AMBART LAW  ·  For AI-Enabled & SaaS Companies

AI Governance, Product Counseling & the Contracts That Follow

"AI governance" is often sold as a standalone deliverable—a policy, a memo, a checklist. We treat it as one part of a larger job: we also counsel your product and close the commercial agreements that put it into the world. Governance that stops at a memo is not governance. It is homework.


What we actually do

Three things, in the order your product needs them

A lot of what we do is not "AI governance" in the abstract. It is AI product counseling—and then drafting the commercial agreements that make the product shippable. The governance work, the product work, and the contracts are one continuous job, and we do all three.

01 · AI Governance

We map the laws that actually apply to your use case—new AI statutes and the legacy laws underneath them—and build a governance approach your engineering and product teams can live with. Practical, not performative.

02 · AI Product Counseling

We sit with the build. What does the model do, what data does it touch, what does it score, rank, or filter? We answer the product questions before they become litigation questions—before deployment, not after.

03 · Commercial Agreements

Then we draft and negotiate the contracts: vendor and data-sharing agreements, MSAs, and the reps, warranties, and indemnities that follow from your actual risk taxonomy—not a template tweaked until it sounds right.

Why most AI compliance has a blind spot

The new AI laws are newsworthy. But most are disclaimer laws and lack a private right of action. The laws that are more likely to get you sued are decades old.

Recently, 3 AI recruiting startups came to us in a single week with the same ask: help us with our client contracts. The ask was wrong—or at least incomplete.

All 3 knew NYC Local Law 144, the automated-employment-decision-tool disclosure law. None of them had heard of Mobley v. Workday, the live class action. That gap is the whole problem.

  • 3 / 3 knew NYC Local Law 144 (the new, newsworthy AI law)
  • 0 / 3 had heard of Mobley v. Workday (the case that certified a class)

In Mobley, an applicant who was screened out of 150+ jobs sued under the Age Discrimination in Employment Act of 1967—the ADEA—arguing Workday's AI screening had a disparate impact on applicants over 40. The Court rejected the "we're just a platform" defense and certified a class on the age-discrimination claims. The irony: Workday had lobbied for Local Law 144's narrow definition of "automated decision technology." It got hit not with that law, but with a statute from 1967.

If your product scores, ranks, or filters people—job candidates, tenants, borrowers, patients—a decades-old anti-discrimination statute almost certainly governs it: the ADEA and Title VII for hiring, the Fair Housing Act for tenants, the Equal Credit Opportunity Act for borrowers, Section 1557 of the ACA for patients. You are in that liability conversation whether or not you have read the statute. And your contracts are making reps and warranties, and potentially indemnifying customers, against exactly these suits. Luckily, that is what we are here for.

This is what we call legacy law: statutes that predate AI by decades, with a robust body of case law, that apply directly to what your product does, as well as laws that were never written with AI in mind but are now being leveraged to bring claims (e.g., state recording consent or wiretap laws, the Computer Fraud and Abuse Act). Real governance means evaluating the laws that apply to your use case—the ADEA, the Illinois Biometric Information Privacy Act (BIPA), the Fair Housing Act (FHA), the Equal Credit Opportunity Act (ECOA), the Children's Online Privacy Protection Act (COPPA)—not just the AI regulations, and not just the "right" words in a contract.

Update · June 2026 · Connecticut

Connecticut just routed AI hiring tools back to anti-discrimination law

On June 2, 2026, Connecticut enacted the Artificial Intelligence Responsibility and Transparency Act (the "CART Act," Public Act 26-15). It regulates automated employment decision technology—and, learning from the gaps in NYC's Local Law 144, it amends the Connecticut Fair Employment Practices Act to make clear that using an automated decision tool is not a defense to a discrimination claim. Courts and the state's human-rights commission may, however, weigh an employer's anti-bias testing as a mitigating factor.

Notably—and consistent with most AI statutes—the CART Act has no private right of action; the Connecticut Attorney General enforces it. Core obligations phase in between October 1, 2026, and October 1, 2027.

That is the legacy-law lesson in a single statute: Connecticut did not just add a disclosure duty—it tied AI hiring tools straight back to the existing anti-discrimination regime. Read our analysis of Local Law 144's enforcement gap →

Whom we advise

Built for teams shipping AI with regulated data

AI & Tech

Companies building with agents, LLMs, and multi-agent architectures that need innovation to clear legal review without stalling the roadmap.

SaaS Providers

Post-product-market-fit teams managing data privacy and IP across their own product and the AI vendors they integrate.

Creative & DTC

Brands and agencies navigating copyright, likeness, and licensing in AI-generated content and campaigns.

Startups

Early or scaling teams building a governance foundation from day one—before a data-sharing workflow or a vendor clause becomes a problem.

How we help

From governance to signed contract

Governance & Risk Mapping

  • Build a risk taxonomy for your actual use case, across new AI laws and legacy statutes.
  • Stand up an AI acceptable-use policy and a cross-functional review team.
  • Run product and vendor AI reviews that engineering and product will actually use.

