Updated July 2026 · Attorney-led AI governance

AI Governance for Businesses Deploying AI

I am Sergei Tokmakov, a California attorney. I build the legal layer companies need when AI enters the business: employee AI-use policies, customer-facing AI disclosures, AI vendor terms review, output-ownership terms, and training-data protections. Fixed written fees, no hourly surprises.

7+
Major AI vendor terms reviewed in depth
3
Governance pillars: staff, customers, vendors
$575
Flat fee per policy or vendor agreement
Sergei Tokmakov, Esq.
Sergei Tokmakov, Esq.
California attorney
CA Bar #279869 →
Pricing

Three tiers, from a written answer to the full governance stack

Every tier is a flat or written-quoted fee agreed before work starts. The confirmed payment buttons below are the only two live prices on this page; the comprehensive tier is intentionally quote-first.

Entry
Written Attorney Consultation
$240 flat
Send your AI question, a short factual summary, and the key document or vendor terms. Get a written attorney response.
  • Main legal issues identified
  • Risks and leverage points
  • Practical next steps
  • Async and in writing, no call required
Request the written consultation
Comprehensive · quoted in writing
AI Governance Package
~$2,500 scoped & quoted
The full stack for a business deploying AI across staff, customers, and vendors, delivered in a private interactive workroom.
  • Employee AI-use policy
  • Customer-facing AI terms + disclosures
  • Key AI vendor agreements reviewed
  • Output-ownership terms
  • Training-data and confidentiality protections
  • Workroom delivery with revision rounds
Request this package
Why the comprehensive tier has no payment button

The document count, vendor stack, and industry overlay vary too much between companies for one honest sticker price. I scope it from your intake, quote it in writing, and only then does anything get paid. Anything outside the written scope, for example a specialist regulatory question or an extra negotiated agreement, is a $240 written consultation or a re-quote agreed before any added work.

Not sure which tier fits? The $240 Written Attorney Consultation is the lower-friction entry point, and I will tell you in writing if the smaller tier is enough.

AI Legal Analyst

Ask my AI Legal Analyst about your AI governance stack?

Tap a question for an instant answer (no email needed), or describe how your company uses AI and the analyst routes you to the right next step. Answers draw on the employee-policy, disclosure, vendor-terms, output-ownership, and training-data material on this page.

Common AI governance questions, instant answers

Loading the AI Legal Analyst...
AI Governance Stack Scoper8 quick questions, then a likely document + review list. Informational, not legal advice.

Informational only, simplified scoping logic, not legal advice and not a scope of representation. A real matter is confirmed in writing.

Start here

What AI governance actually requires

Every section on this page is folded. Open only what you need. The short version is below; the detail is one click away.

Short answer

AI enters a business from three directions: the tools employees use, the AI the company exposes to customers, and the models and vendors the company buys. Each direction needs its own paper: an employee AI-use policy, customer-facing disclosures and terms, and reviewed vendor agreements. Sitting across all three are two recurring questions: who owns the output, and what happens to the data that goes in, including whether the vendor may train on it. I am Sergei Tokmakov, a California attorney (CA Bar #279869). I draft each of those documents at $575 flat, answer the threshold questions in a $240 written consultation, and build the full stack as a comprehensive package scoped and quoted in writing.

🧠 The 60-second overviewThree directions AI enters the business, and the documents that follow from each

Most companies do not adopt AI once; it seeps in. Staff quietly use consumer chatbots. Product adds an AI feature. Procurement signs an AI vendor's click-through terms. Each path carries its own legal exposure, and none of the three documents substitutes for the others.

1Employee AI-use policyControls what goes INTO third-party AI tools: approved tools, data rules, review duties.
2Customer-facing AI disclosures and termsControls what comes OUT to customers: disclosure, disclaimers, reliance limits.
3AI vendor agreements, reviewedControls the vendor relationship: training rights, retention, IP, indemnity, tier selection.
4Output-ownership termsWho owns AI-assisted work product, across vendor, employment, and customer contracts.
5Training-data and confidentiality protectionsNo-training clauses, retention limits, and privacy-law alignment for the data that flows in.

