Tammy Zhu, VP of Legal at Sourcegraph Inc. , shares risk management steps that companies should take when negotiating contracts and selecting features for AI coding assistants in the workplace. The rapid growth of AI coding assistants has made them a sought-after tool for engineering teams across all companies. While these assistants can enhance test coverage and identify code issues, they pose legal risks that need to be addressed. To mitigate these risks, there are four key terms to consider when evaluating AI coding providers. Firstly, it is crucial to include in your contract that your data (inputs and outputs) will not be used for model training. Model providers typically retain your data, and in the event of a security breach, this could result in a notifiable security incident. Depending on the sensitivity of the data in your code, you may be obligated to notify affected users, customers, and government agencies. Customer termination rights may also be triggered by security breaches. Personal data processed by the model may be subject to data subject rights.

Negotiating minimal retention periods for your code's models is essential to reduce the risk of code leakage and ensure compliance with data privacy regulations. The best approach is a zero retention policy, where your inputs and outputs are not stored beyond the generation of the output. Additionally, it is important to clarify ownership of the outputs created by your use of the AI coding assistant. To avoid potential issues, ensure that you own the intellectual property rights instead of licensing them from the provider. If licensing is necessary, request an irrevocable, perpetual, and royalty-free license to protect your interests. Lastly, a broad indemnity should be negotiated to cover potential copyright claims related to AI-generated code. While the risk of copyright suits is low due to the private nature of code snippets, an indemnity will provide defense against claims of IP infringement. In addition to these contractual considerations, enforcing coding best practices is crucial. Avoid incorporating personal and customer data in code, implement thorough code reviews, and regularly conduct scans and testing. By following these risk management steps and prioritizing coding best practices, companies can navigate the challenges presented by AI coding assistants effectively.