Artificial intelligence is often perceived as a tool for operational simplification. However, in the provision of services, AI does not reduce the liability of the company that uses or offers it: it expands its perimeter. Automating decisions, processes or assessments means introducing new sources of risk that must be governed on a technical, organizational and legal level.
From a legal point of view, responsibility cannot be “offloaded” on the algorithm. Even when the output is generated by an AI system, the responsibility remains with the entity that designs, trains, integrates or uses that system in the context of a service. This applies both in the contractual field (liability towards the customer) and in the regulatory and compliance areas.
A central point is the relationship between AI and the GDPR. Many AI systems process personal data during training, testing or operation. Even when data is pseudonymised, the risk of re-identification or indirect inference requires careful evaluation. In these cases, the following tools become essential:
- DPIA (Data Protection Impact Assessment)
- clear definition of roles (controller, processor, sub-processors)
- principles of data minimisation, purpose limitation and privacy by design
- traceability of automated decisions and the possibility of human intervention, where required by Art. 22 GDPR.
On an organizational level, the adoption of AI requires a structured mapping of internal risks and responsibilities. It is necessary to clarify:
- who is responsible for the governance of the model
- who validates and monitors outputs
- how errors, model drift and security incidents are handled
- what controls are in place on third-party technology providers and models.
AI, in fact, increases the attack surface: more data, more integrations, more technological dependencies. This is why it is essential that companies that offer AI-based services adopt an information security management system, such as that required by ISO/IEC 27001, and also extend it to AI-driven processes (logging, access control, incident management, supplier assessment).
Conclusion
Trakti’s approach is based precisely on this principle: AI is a technology to be governed, not a neutral element. Governance means integrating AI into a contractual, security and compliance framework, defining clear rules both internally and in relationships with customers and cloud providers or AI providers.
This also sends a clear message to end customers: choosing AI providers without certifications, security policies, and accountability exposes them to significant legal and operational risks. Innovation does not eliminate responsibility. It makes it more complex, more distributed and, precisely for this reason, more strategic to manage.
Would you like specific consulting on the legal implications of AI for your business?