Who this page is for

  • Companies whose staff already use ChatGPT, Claude, Copilot, or similar tools, with or without permission.
  • Businesses shipping an AI feature or chatbot to customers.
  • Teams building on AI vendor APIs who need the vendor paper to hold up.
  • Agencies and creators commercializing AI-assisted output.
Create or redline one document · $575
Pillar 1 · Inside the company

Employee AI-use policy

The highest-frequency AI risk is not the model. It is an employee pasting something they should not into a consumer-tier chatbot. A written policy is how that stops being an unmanaged habit.

💼 What a working AI-use policy actually coversApproved tools, data rules, human review, disclosure, and IP hygiene
  • Approved tools and tiers. Which AI tools staff may use, and on which account tier. A business or enterprise tier with no-training commitments is a different risk animal than a personal free account.
  • Data classification rules. What may never be entered (trade secrets, customer personal data, credentials, privileged material), what may be entered only into approved tiers, and what is fair game.
  • Human review before reliance. AI output that reaches a customer, a regulator, code in production, or a legal document gets human review, with the reviewer accountable.
  • Internal disclosure. When AI-assisted work must be flagged internally so downstream users know what they are relying on.
  • IP hygiene. Rules for AI-generated code and content: license scanning, provenance notes, and not feeding third-party confidential material in.
  • Consequences and ownership. Who owns the policy, how exceptions are approved, and what happens on violation.
⚠️ Shadow AI is the default, not the exception
Surveys consistently find a large share of employees using AI tools without telling anyone. A ban usually drives use underground; a realistic policy with approved tools channels it. The policy is also where training-data risk (Pillar 5) gets operationalized: staff can only follow data rules that exist in writing.

Want a starting draft to react to? My free AI Usage Policy Generator assembles an educational first cut. The $575 engagement is where it becomes a policy drafted around your actual tools, tiers, and data.

Draft or redline my AI-use policy · $575
Pillar 2 · Facing customers

Customer-facing AI disclosures and terms

When your customers interact with AI you deploy, three questions follow: do you have to tell them, what must the fine print say, and what happens when the AI is wrong.

📢 Disclosure, disclaimers, and marketing claimsBot disclosure, output disclaimers, reliance limits, and AI-washing risk

Several states have enacted bot-disclosure and AI-specific statutes, consumer-protection regimes can treat undisclosed AI interactions or overstated AI capabilities as deceptive, and sector rules add their own overlays. Which statute reaches your deployment is fact-specific, and it is exactly the kind of question the written consultation resolves. Independent of any statute, three pieces of paper do most of the work:

  • The disclosure itself. A clear, timely statement that the customer is interacting with AI, placed where the interaction starts, not buried in the terms.
  • Output disclaimers and reliance limits in the ToS. AI output can be wrong; the terms should say so, define what the customer may rely on, and route disputes sensibly.
  • Marketing-claims discipline. Regulators have moved against companies whose AI claims outran the product. The claims review keeps the landing page honest against the architecture.
⚠ The chatbot that promises things
Courts and regulators have shown little sympathy for the argument that a company is not responsible for what its own customer-facing AI tells people. Treat chatbot output as company communication: scope what the bot may discuss, log it, and align the terms with reality.

Quick screen: do you likely need an AI disclosure?

1. Do customers or the public interact with your AI directly (chat, voice, generated content presented as a service)?
ⓘ Screening only
This tree is a starting point, not a determination. Whether a specific statute reaches your deployment depends on your users' states, your industry, and the feature's design, which I confirm with sources in an engagement.

Building platform terms for an AI product? The free AI Platform Terms of Use Generator gives you an educational starting draft, and the AI-tools terms scanner shows the clauses that go wrong.

Draft my AI disclosures and terms · $575
Pillar 3 · The vendor stack

AI vendor terms review

Every AI vendor relationship is a contract you probably did not negotiate. I read them for a living: my ToS Watchdog series dissects the major AI vendors' terms clause by clause, and the $575 review applies the same lens to the specific agreement and tier your business is on.

