AI usage at work – risks and policy template for Indian companies

AI is a vital asset in any organisation providing means to easily scale its operations as well as improve its efficiency. Thus, with the AI still being in its nascent stage the implementation of AI in the workplace especially in India will need a systematic evaluation of the legal risk, compliance and a well-constructed internal governance policy. The main goal of this paper is to explore and describe the risks arising out of the implementation of AI and template of policy which should be implemented by Indian companies to control the usage of artificial intelligence by its employees. The paper further provides mechanism which emphasis the means to carefully balance the functioning of AI in the corporate settings for entities to utilise the benefits at the same time mitigating potential risks.

The rising popularity of generative AI systems stems from OpenAI applications, automation bots, and prediction systems. However, such AI systems have raised concerns with respect to the regulatory, contractual and reputational risk. Indian employers must strategise the implementation of models with the AI systems implementation in daily workflow by the means of formal AI Indian employer policy, which has to be set in force to govern the various departments of an entity which include but is not limited to IT, human resources, and compliance strategies.

What are the legal and business risks, policy template that should be considered in the use of AI at work?

The most relevant risks and issue which causes in hinderance to the preparation of the AI policy arises in the case where the AI implementation in the workplace is likely to create unauthorised exposure of confidential data, data protection violations, intellectual property conflicts, and regulatory non-compliance.

The most prevalent legal and operational risks arising out of the use of AI as far as governance is concerned involve:

• Sharing sensitive confidential client data to AI systems.
• Posting of employee or customer information without conforming to the DPDP Act, 2023 requirements.
• The output provided by the AI giving rise to intellectual property concerns with respect to the ownership of such intellectual property.
• False or discriminative results that may lead to financial or reputational losses.
• Violations of non-disclosure clauses of a contract.

Risks of AI tools confidentiality

One main element of the risks which should be taken in consideration while preparing the policy framework is associated with the confidentiality of the data.

Employees while seeking to utilise the AI tools frequently input:

• Client information;
• Financial records;
• Program source code;
• Human Resource documents; and
• Intranet strategy manuals.

Where generative AI tools store, calculate, or transfer such inputs off the record, the companies acquire risk in the following manner:

• Violation of non-disclosure agreements or clause;
• Publishing of trade secret; and
• Reputational damage.

The risks of breach of confidentiality are major concern for any entity and policy must explicitly prohibited or regulate the use of AI tools in companies.

Is employee use of generative AI tools legal in Indian workplaces?

The Indian law does not ban the use of generative AI tools by employees if they do not violate the contractual, regulatory and data protection requirements. The illegitimacy of AI application at work relies on the policy which have been put in place by the entity to address such issues.

Indian businesses must determine the compliance of generative AI tools with statutory requirements, internal compliance policies and third-party contractual obligations. Specifically, the responsibilities in the Digital Personal Data Protection Act, 2023 should be adhered to in the situation where the personal information is processed by AI.

Key legal factors to assess

• Type of information uploaded to the AI. It is essential to determine whether the employees are uploading personal information, client information, a trade secret or proprietary information into any AI tools.
• Data protection compliance which includes consent requirements, purpose limitation and reasonable security protection under applicable law.
• Cross-border data exposure arises when the AI tools store or process information outside India, it will attract a further compliance examination.
• Client contractual restraints such as non-disclosure agreements that forbid disclosure of the information to the third-party platform.
• Regulatory requirements based on the specific sector.
• Considerations of employment law including  monitoring, restrictions or disciplinary measures and transparency in communication.

Should Indian companies have a formal risks and policy template for AI usage?

Yes, a written risks and policy with respect to AI is necessary to create accountability, map acceptable behaviour, reduce regulatory requirements and liability in the workplace.

Without an official AI workplace policy among Indian employers, companies would experience uncertainty in their operations and high compliance risk. The courts and regulators evaluate the reasonable safeguards that were taken and undocumented practices weaken the defensibility in the event of any data breach.

