Loose Lips, Large Language Models: What Your NDA is Missing in the Age of AI

The dealmaking world runs on confidentiality. Whether you are executing a billion-dollar acquisition, negotiating a commercial lease for a flagship property, or structuring a joint venture, the non-disclosure agreement (NDA) sits at the foundation of nearly every transaction. It is the first document signed and the last one anyone revisits – until something goes wrong. Today, a vulnerability is emerging that most NDAs do not adequately cover, and that dealmakers have not fully considered.

AI Has Entered the Deal Room

Across every deal-intensive industry, professionals have embraced generative AI tools with remarkable speed. Associates use large language models to summarize due diligence materials. Analysts feed financial projections into AI-powered platforms to stress-test assumptions. Brokers ask chatbots to draft lease abstracts or compare comparable sales data. Tools like ChatGPT, Microsoft Copilot, and Google Gemini have become as routine as email in many professional workflows.

The productivity gains are real. However, the risks are substantial, and most organizations have not accounted for them in the agreement intended to protect sensitive data.

The Hidden NDA Gap

The vast majority of NDAs in circulation today were drafted before generative AI entered the mainstream. Their confidentiality obligations typically restrict disclosure to “third parties” or limit use to a defined “purpose.” These agreements are written with human recipients in mind—employees, advisors, affiliates—and sometimes require that those recipients be bound by obligations of confidentiality.

What they do not address is the involvement of machines. When a professional inputs deal-sensitive information into an AI tool, that information leaves the organization’s control and enters a third-party system.

Even if an NDA is silent on AI, this act may constitute a breach. The information is shared outside the circle of permitted recipients, transmitted to infrastructure owned and operated by a technology company, and becomes subject to that company’s terms of service, which the disclosing party never agreed to.

Silence in an NDA does not resolve the issue. It introduces uncertainty that neither party should be comfortable with.

The Training Data Problem

The risk increases significantly with AI models that train on user inputs. When confidential information is entered into such a system, it does not simply disappear after a response is generated. It may be retained in logs, incorporated into the model’s training data, and, in the most concerning scenarios, could be revealed in responses to unrelated users.

Consider the implications in an M&A context. If a buyer’s advisor inputs target company financials into a consumer-grade AI tool to generate a summary, that data could theoretically influence the model’s future outputs, making proprietary information accessible to competitors, counterparties, or the public. In this situation, the receiving party has not only breached its confidentiality obligations but has also created an exposure that is effectively irreversible. Once a model is trained on confidential data, it cannot be “untrained.”

The Rise of AI-Specific NDA Provisions

Proactive organizations and their counsel have begun responding to this gap. A new generation of NDA provisions is emerging, designed specifically to address AI-related disclosure risks. These provisions typically include one or more of the following:

• Express prohibitions on inputting confidential information into any AI tool, whether or not the tool trains on user inputs. This is the most protective approach and eliminates ambiguity entirely.

• Expanded definitions of disclosure that expressly encompass submission of information to automated systems, machine learning models, or AI-powered platforms, ensuring in each case that AI use is captured regardless of how the underlying technology is characterized.

• Permitted use carve-outs for enterprise-grade AI tools that maintain strict data isolation, disable training on user inputs, and comply with specified security standards. These provisions allow parties to benefit from AI productivity without assuming uncontrolled risk.

• Representations regarding internal AI policies, requiring the receiving party to confirm that it maintains organizational controls governing employee use of AI tools in connection with confidential information.

These provisions are no longer aspirational. They are becoming standard in sophisticated transactions, and parties that fail to include them are accepting risk by omission.

Practical Steps for Businesses

Organizations that regularly handle confidential information under NDAs should take immediate action on several fronts. First, audit your existing NDA portfolio. Identify agreements that are silent on AI use and assess whether current employee practices create exposure under those agreements. Second, update your standard-form NDA templates to include AI-specific provisions appropriate to your risk tolerance and industry. Third, train your people. Employees and advisors need to understand that entering confidential information into an AI tool may breach obligations they have assumed on the organization’s behalf. Finally, align your internal AI governance policies with your NDA obligations. An AI acceptable-use policy that permits broad use of consumer tools is in direct tension with confidentiality commitments that prohibit third-party disclosure.

Looking Ahead

AI capabilities will continue to advance, and the ways professionals use these tools will only expand. The NDA (a document that has remained largely static for decades) must evolve in step. Business leaders who engage legal counsel to proactively address the intersection of technology and confidentiality will be best positioned to protect their organizations. Waiting until a breach occurs to involve counsel means reacting to problems rather than preventing them (and often at a much higher cost). Proactive guidance ensures that your company stays ahead of evolving risks and maintains a strong, defensible position as technology continues to advance.

——————————————————————–

This DarrowEverett Insight should not be construed as legal advice or a legal opinion. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. Please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.