Product Counseling

  • Counsel new AI features before launch—what the model does, what data it touches.
  • Pressure-test scoring, ranking, and filtering features against discrimination and privacy exposure.
  • Translate legal risk into product decisions your team can ship around.

Commercial & AI Contracts

  • Draft and negotiate AI vendor, MSA, and data-sharing agreements.
  • Scope the license to your content, training-data use, and data-retention terms.
  • Calibrate reps, warranties, and indemnities to your real risk—not a template's.

Privacy, IP & Regulatory

  • Privacy programs that fit your data flows and marketing stack.
  • Copyright and likeness strategy for AI inputs and outputs.
  • EU AI Act, GDPR, and U.S. state-law readiness for products placed on those markets.

Free resource · The 2026 Edition

The AI Governance & Contracting Playbook

A legal risk-management and contracting playbook for GCs and founders at AI-native and AI-enabled B2B SaaS and consumer-tech companies—now rewritten for a world where software no longer just recommends outputs but acts.

Ask one question of every AI agreement: who is acting? The further the answer moves from your team and toward the machine, the less your SaaS template protects you. The Playbook walks the full spectrum—SaaS → generative AI → AI agents → agentic AI—and gives you:

  • a practical method to identify AI use cases and map them by risk;
  • contracting for AI agents—limitation of liability, indemnification, and audit/logging, with model language;
  • governing agentic AI—human-over-the-loop, coded boundaries, and audit rights that survive an incident;
  • contracting around the Model Context Protocol (MCP) and connected tools—scope, supply chain, and injection risk;
  • free, updated templates: an acceptable-use policy and a vendor-agreement playbook.

This guide is for general information only and is not legal advice.

Get the Playbook →

In the press

Quoted on AI, copyright, and privacy law

Reporters covering AI, copyright, and privacy regularly call on our founder, Yelena Ambartsumian, for analysis. A selection is below; the full record of our press is collected in one place.

The New York Times
April 2026 · Copyright
"All of the resources you put into being able to protect your copyrightable human expression—does it really matter if in a second or two hours that expression can be copied and then changed?"
Read at NYT →
Bloomberg Law
September 2025 · AI Litigation
On Disney and Universal v. Midjourney: filtering technology that blocks "adult content" could just as readily enforce copyrights—moving the company closer to Sony's legal VCR and further from Grokster.
Read at Bloomberg Law →
Forbes
May 2025 · Copyright Office
"The Copyright Office outright rejected the most common argument that big tech companies make. But paradoxically, it suggested the larger and more diverse a training set, the more likely the use is transformative. That seems to invite more copying, not less."
Read at Forbes →
Built In
April 2026 · Privacy & Wearables
"Nothing has changed with respect to privacy law that would bless this. Even if only people who opted into 'Name Tag' can be identified, that does not solve the problem of having to collect and process data to determine whether a person has opted in."
Read at Built In →
Reader's Digest
January 2026 · Biometric Privacy
"The most stringent laws on the collection and processing of biometric data are in Illinois and Texas, as well as in Portland, Oregon—the latter of which bans facial-recognition technology by private entities in places of public accommodation."
Read at Reader's Digest →
Financial Planning
October 2025 · GLBA
"Financial advisers may not realize it, but when they share their customers' information with a generative-AI tool, they are in fact sharing that information with a third party."
Read at Financial Planning →
Investopedia
June 2025 · EU AI Act
"U.S. companies must ensure their AI systems meet the EU's transparency and documentation standards, including detailed technical documentation and proper human oversight. Failure to comply could result in penalties, market restrictions, and reputational damage."
Read at Investopedia →
Law360 Pulse
May 2026 · Legal Tech
"Now a small law firm, if it has someone who's even maybe a little bit tech savvy, can essentially create the same thing that the big law firms are billing for."
Read at Law360 →
Reworked
July 2025 · Enterprise AI
"Companies in highly regulated industries are expecting to run local versions of foundation models. If they can't, they are very selective about data minimization, and they're deploying auditing tools to confirm compliance regardless of vendor promises."
Read at Reworked →

See the full press record →

Thought leadership & teaching

We write and teach the law we practice

Harvard International Law Journal

"Why the Obsession with Human Creativity? A Comparative Analysis on Copyright Registration of AI-Generated Works"—a comparative look at the human-authorship requirement across the United States, EU, UK, China, and Japan.

Read the article →
Women in AI · Legal Insights

"Is it Too Late to Govern Agentic AI? Best Practices to Mitigate Risk and Leverage Benefits"—concrete governance, privacy, and safety practices for autonomous, multi-agent AI systems.

Read the article →
IAPP

"Even exempt organizations need to be data mapping: Here's why"—why data mapping matters even when a legal regime would otherwise exempt you. Authored by our associate, Maria Cannon.

Read the article →
LexVid · CLE Faculty

Our founder received LexVid's 2025 Excellence in Legal Instruction Award for the on-demand series "Generative AI and Copyright"—courses on copyrightability of outputs and copyright infringement, with 2,300+ combined views.

See the award →

Frequently asked questions

AI governance, answered plainly

What is AI governance, and how is it different from "AI compliance"?