The following are the functions of a formal policy:

Risk Allocation and Governance

• Determines permitted and unacceptable use of AI.
• Develops escalation and reporting systems.
• Elucidates the concerns over the ownership of AI generated content.

Data Protection and Compliance, Regulatory

• Demonstrates risk aversion.
• Conformity between internal practice and statutory practice.
• Facilitates audit and investigation response.
• Lessens exposures to privacy infractions.

Operational Consistency

• Deters avoids apathetic AI experimentation between teams.
• Introduces the use of AI into the permitted sectors such as IT and HR.
• Makes adoption of new tools i.e. AI in a controlled environment.
• Paves the way for periodic review of the compliance.

The use of AI should be a managed corporate practice, where a structured risks and policy becomes essential to determine the work environment. It allows innovation to take place all the while ensuring that a defined and structure compliance policy is enforced in an organisation.

What should be included in a corporate AI risks policy ?

An effective template for the AI risks policy must be precise, enforceable, and aligned with operational realities. The policy should address the following components.

1. Definition of permitted and prohibited use

The policy must clearly define acceptable AI usage indicating the scope of usage and the activities for which AI tools are not permitted.

Permitted use may include:

• Research;
• Drafting non-confidential content;
• Internal productivity enhancement; and
• Coding assistance using approved tools.

Prohibited use of AI in the workplace should include:

• Uploading of confidential client data or trade secrets;
• Processing of the personal data without consent;
• Use of AI for discriminatory decision-making; and
• Circumvention of IT security controls.

2. Confidentiality and data handling protocol

The risks and policy template must prohibit disclosure of the following:

• Client confidential information;
• Personal data;
• Trade secrets and intellectual property; and
• Internal financial records.

The policy should mandate:

• Prior approval before uploading sensitive data;
• Use of enterprise-approved AI tools only;
• Verification of tool data retention policies; and
• Compliance review for cross-border data flows.

These measures mitigate confidentiality breached and IP risks arising from the use of AI tools.

3. Intellectual property and ownership

The AI-generated outputs raise complex ownership issues particularly with reference to the individual to whom the intellectual property rights shall belong to and who shall bear the risk arising out of any disputes arising therfrom.

The policy must clarify:

• Ownership of employee-generated AI outputs;
• Responsibility for IP infringement risk;
• Requirement to verify originality; and
• Prohibition on relying solely on AI for copyrighted materials.

4. Regulatory compliance and risk assessment

Companies should embed a structured Corporate AI governance framework India within the policy which includes:

• Internal assessment of any AI tool prior to its adoption of such tool;
• Vendor due diligence on AI tool used by such vendor;
• Documentation of approved AI tools;
• Periodic review of tool compliance posture; and
• Escalation procedure for AI-related incidents.

5. Monitoring and enforcement

The risks and policy template should define monitoring rights to the extent of which the employer may implement the following terms:

• Usage logs;
• IT monitoring tools;
• Periodic audits; and
• Mandatory disclosure of AI-generated content.

6. Disciplinary consequences

The Company must establish a clear and concise enforcement mechanisms to enhance the policy’s effectiveness.

The policy should specify the following details and method about the disciplinary mechanism:

• Manner in which the written warnings may be issued;
• Suspension of access privileges if any available to the employee;
• Formal disciplinary proceedings against any violation; and
• Termination in cases of serious misconduct.

By substantiating explicit written consequences for AI misuse and violation of policy ensures that risk is mitigated and the misuse is reduced.

What should companies do to deal with cross-border data exposure?

The data exposure across borders due to the transfer of such data to other countries should be managed through an organised compliance framework which takes into consideration the legal landscape where such data is being transferredintegrated into the policy of the company. Any personal or confidential information shared with AIs located outside of India should only be made after determining the compliance with law and the analysis of potential financial loss.

