AI and the law for Texas businesses: the compliance landscape.

Texas businesses can and do use AI tools, but doing so without evaluating the legal exposure is not the same as having no exposure. AI use intersects with established areas of law — IP, employment, contract, privacy, and consumer protection — and creates new questions in areas where the law is developing. The principal risks include: confidential information exposure when proprietary or sensitive data is submitted to third-party AI services; copyright and IP infringement risk both when AI-generated outputs incorporate protected material and when company IP is submitted as training input; employment law exposure when AI is used in hiring, performance management, or termination decisions; contract liability when AI tools produce errors or hallucinations that affect deliverables; and consumer protection exposure when AI is used to make automated decisions about customers. None of these risks are unmanageable, but managing them requires an AI use policy that addresses what tools are permitted, what data may be submitted, what review is required of AI-generated outputs, and what disclosure obligations apply. Texas businesses operating without an AI use policy are not avoiding the risks — they are accepting them without analysis.

The U.S. Copyright Office's current position, set out in 2023 guidance and confirmed in subsequent registration practice, is that copyright protection extends only to material that is the product of human authorship. Material generated entirely by AI without sufficient human creative input is not protected by copyright. Material that combines AI-generated elements with human-authored elements may receive copyright protection for the human-authored portions. The practical consequence for Texas businesses producing AI-assisted creative work — marketing content, software code, written materials, designs — is that the human contribution to the work matters significantly for determining whether the resulting product is protectable. Substantial human selection, arrangement, modification, and creative input typically produces a copyrightable work; minimal human input on AI-generated material typically does not. Federal courts have begun addressing AI copyright questions including Thaler v. Perlmutter (D.D.C. 2023) confirming human authorship is required, and several pending cases addressing whether use of copyrighted works in AI training constitutes infringement. The legal landscape is evolving rapidly. Texas businesses with material AI-assisted creative output should document the human contribution to the work and revisit copyright strategy as the legal landscape clarifies.

Generally no — at least not without specific contractual protections that ensure the information is not used for model training and is not retained beyond what is necessary for the immediate task. Many publicly available AI tools — particularly free or low-cost consumer versions — explicitly retain submitted data and use it for model training. Submitting confidential business information, trade secrets, customer data, or attorney-client privileged material to such tools may constitute a disclosure that destroys confidentiality protection. The legal consequences include: loss of trade secret status; waiver of attorney-client privilege; breach of confidentiality obligations to customers, partners, or employees; and potential breach of regulatory confidentiality obligations under HIPAA, GLBA, FERPA, or state privacy laws. The practical answer for Texas businesses is to use enterprise AI products that contractually disclaim training use and provide enterprise-grade data handling commitments — Microsoft Copilot for Enterprise, Google Workspace AI offerings, Anthropic's enterprise products, OpenAI's enterprise products, and similar — and to maintain an AI use policy that prohibits submission of confidential information to consumer-grade AI tools. The combination of contractual protections plus operational discipline is the structural answer; relying on either alone is typically insufficient.

Yes, but the employment use case is one of the most regulated areas of AI compliance and the area where regulatory enforcement has begun. The federal EEOC has issued technical assistance documents and brought enforcement actions where AI tools used in hiring produce disparate impact on protected groups, taking the position that employer use of AI does not change the substantive prohibition on employment discrimination. NYC Local Law 144 (effective July 2023) requires bias audits and candidate notice for automated employment decision tools. The Colorado AI Act (signed 2024, effective February 2026) imposes substantial obligations on developers and deployers of high-risk AI systems including those used in employment decisions. Illinois, Maryland, and other states have enacted narrower provisions. Texas has not enacted AI-specific employment legislation but Texas employers using AI in employment decisions remain subject to federal anti-discrimination law and to the laws of states where their employees work. The structural recommendations: do not assume AI tools are bias-free; require vendor representations about bias testing; maintain human review of AI-influenced employment decisions; document the role of AI in any contested decision; align practices with the most stringent applicable jurisdiction.