AI governance is the practice of mapping the laws and risks that apply to a specific AI use case and building a workable approach across your product, engineering, and legal teams. "Compliance" tends to mean a checklist against a single named law. Governance is broader: it asks what your product actually does—what it scores, ranks, filters, or generates—and then evaluates every law that touches that conduct, new and old. Done right, it is practical, not performative.

Do I need to worry about new AI laws, or do existing laws already apply to my product?

Both—and the existing ones are often the bigger exposure. We call them legacy laws: statutes that predate AI by decades, with a developed body of case law, that apply directly to what your product does. In Mobley v. Workday, an AI hiring tool was sued under the Age Discrimination in Employment Act of 1967, not under any AI-specific statute; the Court certified a class. If your product scores, ranks, or filters people, a legacy anti-discrimination statute may apply—the ADEA for age in hiring, the Fair Housing Act for housing, the Equal Credit Opportunity Act for credit—alongside privacy laws like BIPA, GLBA, and COPPA, before you ever reach the headline AI regulations.

We use AI vendors. What should our contracts actually cover?

Start by treating your data as more than one thing. In a generative-AI deal, your content can appear as input, output, training data, synthetic data, and observation data—and the vendor often wants a license to all of it. So scrutinize three things. First, the license to your inputs and prompts: you should retain ownership, and a license for the vendor to host and process your content is fine if it is bounded to operating the service and under your control—but a perpetual, transferable, sublicensable license to "fully exploit" your content to train the vendor's models, even after termination, is not. Second, data retention: the vendor should delete or return your data after termination, and watch the word "aggregated," which is not the same as "de-identified" or "anonymized." Third, third-party sharing—error reports and "report a problem" buttons quietly route your prompts to third parties, even on enterprise plans. Beyond the vendor's terms, your own customer contracts make reps and warranties about your tool and may indemnify customers against third-party suits like Mobley—so the contract has to follow from your real risk taxonomy, not a template. We cover this provision-by-provision in the AI Contracting Playbook.

Our product uses AI agents or MCP. How is contracting different from a SaaS deal?

Ask one question of every AI agreement: who is acting? A SaaS contract assumes the software runs and a human acts, so it measures uptime and SLAs. A generative-AI product produces and a human reviews—so the contract has to address data licensing and variance. An agent acts and a human supervises; agentic AI pursues its own goals. As you move up that spectrum, three provisions have to be rewritten rather than expanded: limitation of liability, indemnification (keyed to "misuse," not "use"), and a defined scope of authorized actions—plus audit rights and logging that survive an incident. The Model Context Protocol adds scope, supply-chain, and prompt-injection risk to manage. Our 2026 Playbook covers each with model language.

Are the outputs of generative AI protected by copyright?

Generally, no—not the raw output alone. U.S. copyright law requires human authorship: a person must be responsible for the creative expression. The U.S. Copyright Office has refused or limited registration for purely AI-generated works (see Zarya of the Dawn and the Théâtre D'opéra Spatial decisions), and the courts have agreed (Thaler v. Perlmutter). Where a human meaningfully selects, arranges, or modifies AI-generated material, some protection may attach to those human contributions. We walk clients through where the line sits for their specific workflow.

Can we train an AI model on copyrighted data?

It depends, and the law is unsettled. In Bartz v. Anthropic and Kadrey v. Meta, judges in the Northern District of California found certain training uses "transformative" and therefore fair use—but those rulings are narrow, and Bartz drew a hard line at the pirated libraries the defendant downloaded and retained. Anthropic later agreed to a proposed $1.5 billion settlement over those works. Training on data you do not have rights to is a live litigation risk; we help you assess provenance, licensing, and the safeguards to put in place before deployment.

We're a U.S. company. Does the EU AI Act apply to us?

It can. The EU AI Act reaches providers and deployers placing AI systems on the EU market, regardless of where the company sits. Obligations for general-purpose AI models carried a compliance deadline of August 2, 2025, covering transparency, technical documentation, and copyright requirements such as publishing a training-content summary. If you sell into or deploy in the EU, we assess which obligations attach and on what timeline.

How is this different from your Fractional GC program?

The work overlaps; the structure differs. This practice covers discrete, project-based AI governance, product counseling, and contracting engagements. Our Fractional GC program embeds that same support on a predictable monthly plan, so legal becomes a continuous strategic lever rather than a one-off memo. If you are not sure which fits, the fit call will tell you.

How do we start working with you?

Book a 20-minute fit call or e-mail info@ambartlaw.com. We will learn about your company, your use cases, and your governance needs, and then recommend a plan to move forward—or tell you if we are not the right fit.

Reach out

Let's pressure-test your AI roadmap

In a 20-minute fit call, we'll assess where you are, identify where governance and contracting create the most leverage, and recommend a plan.


AMBART LAW PLLC

387 Park Avenue South, 5th Floor, New York, NY 10016 · info@ambartlaw.com

Attorney Advertising. This page is for general information only and does not constitute legal advice, nor does it create an attorney-client relationship. Prior results do not guarantee a similar outcome. Yelena Ambartsumian, AMBART LAW PLLC, New York, NY.