
HR must have a say in AI policy to forestall legal risks

In this Q&A, employment attorney Deepa Menon explains the legal risks of using AI for workforce decisions and why lawyers, HR and IT must agree on a framework before implementing AI.

ORLANDO, Fla. -- The legal risks of using AI in HR processes, such as bias in hiring, performance management and promotions, are well known. But organizations face a bewildering array of other risks from AI, from data privacy litigation to loss of trade secrets and contractor disputes. Regulatory environments are numerous, vary widely by jurisdiction and change often.

Attorney Deepa Menon helps organizations and their HR departments understand the nuances of the legal risks they face when applying AI to their workforces. While many problems predate AI and tread familiar legal territory, the technology adds new complications with which most organizations are unfamiliar.

Menon is a partner based in the Washington, D.C. office of Eversheds Sutherland, a global law firm. She was interviewed right after giving a presentation on the topic at the 2026 annual meeting of the Society for Human Resource Management (SHRM). The interview was edited for length and clarity.


Why are the legal risks of AI so important right now?

Deepa Menon: In the United States, it is very important for multiple reasons. One is that we have a patchwork of laws. AI implicates so many different laws on so many fronts, each of which has a patchwork of laws associated with it. The compliance framework gets that much more complicated. The second reason is the kind of litigation risk we're seeing with AI. The minute you've removed the human component, there is more of a litigation risk. It raises the bar because trying to defend something that runs in an automated way is definitely harder than defending something where human beings are involved and specific directives are being given and risk assessments are done.

Can you summarize the risks?

Menon: When you think about AI and HR, the first risk is that of litigation -- claims based on bias or discrimination: This tool has an inherent bias, it was deployed and therefore I was adversely impacted because it had nothing to do with my qualifications or objective criteria that could have been at play.

The second risk is to a company's information. We live in a time where more AI tools are accessible, so if the enterprise doesn't have its own AI tool, employees are likely to use public tools. That means potential leakage of confidential information or trade secrets. AI models are often trained using data, and if you're using my company's data to train another company's model, there's potential leakage. This happened. We saw this with the Samsung case where an engineer put some code into a public GPT platform.

Companies are afraid their data is being used to train other models. Is data getting mixed up, or are vendors able to keep it separate? How does the company know the data is being kept separate?

There is also intellectual property risk. If companies are developing their own AI models and bringing contractors in, it accelerates the risk. What if a contractor's data is being used to train the AI model? Does the contractor now have rights to the model itself? Can they say their data was used to train this model, and therefore they have IP rights over it?

Lack of documentation then becomes a real risk, whether it's lack of contract documentation or policies that clearly tell employees how to use AI.

In your presentation, you called HR leaders' attention to a huge number of risks. Is it possible to name two or three to tackle first?

Menon: The thing that makes this a little complicated is it could be sector specific: small company versus big company versus nonprofit versus publicly traded company versus which sector they sit in and the kind of data they tend to deal with.

That said, the first risk to look out for is any automated system that completely removes the human component. You want to ensure there is a human component in there somewhere, because that will be your biggest defense if there is a claim.

Second is the risk that HR is simply not involved when an HR AI tool is adopted. We have seen that go south very quickly because of tech innovation that doesn't take into consideration the real-world implications of deployment in their workforce, and the communication, disclosures and compliance that have to go with it. We've generally seen companies run into major challenges when HR was not in the room. 

This is one place where legal counsel and HR have to work together. There are so many legal ramifications to every AI rollout. It could look like it's just an employment issue, but there could be an IP issue or unfair trade practice issue behind it. There could be so many other implications because the data that's being used and the far-reaching impact of the AI output could go beyond just the contours of employment.

Given the patchwork of regulations at the U.S. federal, state and even city level, plus in other countries, should organizations take a wait-and-see approach? For example, in the federal government, there's been a lot of back and forth and a lot of question marks.

Menon: Two things. One, this is not an area where you want to be a trailblazer and the first to have implemented something. The second is that 100% compliance with every single global AI and privacy law is impossible. It's true of GDPR and U.S. laws. You can only do so much. You have to pick the big battles and comply with specific pieces to the greatest extent you can.