The majority of generative AI systems store or handle information in other jurisdictions. By having employees enter business information in such tools, the organisation may be performing cross-border data transfers upon each use of the AI tools. A template of policy must require the following protection:

Cross-border data transfers identification

• Acertain whether the AI tool stores or processes data outside India;
• Determine the location of servers and cloud infrastructure maps;
• Check whether or not metadata, prompts or output are maintained by the vendor; and
• Determine whether the tool is based on sub-processors across different jurisdictions.

Legal capacity and regulatory controversies

• Ensure that there is justifiable consent or reasonable purpose to process personal data;
• Ensure that no government notifications limits the data transfer to certain countries;
• Assess industry-related compliance requirements; and
• Make sure that purpose limitation and storage limitation principles are observed.

Vendor due diligence and contractual protection

• Ensure that the data processing agreement of an AI provider is in compliance with the data protection act and is aligned with the best practices;
• Review confidentiality policies and data retention policies to determine the risk arising from such policies;
• Ensure that the vendor has mechanism set out to enforce the right to erasure of data and right to audit ; and
• Evaluate the data breach or misuse indemnity measures.

Cross-border data transfer and processing is not illegal, but uncontrolled flow of transfers is likely to attract greater risks.

How can employers implement AI governance without hindering innovation?

Implementation of AI governance can be done without the need to deter innovation by adopting a proportional and risk-based policy.

AI is a key source of productivity, analytics, and automation at any organisation. A complete prohibition will lead to the existence of shadow use since employees are likely to use unapproved tools without any supervision. An organised system of governance allows innovation under set parameters of compliance.

A decent Corporate AI governance system India must comprise of the following components:

• Artificial intelligence acceptance and supervision system.
• Create a review or approval committee of AI within the company.
• Demand risk evaluation prior to the use of new AI.
• Keep a list of accepted platforms.
• Ramp up risky cases to be reviewed legally and by IT.

This makes AI a part of the formal governmental functions and not a non-formal tool of productivity.

Risky AI tool categorization

• Semi-safe instruments (e.g., grammar correction non-data storage).
• Medium risk instruments (in-house document preparation with protection).
• Tools with a high level of risk (processing personal data, automated decision-making).

The proportional compliance to the stricter controls of the policy should be developed according to the risks level as the risks increase.

Sandbox Testing and Pilot Programs

• Do pilot testing before going enterprise wide.
• Measure data security, accuracy and reliability of operations.
• Findings of the documents and correction steps.
• Get written sanction prior to full implementation.

The legal uncertainty is minimized through structured experimentation and responsible innovation is promoted.

Periodic audit and review of policies

• Examine AI application every so often.
• Revise guidelines in regulatory changes.
• Carry out in-house checks on breaches of compliance.
• Document relevant corrective measures and incident responses.

The government should be flexible as the AI technologies are being developed.

Training and awareness of employees

• Conduct voluntary education on the use of acceptable AI.
• Detail confidentiality and data protection requirements.
• Elaborate on disciplinary measures on misuse.
• Promote reporting of AI-related cases.

The concepts of innovation and compliance are not necessarily opposing. An effective risk and policy template can allow organisations to embrace AI in a responsible way, without the risk of compromising regulatory integrity and confidential business interests.

Policy template – sample structure for Indian companies

1. Purpose

This policy governs AI usage at work and defines the risks and policy template framework applicable to employees.

2. Scope

The policy must specify the individuals to whom the policy applies:

• Full-time employees;
• Contract staff;
• Consultants; and
• Interns.

It should also provide the AI tools which are covered by the policy based on the company’s internal governance.

3. Definitions

The policy must provide for specific definations:

• Artificial Intelligence;
• Generative AI;
• Approved AI Tools;
• Confidential Information; and
• Personal Data.

4. Permitted use

List allowed activities subject to compliance.

5. Prohibited use

The policy must provide the specify and clear prohibitions.

