AI is deeply embedded in corporate operations, affecting decision-making, product design and risk management, raising critical concerns for boards. (Photo: iStock) That increased AI use by employees means the question for company boards is no longer whether AI will affect their business. It already does. The sharper question is whether directors know where it is being used, what data it is swallowing, what decisions it is shaping and what legal risks may be creeping in through the side door?
Leanne Mostert, a partner at Webber Wentzel, says AI risk sits at the intersection of law, information technology, intellectual property, governance and strategy. It is not something that can be safely parked with the IT department and revisited once a year in a cyber risk presentation.
“AI is no longer something coming down the line that financial institutions are preparing for. It is already embedded in how decisions are made, how products are designed and how risk is managed,” Mostert says.
For boards, that is the governance tripwire. AI is being used for speed and convenience, but it may also expose companies to copyright infringement, loss of confidential information, weak accountability and poor decision-making if there is no clear oversight.
In an interview with Daily Maverick, Mostert put it plainly: “Copyright infringement, trade secret loss. The basic principles have not changed. It’s just that it’s extremely difficult to use AI in compliance with those principles.”
That difficulty starts with everyday workplace behaviour. Employees may paste client information, internal research, contracts, financial data or strategy documents into public AI tools to summarise, rewrite or analyse them. They may think they are saving time. In reality, they may be giving sensitive information to a system outside the company’s control.
The law has not suddenly become a new beast. Copyright, confidentiality and data protection rules still apply. The problem is that AI makes it much easier for employees to breach them casually and at scale.
Mostert explains that South African copyright law does not depend only on whether a person intended to infringe. The question is whether a substantial part of a protected work has been reproduced. That creates risk where staff upload third-party research, client material or proprietary content into AI platforms without permission.
The intellectual property problem runs in both directions. Companies must ask whether they are unlawfully using someone else’s protected material, but also whether they can protect what AI helps them create.
Patent law in several jurisdictions has made one point clear: AI cannot itself be recognised as the inventor. Human involvement remains central. Owning an AI tool does not automatically mean owning everything it produces.
Stephen Thaler, an AI developer, famously created a system called Dabus, short for Device for the Autonomous Bootstrapping of Unified Science. He argued that Dabus had independently come up with two inventions, with no human hand on the creative steering wheel.
Thaler then filed patent applications listing Dabus as the only inventor. The US Patent and Trademark Office was not having it. It rejected the applications with a ruling in 2022 stating current patent law recognises human inventors, not machines.
Trade secrets
Proprietary datasets, model training methods, internal processes and refined prompts may become commercially important. But some of these assets do not fit neatly into traditional copyright or patent frameworks. They may need to be protected as trade secrets.
Trade secrets are valuable but fragile. Once confidentiality is lost, protection may disappear with it. That is why AI use policies cannot be vague documents in a compliance folder, but need to be understood by staff, monitored by management and tested by the board.
Mostert argues that the board’s role is not to become a room of machine-learning specialists. It is to ask sharper questions.
“Boards must also understand the assumptions, data and processes driving those outcomes,” she says.
Many directors are used to receiving outcomes: a risk score, an approval recommendation, a customer profile, a forecast, a compliance result. AI changes the boardroom burden because directors may now need to understand how those outputs were generated, what data was used, whether the model has drifted, and who is accountable when an AI-assisted decision harms a customer, breaches a contract or damages the company.
Louise Parry, a partner at Lander and Rogers, notes that directors must have a fundamental understanding of AI to properly oversee their organisation’s deployment of AI systems, AI-related risks and to discharge their directors’ duties.
The human factor
There is also a human risk. Heléne Vermaak, director at The Human Edge, warns that AI can improve speed and output while weakening the human connections that make teams effective.
“The conversation around AI has largely focused on productivity and efficiency, but organisations also need to ask what happens to trust, communication and collaboration when people increasingly work through technology instead of with each other,” Vermaak says.
If employees stop asking colleagues for advice and default to AI tools, organisations may lose informal challenge, peer review and ethical friction. Those small human speed bumps often stop bad decisions from becoming expensive ones.
AI governance should therefore cover more than cyber security and software procurement. Boards need a clear map of where AI is used across the company, who approved those tools, what data may be entered, what information is prohibited, how outputs are checked and whether staff understand the risks.
They should also ask whether AI adoption is aligned with business strategy rather than being driven by tool-hopping enthusiasm.
💡Does the company know which AI uses create value?
💡Does it know which ones create legal exposure?
💡Are confidential datasets and internal models protected?
💡Is there a process for reviewing AI outputs before they are used in high-risk decisions?
Mostert’s point is that AI governance cannot be a once-off policy exercise.
“AI is not static. Models evolve, outputs shift and risks change over time,” she says.
That makes AI a boardroom issue rather than a tech trend. The companies that handle it well will not necessarily be the ones using the most AI. They will be the ones that know where it sits in the business, what it is doing, what it is learning from and who remains accountable. DM