Due Diligence in the Age of AI: New Risks for Business
The conduct of Due Diligence is evolving today: in addition to performing a comprehensive audit, attention must be paid to the Due Diligence of business processes. This is a living mechanism that enables ongoing reviews of a company’s operational workflows to prevent financial and reputational losses.
In this article, we will discuss the Due Diligence of artificial intelligence, which is already embedded in nearly every business or actively used by company employees in their day-to-day work.
While AI helps to automate many processes, it can also introduce risks that businesses must be prepared for—from leaks of confidential information via generative AI services to reputational threats posed by deepfake technologies. We will focus on the practical aspects of identifying such risks during AI Due Diligence: what to watch for and how to respond.
AI & Data Confidentiality Risks in Business Models
With the integration of generative AI models (such as ChatGPT, Copilot, Claude, Gemini, Midjourney, DeepSeek, and others) into companies’ daily operations, a new layer of risks emerges.
It is crucial to pay attention to prompt leakage—situations in which employees, using public AI services, inadvertently share confidential or commercial information with the system, which may later become accessible to external users.
To prevent the loss of personal data, strategic plans, and proprietary information, companies should implement the following measures:
- If AI tools are to be used on an ongoing basis by employees, start by setting up an in-house, closed-access system. Store all data on dedicated on-premises or securely rented servers, or in trusted cloud environments. Only after this foundation is in place should you develop or deploy your own AI models for staff use.
- Implement the new policies within the company. Institute clear rules forbidding the upload of any documents that may contain confidential or commercial information to public AI services.
- Provide employees with instructions explaining the risks of prompt leakage and the potential penalties for violating the new policies.
- Update NDAs to cover AI interactions. Amend existing non-disclosure agreements to explicitly address the handling of confidential information when interacting with AI systems.
- Designate a responsible individual—such as an IT manager/AI-officer or in-house counsel—to oversee AI policy compliance and governance.
Below are a few illustrative cases that led to significant financial and reputational losses.
Samsung: Leakage of Internal Information via ChatGPT
Case summary: In 2023, Samsung employees unintentionally transmitted the company’s confidential data to ChatGPT on three occasions in one month. The data shared included fragments of source code, notes from internal meetings, and technical information about equipment. These actions occurred while using ChatGPT to solve work-related tasks.
Consequences: Samsung banned the use of public generative AI services for employees. The company began developing its own internal AI solution to prevent similar incidents in the future.
OpenAI: ChatGPT User Data Leak
Case summary: In March 2023, due to a bug in ChatGPT, some users were able to see the chat titles and portions of personal information belonging to other users. The leak included names, email addresses, payment information, and chat histories. OpenAI temporarily disabled ChatGPT to fix the issue.
Consequences: The incident raised concerns about data security in AI services. OpenAI strengthened its security measures and improved its user data handling processes.
DeepSeek: Transmission of User Data Without Consent
Case summary: In 2025, South Korea’s regulator discovered that the Chinese AI start-up DeepSeek had been transmitting users’ personal information—including prompts and technical metadata—to companies in China and the United States without proper consent. The data transmitted included the content of prompts, device information, network details, and application data. Following the findings, South Korea suspended new downloads of the DeepSeek app.
Consequences: DeepSeek ceased transmitting prompt content as of 2025. The regulator recommended that the company delete previously transmitted data and establish a legal basis for any future international data transfers.
General Findings: Studies have shown that employees often input confidential information into ChatGPT, which can lead to data leaks. According to Cyberhaven research, 11% of the data entered into ChatGPT by employees is confidential.
Before defining the scope of the audit, it is worth beginning with the identification of AI usage in business processes. First and foremost, you must check whether AI is being used for:
- Marketing and content — is content (posts, texts, banners, SEO materials) being created using ChatGPT, Jasper, Midjourney, etc.?
- HR — is candidate screening or initial resume evaluation being carried out using AI solutions?
- Legal support — is AI used to generate documents, contract templates, or memoranda?
- Software development — do engineers use GitHub Copilot or similar tools that can automatically generate code?
- Internal communications — are AI-bots used to respond to employee or client inquiries?
- Accounting, CFO — is AI used for calculations or to provide financial analyses?
- Other structural units/departments, depending on the company’s industry.
Next, begin assessing the presence of risks in order to subsequently minimize them.
Review of AI Model Documentation
For a closed (in-house) system, check the following: How and where are the algorithms stored (own server, cloud)? What security measures do these solutions have, and what is their reputation? Who has access? If the server is your own, establish clearly in whose name the ownership right is registered and who has the right to manage and access it. It is recommended that at least two people hold these rights. A similar procedure is recommended when storing information in the cloud.
Public AI models:
Who uses them, what data is uploaded, is there any personal/confidential information?
Legal Status and Intellectual Property Rights (who owns the code and the data)
Ownership of the AI system’s source code should be reviewed: Does the company fully own the rights to the code? Are there contractual relationships with the developers and rights to transfer intellectual property?
Ownership of the data: Who owns the data used for training? What agreements have been concluded regarding the use of this data?
Backup Copies
Even a well-protected system can fail due to hardware malfunction or a hacker attack. Therefore, it is necessary to keep backup copies of your models and data. Check exactly where the backups will be stored, how often copies are made, and who has access.
It is better to keep copies in two locations at once (for example, on two different servers or in different clouds). If one location becomes “white noise,” you can instantly switch to the other and minimize downtime.
Personal Data
Be attentive if employees use AI for processing/storing personal data. In the event of a violation of personal data usage rules, the company may incur both reputational and financial losses.