6. Data protection compliance

The policy must mandate the adherence to:

• Internal data handling standards are maintained;
• Applicable privacy law and best industry practices; and
• Client contractual obligations are implemented.

7. Intellectual property

The policy must mandate that the employee is able to certify that the product being submitted to the entity was created by such employee and that the employer has the right to review the originality of such submissions.

8. Monitoring and audit

The policy must specify grant the employer rights to:

• Monitor usage with respect to AI work;
• Conduct audits; and
• Investigate violations of the policy.

9. Disciplinary action

The policy must establish a mechanism by which the parties may approach any grievance arising out of use of AI. It must provide the contact details for grievance offer and other key factors.

10. Review and updates

The policy must be regularly updated in order to maintain compliance with the law and best practice with respect to AI.

Frequently asked questions

Can an Indian company ban AI tools entirely?

Yes, the companies may prohibit AI usage if risk assessment deems it necessary. The same can be implemented by meticulously preparing policies and agreements of the company to govern the internal functions to restrict usage of AI.

Is it illegal to paste client data into generative AI tools?

The legality of such use is subject to the agreement and policies that are enforced by the entity. The use of generative AI tools may constitute a breach of confidentiality or privacy obligations depending on such documents.

Are employers liable for employee AI misuse?

Yes, in certain situations employers remain responsible for actions which includes the misuse of AI if such misuse falls within scope of employment.

Should startups adopt an AI policy?

Yes., the AI policy ensures that the start up’s risk is mitigated. The risk exposure arising out of AI is not limited to large enterprises.

How often should the policy be updated?

It is suggested that an entity may at least at an annual or upon regulatory developments basis update its policy.

Conclusion

AI is another tool in one’s toolbox and its adoption in the Indian workplaces presents both opportunity and exposure to risk. To control the demerits of the use of AI, the entity must establish a structured policy which ensures that:

• Compliance with Digital Personal Data Protection Act, 2023;
• Protection of confidential information by implementation of relevant clauses;
• Clear allocation of responsibility with respect to use of AI;
• Regulatory defensibility; and
• Sustainable innovation.

A well-drafted governance framework transforms unmanaged risk into structured operational control and room for growth.

About Us

Corrida Legal is a boutique corporate & employment law firm serving as a strategic partner to businesses by helping them navigate transactions, fundraising-investor readiness, operational contracts, workforce management, data privacy, and disputes. The firm provides specialized and end-to-end corporate & employment law solutions, thereby eliminating the need for multiple law firm engagements. We are actively working on transactional drafting & advisory, operational & employment-related contracts, POSH, HR & data privacy-related compliances and audits, India-entry strategy & incorporation, statutory and labour law-related licenses, and registrations, and we defend our clients before all Indian courts to ensure seamless operations.

We keep our client’s future-ready by ensuring compliance with the upcoming Indian Labour codes on Wages, Industrial Relations, Social Security, Occupational Safety, Health, and Working Conditions – and the Digital Personal Data Protection Act, 2023. With offices across India including Gurgaon, Mumbai and Delhi coupled with global partnerships with international law firms in Dubai, Singapore, the United Kingdom, and the USA, we are the preferred law firm for India entry and international business setups. Reach out to us on LinkedIn or contact us at contact@corridalegal.com/+91-9211410147 in case you require any legal assistance. Visit our publications page for detailed articles on contemporary legal issues and updates.

Legal Consultation

In addition to our core corporate and employment law services, Corrida Legal also offers comprehensive legal consultation to individuals, startups, and established businesses. Our consultations are designed to provide practical, solution-oriented advice on complex legal issues, whether related to contracts, compliance, workforce matters, or disputes.

Through our Legal Consultation Services, clients can book dedicated sessions with our lawyers to address their specific concerns. We provide flexible consultation options, including virtual meetings, to ensure ease of access for businesses across India and abroad. This helps our clients make informed decisions, mitigate risks, and remain compliant with ever-evolving regulatory requirements.