Legal and governance

When to consult a lawyer

This is not legal advice. It is a practical list of decision points where professional legal counsel is genuinely needed. See NOTICE.md.

Rule of thumb

If your AI product touches employment, money, health, minors, safety, or personal data at scale, consult a lawyer before significant deployment. The cost of a short legal engagement is small relative to the cost of getting it wrong.

A typical initial consultation with a technology or employment lawyer in the UK (2026) is GBP 250 to GBP 500 per hour. Two to four hours of focused review of your highest-risk use cases will probably prevent more cost than it creates.

Specific decision points

Before deploying AI into hiring or employment decisions

Why: most jurisdictions have specific rules here. UK Equality Act, US state laws (Illinois, New York, Colorado), EU AI Act high-risk classification. Penalties for getting it wrong are individual (tribunal) and collective (class action in the US).

What to ask: bias audit requirements, documentation obligations, candidate notification, right to human review.

Before AI touches credit, insurance, or regulated financial decisions

Why: regulated industry with strict consumer protection. FCA in the UK, equivalent regulators elsewhere.

What to ask: adviser qualifications required, liability for AI-driven recommendations, customer notification requirements, record-keeping obligations.

Before AI interacts with minors

Why: enhanced consent requirements, safeguarding obligations, age verification rules, jurisdictional variance.

What to ask: age verification standards for your jurisdictions, Ofcom guidance (UK), COPPA (US), specific protection frameworks.

Before AI handles health information

Why: HIPAA in the US, UK Data Protection Act, medical devices regulation, clinical governance.

What to ask: whether your AI is a medical device, data processor obligations, clinical oversight requirements.

Why: AI-generated contracts, decisions with property implications, content that creates obligations.

What to ask: attribution of legal effect, who is the legal author, enforceability, documentation requirements.

Before scale deployment in the EU

Why: EU AI Act full high-risk enforcement from 2 August 2026. Fines up to EUR 15m or 3% of global turnover.

What to ask: whether your system is high-risk under the Act, conformity assessment requirements, documentation, post-market monitoring.

Before you publish a study piece, position paper, or public stance

Why: the kind of thing you are reading now. Public positions can create liability.

What to ask: disclaimer sufficiency, licence implications, attribution requirements, jurisdictional exposure.

When a user reports harm

Why: even if you do not think you are liable, how you respond shapes what happens next. Early mishandling is expensive.

What to ask: appropriate response, disclosure requirements, insurance implications, reporting obligations.

When a regulator contacts you

Why: self-explanatory. Do not respond to a regulator without legal counsel if the matter is substantive.

When considering acquisition, investment, or IP transfer

Why: AI-related diligence is complex and evolving. Rights to training data, model outputs, user data, and derived works need explicit handling.

What you can handle without a lawyer

  • Using freely licensed open source tools appropriately
  • Standard privacy notices and terms of service for simple products (though qualified review is wise)
  • General staff training on responsible AI use
  • Applying public regulatory guidance to straightforward cases
  • Internal policy documents for your own team

What you should not try to handle without a lawyer

Anything on the "specific decision points" list above. Also:

  • Responding to a pre-action letter
  • Drafting material that will become contractual
  • Handling an employee grievance involving AI
  • Making public statements about AI-related incidents
  • Cross-border deployment where you do not know the rules

Who to consult

Different situations need different specialisation:

  • Technology and commercial lawyers for product and licensing questions
  • Employment lawyers for workforce integration questions
  • Data protection specialists for GDPR and privacy
  • Regulatory specialists for specific industries (FCA, MHRA, Ofcom, etc.)
  • Intellectual property specialists for training data and output rights

If you have a general commercial lawyer, they will often know who to refer you to. Ask for the referral rather than expecting one adviser to cover every specialism.

Not a substitute for reading

Lawyers advise on specific questions. They do not read the whole regulatory landscape for you. Reading the relevant regulatory guidance (we keep pointers in jurisdictional-landscape.md) is still your responsibility.

Final reminder

This file is not legal advice. It is a list of when to get legal advice. The distinction matters.