Case: Blocking of ChatGPT in Italy
In 2023, the Italian regulator stopped ChatGPT’s operation because it found that the service stores and processes personal data without sufficient consent. This led to the platform being temporarily unavailable in Italy and additional reviews by OpenAI.
Fine and Further Consequences
In December 2024, the Garante (Italian Data Protection Authority) imposed a fine of €15 million on OpenAI for violating personal data processing rules. In addition, the company was required to conduct a six-month information campaign in Italy regarding the collection and use of data in ChatGPT.
For many businesses, this became a lesson: even global products can be blocked in a single country. Check your AI processes for compliance with local regulations before they lead to fines or bans.
Reputational Risk and Crisis Management
Media and Social Media Monitoring
Create a simple alert system: check leading media and social networks once a week for mentions of your brand alongside “AI,” “leak,” or “error.”
This way, you will identify negative trends at an early stage and can react quickly—issue a press release, clarification, or apology. Do not wait for outraged customers to start posting harsh comments.
Ethical Aspects Assessment (Amazon Monitoring)
Even if an AI system operates without technical failures, it can damage the company’s reputation through ethical missteps. For example, Amazon faced criticism for monitoring warehouse employees, which created tension in the media.
Assess what ethical questions your AI systems may raise: employee surveillance, use of video and audio data, discrimination. Involve HR and PR departments in this assessment, as their perspective will help to avoid conflicts.
Development of a PR Strategy in Case of a Scandal
Every company must have a “Plan B” in case of bad news. This can be a short press release template, prepared key messages, and contact information of responsible persons.
In a crisis situation, fast and transparent communication often saves reputation: public acknowledgment of the issue, explanation of causes, and specific steps to address it—all of this helps reduce damage and restore customer trust.
Above, we reviewed a list of elements that can be part of an AI audit of a company’s operations. Of course, depending on the request and its specifics, the components can and should change.
Creation of a Simplified Review System
Important! If you do not have the ability to deploy secure environments for AI models, we would suggest creating a system of filters or a risk matrix.
Creating filters or a risk matrix can consist of the following steps:
- Structure the information with a list of departments or employees and the information and documents they work with.
- Classify documents and information by type and mark them with different levels of risk.
- Identify what categorically cannot be used in public AI models.
- Organize information and documents by category. For example: information related to government contracts, information subject to client NDAs, confidential agreements, documents containing personal data.
- Extract risky information and documents into a separate list and create an obligation for employees not to upload them to public AI models.
- Amend internal policies and NDAs. Re-sign the documents, and also explain the new rules to employees.
These recommendations are general. When conducting a review, it is recommended to create a roadmap that fits the current business model, number of employees, and other factors. Conducting an audit will enable you to manage risks rather than merely mitigating consequences.
Eleonora Yemets
Counsel, Attorney, Head of White-Collar Crime Practice, ADER HABER
Eleonora Yemets specializes in the protection of businesses in criminal proceedings involving economic and international criminal offenses.
Her expertise covers fraud investigations, money laundering, illicit enrichment, misappropriation and theft of assets, tax evasion, fictitious bankruptcy, abuse of power, political persecution of public figures, and legal representation of victims in cases involving grievous bodily harm and homicide.
As part of her white-collar crime practice, Eleonora effectively represents corporate clients in criminal proceedings, aiming to minimize legal risks and mitigate potential negative consequences.
Under her leadership, ADER HABER’s White-Collar Crime team has developed significant expertise in working with Interpol. The firm assists clients at all stages—from the removal of Interpol red notices to active participation in extradition procedures, including appeals against extradition arrests and release from custody.
Eleonora Yemets has been recognized by The Legal 500 as a Next Generation Partner in White-Collar Crime and is also listed among The Legal 500 Leading Individuals in the Private Client practice.
She serves as the First Deputy Chairperson of the Coordinating Council of Young Lawyers under the Ministry of Justice of Ukraine, and is a member of ASIS International and the International Compliance Association.

Address:
7 Klovsky Uzviz, 14th Floor,
Business Center Carnegie Center,
Kyiv, 01021, Ukraine
Tel: +380 44 280 88 87
E-mail: office@aderhaber.com
Web-site: www.aderhaber.com
ADER HABER is a recognized leader in the provision of comprehensive legal services in Ukraine and is in the TOP 4 leading law firms in Ukraine.
We confidently take a leadership role in business protection, GR, commercial and administrative law, bankruptcy, real estate, construction, land, retail, energy & natural resources, corporate and M&A, WCC, labor law, private clients, tax controversy and litigation practice.
Our team has both legal knowledge and experience, as well as industrial insight. This allows us to take into account forecasts, trends and possible risks of the industry, in which the client works, at all stages of project planning and implementation.
Our services are based on the three basic needs of each business: the creation of a business and the launch of operational processes, the development and reliable operation of the company’s system, and risk management.
We focus on spheres that form the country’s economic stability: industry, agriculture, service sector, wholesale and retail trade.
We have 20 years of successful work with foreign and local corporations, governments, state-owned companies, and public sector organizations, investors, banking institutions and private clients.
ADER HABER lawyers represent the interests of flagships of the national economy and international companies in national courts and international arbitration. We manage real estate portfolios of national and international brands.
Our experts advise on tax risks and protect the interests of large businesses in tax disputes. We provide comprehensive legal assistance to banks, financial institutions and investors.
In addition to the services covered by our practices and specialization, we provide advice on issues that have become relevant due to the armed aggression of the Russian Federation: business relocation, protection and return of assets, restructuring of credit obligations, taxation and insurance during martial law, issues of labor law, mobilization, migration.
Additionally, ADER HABER lawyers conduct analytical and practical work on issues of business functioning in force majeure circumstances and reconstruction of Ukraine after the war.