🔎 What I check in an AI vendor agreementTraining rights, retention, IP, indemnity, tier gaps, and exit
Clause areaThe questionWhy it bites
Training rightsMay the vendor use your inputs or outputs to train models?Consumer tiers often say yes by default; business tiers usually say no. The tier you are on decides.
Data retentionHow long are prompts and files kept, and can you get deletion?Retention windows and abuse-monitoring copies survive longer than most teams assume.
ConfidentialityDoes the vendor owe you confidentiality, or just security?Security promises are not confidentiality obligations; the difference matters for trade secrets and privilege.
Output ownershipWhat rights do you get in outputs, and are they exclusive?Vendors typically assign their rights, but identical outputs to other users and thin copyright limit what that is worth.
IndemnityWho stands behind the output if it infringes?Some vendors offer copyright indemnities on paid tiers, with conditions that are easy to void in practice.
Liability + disputesCaps, arbitration, class waivers, forumThe remedy you think you have is usually capped at fees paid, with arbitration in the vendor's forum.
Change of terms + exitCan the vendor change terms unilaterally? What happens to your data at exit?AI vendor terms change frequently; the review sets a re-check cadence and an exit path.
Review one AI vendor agreement · $575
🐕 My published AI vendor reviews (ToS Watchdog)OpenAI, Anthropic, Gemini, Perplexity, Midjourney, GitHub Copilot, Character.AI
Pillar 4 · The work product

Who owns AI-generated output

The most-asked AI question, and the most misunderstood: the contract answer and the copyright answer are different questions, and a business needs both handled.

🛠️ The two-layer answer: contract rights vs copyrightVendors can assign you their rights; the Copyright Office decides what those rights are worth

Layer one, contract. Major AI vendors generally assign their rights in outputs to the customer under their terms, subject to conditions and to the reality that similar prompts can produce similar outputs for other users. That assignment is real and worth securing on the right tier.

Layer two, copyright. Under current US Copyright Office guidance, material generated wholly by AI without sufficient human authorship is generally not registrable, while human selection, arrangement, and modification can support protection of the human-authored contribution. So a business can hold contractual rights in output that carries thin or no underlying copyright, which changes how you protect it: contracts, confidentiality, and trademark or trade-dress strategies do work copyright cannot.

⚠️ Where this bites in practice
Agencies delivering AI-assisted work to clients, companies commercializing AI-generated content or code, and teams assuming "we prompted it so we own it" all need the ownership chain written down: vendor terms, employment and contractor agreements, and customer contracts saying the same thing.

I maintain a full library on this: the AI output rights hub compares ownership terms across the major generators (ChatGPT, Claude, Gemini, Midjourney, GitHub Copilot, Stable Diffusion, and more), and my long-form analysis Who owns Claude's outputs and how can they be used? walks the Anthropic terms in depth.

Draft my output-ownership terms · $575
Pillar 5 · The data going in

Privacy and training-data risk

Everything your company types, uploads, or pipes into an AI tool is a disclosure to a vendor. The training clause decides whether it is also a contribution to someone else's model.

🔐 No-training clauses, retention, and privacy-law alignmentThe contractual and regulatory layer under every prompt
  • No-training terms. Whether a vendor may train on your inputs is a contract question, not a default you can assume. Business and API tiers usually commit not to train on customer content; consumer tiers often reserve the right unless the user opts out. The review pins down which regime actually applies to your accounts.
  • Retention and deletion. Prompts, files, and logs persist beyond the chat window. The terms should give you a retention answer, a deletion path, and clarity about abuse-monitoring copies.
  • Confidentiality and privilege. Feeding privileged or trade-secret material into a tool without confidentiality terms risks the protection itself. The employee policy (Pillar 1) and the vendor terms have to agree on this.
  • Privacy-law alignment. If personal data flows into AI tools, your privacy policy, vendor DPAs, and state privacy-law obligations (California's CCPA/CPRA among them) need to describe that flow honestly. AI does not get a carve-out from the disclosures you already owe.
  • Licensing your data TO AI companies. The reverse deal exists too: if an AI company wants your dataset, that is a training-data license with its own economics. My free AI training data license generator shows the moving parts.
✓ The one-page fix that does the most work
A vendor-tier inventory: every AI tool in use, the tier, whether the terms permit training on inputs, and what data classification is allowed in. It is the first artifact I build in the comprehensive package, and most companies are surprised by their own list.
Get a written read on my training-data exposure · $240
How I deliver this

Not just Word files: an AI governance workroom

For the comprehensive package, I deliver the documents inside a private, interactive workroom that maps the legal terms to your actual AI stack: which tools touch which data, vendor tiers and training postures, disclosure placement, output-ownership chains, and the review gates before AI output ships. The Word documents are still delivered; the workroom adds the operational layer that keeps the policy alive after signing.

