Before You Vibe Code, Read This Startup Founder's Guide To IP And Security Risks

AI coding agents are fast, but can increase your chances of exposure. Experts from Ballard Spahr offer tips to protect your company before you ship.

AI coding agents have advanced rapidly, enabling startups to generate wireframes, prototypes and even fully functioning applications with much less time and effort than ever before. Even founders with zero coding experience can build functioning applications within a few minutes. 

But speed can come with hidden exposure.

While these off-the-shelf tools can be extremely useful, they present unique legal risks that founders should understand before diving in.

Depending on how you use a coding agent (and what you share with it), you can face liability around intellectual property, confidentiality, open source and cybersecurity. And these issues might not show up until fundraising diligence, a potential client’s security review or an acquisition process. Here are some tips to keep in mind.

Please note: This article focuses on generic, off-the-shelf coding agents and does not address enterprise-level tools.

Protect your IP and trade secrets

Most software companies rely on copyright and trade secret protection to defend proprietary software. AI-generated code can complicate both.

Copyright protection for AI-generated works is an unsettled area of the law. Although AI-generated works are not automatically rendered uncopyrightable, the use of AI raises a risk that some of a startup’s proprietary software could fall outside copyright protection. The US Copyright Office has determined that the mere selection of prompts does not by itself yield a copyrightable work. Additionally, applicants must disclose to the Copyright Office if a work contains more than a negligible amount of AI-generated material. If software is entirely created by an AI coding agent without original human authorship, the Copyright Office may determine it is not copyrightable. 

Trade secret protection is also challenged here. Defined as economically valuable information that is not generally known and has been subject to reasonable efforts to be kept that way, trade secret protection relies heavily on maintaining the confidentiality (secrecy) of that information. (For example, the formula for the Coca Cola recipe.) Using an AI coding agent can introduce a risk of disclosure to third parties — namely, the provider of the coding agent — that undermines the foundations of maintaining a trade secret. 

To safeguard against this, founders and developers should review the terms of service of any AI system to understand what rights the provider has to use your prompts and output code to train its models or serve other customers. If there are broad rights in the terms of service to share or use output code, trade secrets coded with the applicable AI system could be compromised from a trade secret or merely from a confidentiality perspective, undermining trade secret rights.

Patent protection for software might also be available, but few startups pursue it given the expense of patent prosecution and the requirements to show a novel, non-obvious and useful technical improvement. Code, algorithms and abstract ideas alone are not sufficient to receive patent protection for software inventions. 

Mitigate employment IP risks

The intellectual property protections above matter only if your business owns the IP in the first place. Every employee and independent contractor who interacts with your company’s material intellectual property should have an agreement in place that assigns their IP rights to your company. Without an agreement, an employee or contractor may own important IP, which can reduce company value and create risk during diligence.

AI coding agents can make this issue easier to miss. Employees or contractors could unknowingly create material IP that your company relies on. During due diligence, investors and buyers commonly ask for evidence that every employee and contractor signed proper invention assignment agreements. Many startups discover that some personnel, especially those not traditionally involved in product development, never signed such agreements. With powerful coding agents, even someone in a minimal role could create material IP without proper invention assignment protections. 

In general, startups should ensure all personnel sign appropriate invention assignment agreements, and the use of coding agents makes the need for proper documentation even more important.

Manage open source risk

Any company that deploys software faces open source risk, and AI coding tools can accentuate it. Open source software is often publicly available and subject to license terms that can impose real obligations. For example, open source licenses may limit modifications or commercial use, require attribution to the original developer, or, in the event of a “copyleft” license, require disclosure of software used in connection with the open source software. 

AI-generated software may inadvertently copy open source code in violation of the license terms, since publicly available open source tools may be common training data. Without running an open source scan such as a Black Duck report, which can be time-consuming and expensive, a startup may have no way of knowing if its software violates an open source license. 

If an open source software risk is discovered later, it could lead to unexpected costs to rewrite the proprietary software to remove the open source components or, in the worst case, require the disclosure of the startup’s proprietary software.

Originally published by Technical.ly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.