IP Ownership of AI-Generated Work Product: What In-House Counsel Should Establish Now

Your employees are using AI tools to create deliverables, contracts, and analysis — but AI-generated work product may not be copyrightable. Here's what in-house counsel should establish now to protect the company's IP position.

IP Ownership of AI-Generated Work Product: What In-House Counsel Should Establish Now
Loading AudioNative Player...

Federal copyright law requires a human author. That is not a policy preference or an emerging trend — it is what the statute says and what courts have now confirmed at the appellate level. Under 17 U.S.C. § 101, copyright protection attaches to "original works of authorship," and the D.C. Circuit held in Thaler v. Perlmutter that "the Copyright Act of 1976 requires all eligible work to be authored in the first instance by a human being." The Supreme Court denied certiorari in March 2026, leaving that rule settled. Content produced entirely by an AI system — with no human author in the copyright sense — is not protectable.

The Copyright Office's Part 2 Copyrightability Report (January 2025) fills in the line between protectable and unprotectable AI-assisted work. The Office concluded that prompts alone are insufficient: "prompts may reflect a user's mental conception or idea, but they do not control the way that idea is expressed." Instructing a model to write a contract summary or draft a litigation memo does not make the prompter an author of the output. What does qualify is human creative contribution that is perceptible in the final work — selecting which AI outputs to use, arranging them, or making expressive modifications. The more that human judgment shapes the expressive result, the stronger the copyright claim.

The corporate risk follows directly from this gap. Work-for-hire doctrine under 17 U.S.C. § 101 can only assign to your company a copyright that exists in the first place. If outside counsel, a vendor, or an employee uses an AI tool to produce deliverables that qualify as AI-only output, there is no copyright to transfer — your company receives nothing assignable, regardless of what the contract says. That is the practical problem in-house teams need to plan around now.

⚖️
The Thaler rule in practice: A work produced solely by an AI model — with no human making expressive choices about the output — cannot be copyrighted. Your work-for-hire clauses cannot assign what does not exist.

Work-for-Hire Doctrine and Its Limits When AI Is Involved

Even when a copyright exists in an AI-assisted work product, the work-for-hire doctrine may not deliver ownership to your company in the way your contracts assume. Under 17 U.S.C. § 101, a work made for hire arises in only two situations: a work prepared by an employee within the scope of employment, or a work specially ordered or commissioned that falls into one of nine enumerated categories — contributions to collective works, motion pictures, translations, supplementary works, compilations, instructional texts, tests, answer material for tests, or atlases — provided the parties sign a written instrument expressly designating it as work for hire. Outside those two tracks, no contract language creates a work-for-hire relationship, no matter how confidently drafted.

The employee track is less reliable than it looks. In Community for Creative Non-Violence v. Reid, 490 U.S. 730 (1989), the Supreme Court held that "employee" under the Copyright Act is not defined by contract title but by common-law agency principles — a 13-factor test that examines skill required, source of tools, location of work, duration of the relationship, the hiring party's right to assign additional projects, the hired party's discretion over schedule, method of payment, role in hiring assistants, whether the work is part of the regular business, whether the hiring party is in business, provision of employee benefits, and tax treatment. The practical implication: a highly skilled developer or AI specialist engaged on a project basis may look like a contractor under Reid even if they work exclusively for your company. That means the employee WFH track may not apply, and you are left relying on the nine-category contractor track — which almost certainly does not cover a custom AI system, a trained model, or a strategic analysis memo.

There is also the foundational problem carried over from the copyright gap: work-for-hire can only assign a copyright that already exists. If a vendor or outside counsel uses an AI tool to generate deliverables with no perceptible human authorship, the doctrine has nothing to operate on. Your assignment clause is an empty transfer.

Trade Secret Law as a Parallel Protection Layer

The Defend Trade Secrets Act offers a structurally different path. Neither the DTSA nor the Uniform Trade Secrets Act contains a human-creation requirement — an AI-generated algorithm, dataset, process, or analysis qualifies for protection if it derives independent economic value from not being generally known or readily ascertainable, and if the owner takes reasonable measures to maintain secrecy. Registration is not required. Human authorship is irrelevant. That means AI-generated work product that cannot be copyrighted can still be protected as a trade secret, as long as your company treats it like one.

The operational burden is the tradeoff. Trade secret protection requires affirmative, documented steps: access controls, confidentiality agreements, employee and vendor policies, and internal classification procedures. A company that receives AI-generated work product from a vendor, drops it into a shared drive with no access restrictions, and does not address it in NDAs has likely abandoned any trade secret claim before it arises. In-house counsel building a trade secret protection strategy around AI-generated work product should treat the reasonable-measures requirement as a live operational standard, not a checkbox at contract signing.