Employee AI Policy Vendor Tier Inventory Training-Terms Map Disclosure Placement Output Ownership Chain Review Gates
Preview the demo inline

Fictional demo data. Built by Sergei Tokmakov, Esq., a California attorney who also builds the workroom logic. Client workrooms are customized to the actual product, documents, data flows, and legal scope.

Free tools

Generators and scanners

Free starting drafts and clause checks. The paid engagements are where these become documents drafted around your facts.

🧰 Open the AI legal tool libraryPolicy generators, platform terms, training-data licenses, and clause risk checks
Avoid these

7 AI governance mistakes I keep seeing

The recurring, expensive ones. Open the list.

🚩 The seven most common mistakesFrom consumer-tier accounts to "we prompted it so we own it"
Mistake 1
Running the business on consumer-tier AI accounts
Staff use personal accounts whose terms may permit training on inputs, with none of the admin controls or commitments the same vendor sells to businesses.
Fix: Inventory the accounts, move company use to business or API tiers, and write the tier rule into the AI-use policy.
Mistake 2
Banning AI instead of governing it
Blanket bans push use underground, where there is no tier control, no data rule, and no review gate. The risk goes up, not down.
Fix: Approve specific tools and tiers, define data rules, and give staff a sanctioned path.
Mistake 3
Assuming "we prompted it, so we own it"
Contract rights from the vendor and copyright in the output are different questions. Purely AI-generated material may carry thin or no copyright.
Fix: Write the ownership chain into vendor, employment, and customer contracts, and protect thin-copyright output contractually.
Mistake 4
Shipping a customer-facing AI feature on generic SaaS terms
Terms written before the AI feature existed rarely disclose the AI, disclaim output reliance, or allocate responsibility when the model is wrong.
Fix: Add AI-specific disclosure, disclaimer, and reliance terms before launch, not after the first complaint.
Mistake 5
Letting marketing write the AI claims
Overstated AI capabilities are a deception theory waiting for a plaintiff or regulator, and they undercut your own disclaimers.
Fix: Run AI claims through the same review as the product terms; say what the system actually does.
Mistake 6
Treating the vendor's DPA as covering the AI feature
A general data processing addendum may say nothing about training, model improvement, or AI-specific retention. Silence favors the vendor.
Fix: Check the AI terms specifically; where they are silent, get the training and retention posture in writing.
Mistake 7
Writing the policy once and never re-checking the terms
AI vendor terms change frequently. The tier that did not train on your data last year may have new terms, new features, and new defaults today.
Fix: Put a re-review cadence in the policy: vendor terms checked on a schedule and on every major feature adoption.
Sequencing

90-day AI governance rollout

A practical order of operations for a company formalizing its AI use. Open the phases.

📅 Inventory, paper, and operateWhat to do first, what can wait, and what keeps it alive
Days 1-30Inventory and triage
Inventory every AI tool in use, the account tier, and what data flows into it.
Read the training and retention terms for the top tools; move sensitive use to protected tiers.
Identify the customer-facing AI surfaces and what they currently promise.
Days 31-60Paper the three pillars
Adopt the employee AI-use policy and brief the team on it.
Add AI disclosures, disclaimers, and reliance terms to the customer-facing surfaces.
Redline or paper the key vendor agreements: training, retention, IP, indemnity.
Days 61-90Operate and maintain
Stand up review gates for AI output that reaches customers, code, or filings.
Align the privacy policy and any DPAs with the real AI data flows.
Set the re-review cadence: vendor terms re-checked on schedule and on each new tool adoption.
Reference

AI governance glossary

Tap a card to flip it for the definition. Open the deck.

🔖 Flip-card glossaryNo-training clause, shadow AI, output assignment, AI addendum, and more
Questions

Frequently asked questions

Each answer is folded. Open the ones you need.

What is an AI governance legal stack for a business deploying AI?

A working set of documents that controls how AI enters the business from three directions: an employee AI-use policy for the tools staff use, customer-facing AI disclosures and terms for the AI the business exposes to users, and reviewed AI vendor agreements for the models and tools the business buys. On top of those sit output-ownership terms and training-data protections. Which documents a specific company needs depends on how it actually uses AI, which is what I confirm before drafting.

Do my employees need an AI-use policy?