The Colorado AI Act, Senate Bill 24-205, was signed into law in May 2024 and takes effect February 1, 2026. It is the first comprehensive state AI regulation in the United States and creates obligations for both developers and deployers of high-risk AI systems. High-risk AI systems are defined as those that make or are a substantial factor in making consequential decisions concerning education, employment, financial services, housing, government services, health care, insurance, or legal services. Deployer obligations include: implementing risk management policies and programs; conducting impact assessments for high-risk systems; providing notice to consumers about AI use in consequential decisions; offering consumers the ability to correct incorrect personal data and to appeal adverse decisions; and posting public statements about AI use. Developer obligations include providing impact assessment information to deployers and publishing public summaries of high-risk systems. The Act applies to entities doing business in Colorado, which generally includes Texas businesses with Colorado customers, Colorado employees, or Colorado-located decisions affected by AI. Other states are considering similar legislation, and the Colorado AI Act is widely viewed as a likely model for state AI regulation in the next several years.

AI vendor contracts now address several categories of provisions that were not standard in pre-AI software contracts. Data handling provisions: how customer data is processed, whether it is used for model training, retention periods, deletion obligations, and security commitments. Output ownership: whether the customer or vendor owns AI-generated outputs, what rights either party has to use them, and any restrictions. IP indemnification: whether the vendor indemnifies the customer against IP infringement claims arising from AI outputs. Performance and accuracy: representations about output quality, hallucination rates, and accuracy, with often-modest commitments and disclaimers. Compliance obligations: representations about compliance with applicable AI regulation including state laws like the Colorado AI Act, employment AI regulations, and bias testing obligations. Audit rights: customer rights to audit AI use, particularly for high-risk applications. Service level commitments: uptime, performance, and remedies for failure. Termination rights: customer rights to terminate for cause including failure to meet AI-specific performance commitments. The contracting landscape favors larger customers who can negotiate. Smaller customers using consumer or self-serve AI products are typically bound by vendor-favorable form contracts that limit recourse.

An effective AI use policy typically addresses six recurring topics. Approved tools: which AI tools employees are authorized to use for company purposes, distinguishing enterprise products with appropriate contractual protections from consumer products that should not be used with company information. Permissible uses: what tasks may be performed with approved AI tools, with attention to high-risk uses requiring additional review (employment decisions, customer-affecting decisions, regulatory submissions). Data handling: what categories of company information may be submitted to AI tools, what categories may not (confidential information, trade secrets, customer data, regulated data, attorney-client privileged material), and the rationale that translates into practical guidance. Review and verification: requirements for human review of AI-generated outputs before they are used for company purposes, with attention to factual accuracy, source verification, and the well-documented hallucination problem. Disclosure: when and how AI use must be disclosed — to customers, counterparties, regulators, in employment decisions, in legal proceedings. Compliance integration: how the policy interacts with other company policies including information security, confidentiality agreements, employment policies, and customer commitments. The policy should be operational rather than aspirational. The policy should be reviewed at least annually.

AI has materially affected legal work and will continue to do so. Document review, contract analysis, legal research, drafting first drafts of routine documents, and similar tasks have all been affected, with capable AI products handling some categories of work that were previously performed by junior lawyers and paralegals. The strategic and judgment-intensive elements of legal practice — understanding what a client actually needs, reading the human dynamics of a contested matter, anticipating how a regulator or counterparty will react, knowing when to push and when to yield in negotiation, recognizing the difference between what the client is asking for and what the client should have, integrating legal advice with broader business strategy — remain firmly within the domain of human lawyers and are unlikely to be replaced by AI in any near-term horizon. The realistic answer is that AI tools augment the work of capable lawyers rather than replace them. The work AI can do well, AI does increasingly well; the work AI cannot yet do well — and may never do well — is the work that distinguishes high-quality legal counsel from commodity legal services. The implication: AI is making routine legal work more efficient and less expensive, while making strategic and judgment-intensive legal work more valuable by comparison.