use. 

 

Roles and allocation of risk: The parties should clearly define each party’s role in connection with AI and allocate responsibility for potential liability in the event a risk comes to fruition.

• Providers may disclaim warranties and offer systems “as is” or as beta versions.
• Increasingly, providers offer IP infringement commitments for the AI itself and some may offer the same for AI outputs (subject to varying use restrictions). 
• Some providers warrant outputs will conform to accuracy and performance standards. 
• When personal data is involved, providers are frequently designated as data processors—though processor status may not be available in all jurisdictions when AI training is involved.
• The parties often agree to comply with applicable law for the portions of the engagement for which they are responsible.

Other considerations:

• Clearly define input and output data to support ownership and use rights provisions. 

• Consider the interaction of AI-specific terms with other sections (such as whether confidentiality provisions extend to AI inputs or outputs, or whether inputs / outputs may qualify as feedback) as well as ancillary documents, such as acceptable use policies and other customer binding policies.  

• Allocate any potentially applicable compliance obligations, such as bias testing, consumer disclosures, or consent requirements.  

Final takeaway 

AI offers significant benefits for PE firms and their portfolio companies, but these advantages are only realized when technologies are properly vetted and implemented. Careful assessment of providers, AI, and use cases, along with targeted contractual protections, is essential for mitigating risks and maximizing value.  

---

 

About Orrick 

Orrick is a global law firm focused on delivering innovative solutions to investors in Technology, AI, Energy & Infrastructure, Life Sciences & Healthtech, and FinTech. We help sponsors and their portfolio companies execute innovative investment strategies, navigate operational issues, enable the execution of growth opportunities and manage risk in a rapidly evolving business landscape. For more information on AI developments, please visit the Orrick AI Law Center.  

 

Nick Farnsworth Partner, Orrick – Nick is a partner in Orrick’s Cyber, Privacy & Data Innovation practice. He advises companies on the responsible development and use of data and technology, guiding clients through U.S and international AI, privacy, security and data enablement requirements and strategies. Nick develops comprehensive data protection programs and risk management solutions for the development, use and acquisition of advanced technologies, including AI and machine learning, adtech, automated and connected vehicles, and biometric tools. He also represents clients subject to regulatory inquiry and governmental investigations relating to their data and technology practices.