🔑
The fallback that works: When copyright is unavailable because the work is AI-generated, DTSA trade secret protection is the most reliable alternative — but only if your company actively maintains secrecy from the moment the work product is created or received.

What AI Vendor Terms Actually Say About Output Ownership

Before drafting an internal AI policy, most in-house counsel reach for the vendor's terms of service. The language in those agreements looks promising at first glance — until you read it carefully. Both OpenAI's Terms of Use and Anthropic's Commercial Terms assign outputs to customers using near-identical language: OpenAI "assigns to you all our right, title, and interest, if any, in and to Output," and Anthropic mirrors this with "assigns to Customer its right, title and interest (if any) in and to Outputs." The qualifier does the real work here. A contractual assignment of rights the assignor does not possess conveys nothing. If copyright does not attach to the AI output under the Copyright Act, there is nothing for the vendor to assign.

Microsoft's M365 Copilot documentation is more candid about the problem. Microsoft does not claim ownership of Copilot outputs, but it also explicitly declines to determine whether a customer's output is copyright-protected — and flags a structural issue that the other vendors' terms gloss over: because generative AI systems may produce the same response to similar prompts from multiple users, "multiple customers may have or claim rights in content that is the same or substantially similar." That is not a vendor problem to solve. It is a consequence of how large language models work, and no assignment clause in any terms of service changes it.

Vendor indemnification programs are often cited as a form of IP protection, but they operate in a different dimension entirely. Microsoft's Copilot Copyright Commitment, for example, covers the scenario where a third party sues your company for infringing someone else's copyright by using Copilot output. That is a shield against incoming claims. It does nothing to establish whether your company can wield the output as a copyright asset — asserting it against a competitor who copies your AI-assisted deliverable, registering it with the Copyright Office, or licensing it. Vendor indemnification resolves the defensive risk; it leaves the offensive IP question completely open.

⚠️
Vendor assignment clauses do not create copyright — they transfer whatever rights exist. If U.S. copyright law does not recognize a right in AI-generated output, the assignment clause is a conveyance of zero. Policy decisions cannot rest on contractual language that presupposes a legal answer courts have not yet given.

What an AI IP Policy Needs to Cover — A Framework for In-House Counsel

The legal exposure documented in the prior sections — the copyright gap, the work-for-hire ambiguity, the vendor indemnification carve-outs — all reduce to the same operational problem: your company is generating work product through AI tools without a documented basis for ownership claims. A well-drafted AI IP policy closes that gap. The following elements represent the minimum framework your policy team should address.

Define AI-Generated vs. AI-Assisted

This distinction is the documentation hook for everything else. AI-generated content (where the AI produces the substantive output with minimal human creative input) is not eligible for copyright protection under current Copyright Office guidance. AI-assisted content (where a human author makes expressive choices and the AI executes them) may be — but only for the human-authored portions. Without a clear definition embedded in your policy, your team cannot consistently categorize deliverables, and you cannot know what is protectable before you try to protect it.

Employee Disclosure and Attestation at Project Delivery

Require employees to document, at the point of delivering any significant work product, what AI contributed versus what they authored. A short attestation field in your project management or document management system serves this function without adding meaningful friction. This creates the contemporaneous record your IP counsel will need if a copyright question arises after the fact, and it builds the habit of distinguishing authorship before it becomes a dispute.

Documentation Requirements: Prompts, Version History, Human Contributions

For any AI-assisted work your company intends to register or defend, the documentation standard should include prompt logs, version history showing iterative human editing, and notes identifying the human decisions embedded in the final output. This is a precondition for copyright registration, not a nice-to-have. The Copyright Office will require this level of specificity when you disclose AI involvement in a registration application.

When filing applications for AI-assisted works, Copyright Office guidance published at 88 Fed. Reg. 16190 (March 2023) requires applicants to disclose AI-generated content and claim only the human-authored portions. Your policy should specify this as the default registration practice: disclaim the AI output, claim the human selection, arrangement, and editorial contribution. Registration with accurate disclosure is defensible. Registration that misrepresents authorship is not.

Approved Vendor and Tool List

Not every AI tool your employees are using has terms of service that support corporate IP ownership. As addressed in the prior section on vendor terms, several major platforms include "if any" qualifications on output ownership or reserve training rights over user inputs. Your policy should establish an approved list of AI tools vetted for: (1) output ownership granted to the user, (2) no-training clauses covering company inputs, and (3) enterprise data processing agreements. Unauthorized use of public AI tools for company confidential content should be an explicit policy violation — not because it is inconvenient, but because it constitutes a potential trade secret disclosure. Frameworks like the one published by Fisher Phillips identify vendor management as a standalone governance category, distinct from general acceptable use.

