Who Owns AI-Written Code? What CTOs, Developers, and Procurement Teams Need to Know

Generative AI is transforming how software is written. Tools like GitHub Copilot, Claude, Cursor, and OpenAI Codex are now capable of suggesting full functions, refactoring legacy modules, and scaffolding new features, in seconds.

But as this machine-authored code finds its way into production, a critical question arises:
Who owns it and who’s responsible if something goes wrong?

In this post, we’ll unpack the legal grey areas, highlight risks around licensing and attribution, and offer practical guidance on how teams can safely adopt AI-assisted development tools.

---

Four Leading AI Coding Tools And How They Differ

Let’s start with a quick overview of the most popular options on the market:

🧠 GitHub Copilot (powered by OpenAI by default)

• Suggests code directly in the IDE (VS Code, JetBrains)
• Trained on a large corpus of public GitHub repositories
• Copilot Enterprise allows integration with your private repos (e.g., on GitHub Enterprise)
• Offers limited indemnity for paid users, plus admin controls

💬 Claude (Anthropic)

• Available via web UI and API; excels at long-context reasoning
• Often used with code pasted in for review, explanation, or refactoring
• Less IDE-native, but powerful for complex code analysis or design feedback

🖥 Cursor

• A developer-focused IDE based on VS Code with built-in AI chat
• Connects to your own codebase, enabling “context-aware” suggestions
• Supports multiple models (Claude, GPT-4, etc.)
• Keeps local context private by default (depending on model provider)

⚙️ OpenAI Codex

• Powering tools like Copilot and the OpenAI API’s /v1/completions endpoint for code
• Developers can build their own apps or plugins using Codex directly
• Highly customisable, but offers no built-in safeguards or context management

Each tool differs in model transparency, context privacy, licensing protections, and enterprise readiness. These factors are key when choosing tools for production environments.

---

Who Owns AI-Generated Code?

In most jurisdictions:

• Only humans can own copyright, meaning code produced purely by an AI may not be legally owned at all.
• If a developer prompts the model and modifies the result, human authorship can be claimed.
• However, legal precedent is evolving, and different countries may interpret this differently over time.

This matters because unowned or ambiguous code could be:

• Freely copied or reused by others
• Unprotectable under IP law
• A risk in M&A, due diligence, or IP disputes

---

The Real Risk: Training Data and Open Source Contamination

Most LLMs used for code generation were trained on public datasets, often including open source code. That creates two primary legal risks:

1. Inadvertent Inclusion of Copied Snippets

• Some AI tools have reproduced exact or near-exact copies of open source code
• This may expose you to GPL or SSPL licence obligations

2. Lack of Attribution

• Licences like MIT or Apache require giving credit
• AI tools don’t include attribution headers unless prompted

GitHub Copilot, for example, has faced criticism for potentially emitting code identical to snippets from public repos. While rare, it’s possible, and puts the onus on developers to check.

---

Enterprise Features That Reduce Risk

If you’re planning to use AI tools across a team or organisation, prioritise features that mitigate compliance and legal exposure:

✅ Private Codebase Integration

• Copilot Enterprise and Cursor can restrict model access to your own repos only
• This improves relevance while avoiding training-data surprises

✅ Prompt Isolation and Data Privacy

• Claude and OpenAI’s API offer controls to disable data logging or sharing
• Some platforms allow you to run models in a fully private environment

✅ Reference Transparency

• Cursor and some LLM wrappers can show source URLs for completions
• This allows developers to manually validate licences

✅ Indemnity and Commercial Terms

• GitHub Copilot for Business offers limited indemnity against claims
• For critical IP, look for signed contracts with your vendor, not just terms of service

---

How to Use AI Code Generators Safely

Whether you’re using Copilot, Claude, or any other tool, these principles apply:

🧾 1. Treat AI as a third-party contributor

• Review, test, and document AI-generated code just as you would with open source
• Avoid direct copy-paste of long completions without editing

🔍 2. Scan for licensing risk

• Run code scans (e.g. FOSSA, Snyk, or GitHub Advanced Security) to identify similarities to existing OSS
• Watch for suspicious patterns or license headers

📚 3. Maintain usage policies

• Define when AI tools can and cannot be used (e.g. not in core IP or patented code)
• Track model usage and train teams to review AI output critically

🛡 4. Address it in contracts

• For client work or commercial products, ensure deliverables include:
  • Warranties of originality
  • Indemnity for IP issues
  • Disclosure of AI involvement if relevant

---

When to Avoid AI-Generated Code

Use extra caution when:

• Developing core IP, patents, or client-critical software
• Operating in regulated industries like finance or healthcare
• Building software where open source obligations would be unacceptable

In those cases, consider disabling AI suggestions or using them only for exploratory work—not production code.

---

Legal Landscape: Still Evolving

The law is trying to catch up:

• The EU AI Act includes provisions on traceability and transparency
• In the US and UK, copyright regulators are investigating AI authorship
• Lawsuits (e.g. against GitHub and OpenAI) could shape how AI training and output are regulated

For now, you carry the risk. So policies and process matter more than ever.

---

The Future: Trusted AI Tools with Built-In Governance

As adoption grows, the winners in this space will be those who offer:

• Clear audit trails
• Transparent model training disclosures
• Enterprise licensing and indemnity
• Private deployment options
• Fine-tuned models trained only on your codebase

This is where tools like GitHub Copilot Enterprise, Cursor, and self-hosted models (e.g. using Azure OpenAI with your own vector database) are gaining traction.

---

In Summary: Build with AI, But Build Smart

AI-powered coding tools are here to stay. They boost velocity, improve quality, and reduce boilerplate—but they don’t remove your responsibilities.

• Own your process
• Validate your output
• Secure your rights
• Protect your clients

With the right governance, AI can be a powerful co-pilot—not a legal landmine.

Control your own destiny

Talk Think Do is an industry-leading cloud application development company, offering application innovation services that support clients from project discovery to post go-live support. Our expertise extends to developing software for various operating systems, ensuring seamless integration and performance across different platforms.

During the discovery phase, we work alongside clients to fully define and clarify the goals of the project, to ensure that they receive an application that meets all of their unique business requirements. We can advise on whether you might benefit from owning the source code of your application, helping to minimise risks in delivery and ensure that every decision is made with your best interests at heart. This source code is crucial for creating and managing computer programs that drive cloud-native applications. Book a consultation today to discuss how our application innovation service could help you.