There are upsides and downsides to the wait-and-see approach. Where you have an unsettled area of law, you probably want to see how things go before you pour a lot of money into AI implementation. That said, the risk -- and this is especially true in the U.S. -- is if there is an impact on the employee, it could be fodder for litigation.

It's almost a risk-benefit analysis. I've had companies say there's a DSAR [Data Subject Access Request] in California and we know this employee is going to sue us. Do we comply with CCPA [California Consumer Privacy Act] or give this person free discovery? Which penalty is greater?

There is a constant risk-benefit analysis of whether to comply and make immediate disclosures. Or do you limit your disclosure and wait and see how much disclosure will be required in the particular jurisdiction? There are risks associated with over-disclosure and under-disclosure.

HR historically has been reactive to AI and blocked things IT wanted to do because they were too risky. You say HR's role has drastically changed and should change, and the new model is for HR to work with legal counsel and IT to create a framework before implementing anything.

Menon: When new technology comes out, you're going to have either joy or disgruntlement in how employees react to it. We often forget when we do AI rollouts, especially in the workforce, that these are people, and people have people reactions to things.


HR is the first line of defense for a company when there are people reactions. HR must be able to explain why, but also how a tool works and what the benefit is. HR must first be convinced that a tool is important. It's a human trait to have to understand the technology and be convinced about it before you can defend it in front of an employee. When HR is not in the room when these workforce AI tools are being adopted, it is put at a disadvantage because the line of communication with employees is impacted.

It especially becomes an issue with a global rollout because we don't live in a world where people are siloed by jurisdiction. Organizations have to realize that they have cross-border sharing of information between employees on what tools are being deployed and their impact.

Your presentation mentioned reductions in force (RIFs) and the Worker Adjustment and Retraining Notification (WARN) notices companies must give about layoffs. Legal issues aside for the moment, what is the role of HR in helping employees with their fears about job loss? Part of their role is to train people to use AI and help them move into roles that AI could free them to do. At the same time, HR is the people you never want to see in the room when a big, unexpected meeting is called. HR is in all sorts of difficult positions here.

Menon: With most of the job loss or reskilling issues it comes down to one single factor: trust. Do they trust the company? It's not very different from when you have an investigation and ask an employee if you can have their phone for forensic investigation. If trust exists, the employee will say take my phone; I know you're not going to do anything with it.

When there's an AI tool rollout, if trust exists, there is less concern among employees because there is an innate understanding the company is trying to make things better for them. Often, when employees raise concerns, it's because that underlying trust is already fractured. It could come down to things like whether pay equity exists in the company and decisions are fair and objective, or whether there is a clear path to employment decision making and the complaint process is clear.

If there's an issue with AI, it tells you there is a cumulative trust deficit. When companies are able to work on the trust deficit, we see these issues start to reduce.

Bringing legalities back in, if employees suspect layoffs are AI-driven, what are the potential legal issues?

Menon: It's less of a problem when you have a whole plant closing, but if you have selective mass layoffs and AI has been deployed, you have clear litigation risk because the question is whether the AI tool is somehow selecting or not selecting people in a protected category.

How about when certain tasks or jobs were clearly automated with AI? Are there legal implications if employees suspect they were replaced with AI?

Menon: Say there are two departments that do similar things, and AI is only deployed in one department that just happens to have more women. They might ask: Why did you deploy it here and choose us for termination?

It's case by case. Anything could be a litigation risk if it's not implemented uniformly.

Care to make any predictions about where this is going at the federal level?

Menon: I think we're going to see more of a hands-off approach. That said, the Title VII protections against discrimination continue to exist. Say there's an AI tool that scrapes the internet for background information and gives you all the things an individual has done or pulls all their social media. There's a huge question whether that is a background check bound by the FCRA [Fair Credit Reporting Act]. At the federal level, they've said they're probably not going to pursue it, but there is litigation being advanced based on that exact same theory.

The federal government has always stepped away from privacy law, and not just this administration. We've always kind of left it to the states to regulate. Pending state legislation is on a huge uptick. While the federal piece might not exist, companies will essentially end up in the same place if the litigation risk and state privacy statutes continue the way they have.

David Essex is an industry editor who creates in-depth content on enterprise applications, emerging technology and market trends for several Informa TechTarget websites.