Contractor and Freelancer AI Clauses

Your standard contractor agreements should be updated to require pre-authorization before any AI tool is used on deliverables, written disclosure of AI use at delivery, and assignment of all AI-generated outputs — including prompts and intermediate outputs — to your company. A well-structured clause addresses inputs, prompts, and deliverables separately, confirming client ownership across all three. It should also prohibit entry of confidential or customer data into public AI platforms as a separate, affirmative restriction. If your current contractor templates predate 2023, they almost certainly do not address these issues.

Trade Secret Input Restrictions

This is the element with the most immediate risk profile. Employees entering confidential business information, client data, proprietary processes, or source code into non-approved AI platforms may be inadvertently destroying trade secret protection — reasonable measures to maintain secrecy are a prerequisite for DTSA protection, and permitting unrestricted AI input undercuts that standard. The same risk applies to in-house lawyers who use public AI tools to draft legal work involving client confidences. Texas Bar Ethics Opinion 705 (February 2025) identified this risk directly, noting that self-learning AI programs may store confidential information input by a lawyer and reveal it in responses to future third-party queries. ABA Formal Opinion 512 (July 2024) similarly addresses confidentiality and competence obligations when lawyers use AI tools.

⚠️
For in-house lawyers: Entering client data, litigation strategy, or confidential business information into a public AI tool — one without an enterprise DPA and data isolation guarantees — is not just a policy violation. It is a potential confidentiality breach under applicable professional conduct rules. Your AI policy should address your legal team's tool usage separately from the general employee policy, with stricter controls on what data may be processed and by which platforms.

Practical Steps for In-House Counsel to Act on Now

The policy framework from the previous section does not protect the company until it is actually in place. Shadow AI is not a future risk — a 2025 Gartner survey found that 69% of organizations already suspect or have evidence that employees are using prohibited public generative AI, and Gartner projects that more than 40% of enterprises will experience a shadow AI security or compliance incident by 2030. The six actions below translate the policy framework into concrete deliverables with a defensible sequence.

  1. Audit current AI tool usage across every department. Commission an inventory of every AI tool in use — sanctioned or not. Shadow AI is pervasive: Unseen Security's 2026 State of Shadow AI report found only 16% of employees are using employer-authorized AI tools, and 38% are sharing confidential data with unapproved platforms. Without a baseline, you cannot know what trade secret disclosures may have already occurred or what IP ownership gaps already exist.
  2. Update employment agreements. Add an explicit AI work product ownership clause that vests all AI-assisted output in the company. Separately, prohibit employees from inputting confidential or proprietary information into any AI tool that has not been approved through your vendor review process.
  3. Update contractor and vendor agreements. Add provisions requiring: prior written authorization before using AI tools on company work; disclosure of AI use at delivery; assignment of all AI-generated output to the company; and a prohibition on inputting confidential company information into any unapproved model. The Trinidad v. OpenAI court's dismissal of trade secret claims — because the plaintiff had voluntarily disclosed proprietary frameworks to ChatGPT — illustrates what happens when this restriction is absent from contractor agreements.
  4. Establish a documentation practice before you need it. The Copyright Office requires evidence of human authorship and creative control for AI-assisted works to qualify for registration. That evidence does not exist unless someone creates it contemporaneously. Implement a prompt log, version history, and human-contribution attestation as standard practice now, so the record exists when a registration question arises.
  5. Brief leadership on the copyright gap. AI outputs are not automatically copyrightable — the company cannot enforce IP rights it does not own. Texas Bar Ethics Opinion 705 makes the parallel point for lawyers: responsibility for work product submitted attaches regardless of whether AI did the drafting. Executives making build-vs.-buy decisions, product managers shipping AI-generated content, and marketing teams generating copy all need to understand that output without documentation is output without protection.
  6. Build a quarterly policy review cadence. Copyright Office guidance, DTSA case law on AI-related trade secret claims, and vendor contract terms are all evolving on a schedule that annual reviews cannot track. Assign a calendar owner, set a review trigger for major Copyright Office or court decisions, and treat IP-AI policy the way you treat your data retention schedule — as infrastructure requiring active maintenance.
The gap between having an AI policy and having an enforceable IP position is mostly documentation and contract language. Both are solvable problems — but only before a dispute, not after.

Need help auditing your AI contracts and IP ownership policies? Promise Legal works with in-house teams to close the gaps before they become disputes.

Start the conversation