If employees use AI tools at work, with or without permission, the company usually benefits from a written AI-use policy. Unmanaged use means confidential information, customer data, and code can flow into consumer-tier tools whose terms may permit training on inputs. A practical policy defines approved tools and tiers, data rules, human-review requirements, and internal disclosure. The right scope depends on your data and industry.

Do I have to tell customers they are talking to AI?

Sometimes, and the trend is toward more disclosure. Several states have enacted bot-disclosure and AI-specific statutes, some consumer-protection regimes treat undisclosed AI interactions or overstated AI claims as deceptive, and sector rules can add requirements. Even where no statute squarely applies, clear disclosure plus output disclaimers reduces deception and reliance claims. Whether a specific deployment triggers a specific statute is a fact question I confirm in an engagement.

🔐Can AI vendors train their models on my company data?

It depends on the tier and the terms. Consumer tiers often permit the provider to use inputs to improve models unless the user opts out, while business, enterprise, and API tiers typically commit not to train on customer content by default. The protection lives in the contract, so the vendor review checks the training clause, retention, confidentiality, and subprocessor terms for the product and tier you are actually on.

🛠️Who owns AI-generated output?

Two different questions hide in there. Contractually, major AI vendors generally assign their rights in outputs to the customer, subject to each vendor's terms. Under US copyright law, purely AI-generated material without sufficient human authorship is generally not copyrightable, so a business may own the contractual rights while holding thin or no copyright in the raw output. The practical answer is drafted: output-ownership terms in vendor agreements, employment policies, and customer contracts, matched to how the output is used. See the AI output rights hub for the vendor-by-vendor comparison.

📊Do AI vendor terms differ between consumer and enterprise tiers?

Substantially. Training rights, data retention, confidentiality, admin controls, indemnification, and dispute terms often differ between a consumer subscription and a business, enterprise, or API agreement from the same vendor. A company that lets staff use consumer accounts may have none of the protections its vendor's enterprise customers get. Tier selection is one of the first things I check in a vendor review.

📄What does the $575 create-or-redline engagement cover?

One AI-related document, drafted from scratch or redlined: an employee AI-use policy, an AI vendor agreement or addendum review, customer-facing AI terms or disclosures, or a similar single document. It includes up to three rounds of email-based revisions, with drafts back within two business days after I receive the necessary documents. Unusually long or complex work beyond that scope bills at $240 per hour, agreed in writing first.

✉️What does the $240 written attorney consultation cover?

You send your question, a short factual summary, and the key document or vendor terms. You receive a written attorney response identifying the main legal issues, risks, leverage points, and practical next steps for your AI use. It is the lower-friction entry point when you want an attorney read before committing to drafting. It is not a full redline, policy draft, or comprehensive document review unless separately agreed.

📦What is in the comprehensive AI governance package?

The multi-document engagement for a business deploying AI across the organization: employee AI-use policy, customer-facing AI terms and disclosures, review of the key AI vendor agreements, output-ownership terms, and training-data protections, delivered in a private interactive workroom. Because the document count and vendor stack vary by company, this tier is scoped and quoted in writing before any work starts, typically around the $2,500 mark for a full stack.

🤖Is the AI Legal Analyst on this page legal advice?

No. It is attorney-supervised AI that provides legal information, not legal advice, and using it does not create an attorney-client relationship. For advice tailored to your facts, the paid engagement is where that happens.

Put your AI use on paper before it papers you

One document at $575 flat, a written attorney answer at $240, or the comprehensive stack scoped and quoted in writing. Fixed fees agreed before work starts, revisions included, drafts within two business days on the single-document tier.

Create or Redline One AI Document · $575 flat

Sergei Tokmakov, Esq., CA Bar #279869. Attorney advertising. Prefer a written opinion first? The $240 Written Attorney Consultation is the lower-friction entry.

General information, not legal advice. Everything on this page, including the scoper, the decision tree, and the AI Legal Analyst, is general information current as of July 2026, prepared by Sergei Tokmakov (CA Bar #279869). AI statutes, regulator positions, and vendor terms change frequently, and the application to your business depends on facts I would confirm in an engagement. Nothing here creates an attorney-client relationship, and no outcome is guaranteed. Published vendor reviews describe public terms as of their writing; your controlling terms are the ones you actually agreed to.
One AI document · $575