Who Owns AI-Written Code? What CTOs, Developers, and Procurement Teams Need to Know

Generative AI is transforming how software is written. Tools like GitHub Copilot, Claude Code, Cursor, and OpenAI Codex are now capable of suggesting full functions, refactoring legacy modules, and scaffolding new features in seconds.

But as this machine-authored code finds its way into production, a critical question arises: Who owns it and who’s responsible if something goes wrong?

In this post, we’ll unpack the legal grey areas, highlight risks around licensing and attribution, and offer practical guidance on how teams can safely adopt AI-assisted development tools.

Four Leading AI Coding Tools And How They Differ

Let’s start with a quick overview of the most popular options on the market:

GitHub Copilot (powered by OpenAI by default)

• Suggests code directly in the IDE (VS Code, JetBrains)

• Trained on a large corpus of public GitHub repositories

• Copilot Enterprise allows integration with your private repos (e.g., on GitHub Enterprise)

• Offers limited indemnity for paid users, plus admin controls

Claude and Claude Code (Anthropic)

• Claude is available via web UI and API; excels at long-context reasoning and is widely used for code review, explanation, and refactoring

• Claude Code is Anthropic’s dedicated agentic coding tool. It operates directly in your terminal, can read your entire codebase, create and edit files, run tests, and execute multi-step engineering tasks autonomously

• Claude Code is increasingly used in professional development workflows alongside editors like Cursor and VS Code

• Anthropic’s terms of service state that you own the outputs Claude generates, though copyright protection depends on the level of human involvement (more on this below)

Cursor

• A developer-focused IDE based on VS Code with built-in AI chat

• Connects to your own codebase, enabling “context-aware” suggestions

• Supports multiple models (Claude, GPT-4, etc.)

• Keeps local context private by default (depending on model provider)

OpenAI Codex

• Powering tools like Copilot and the OpenAI API’s /v1/completions endpoint for code

• Developers can build their own apps or plugins using Codex directly

• Highly customisable, but offers no built-in safeguards or context management

Each tool differs in model transparency, context privacy, licensing protections, and enterprise readiness. These factors are key when choosing tools for production environments.

Who Owns AI-Generated Code?

In most jurisdictions:

• Only humans can own copyright, meaning code produced purely by an AI may not be legally owned at all.

• If a developer prompts the model and modifies the result, human authorship can be claimed.

• However, legal precedent is evolving, and different countries may interpret this differently over time.

This matters because unowned or ambiguous code could be:

• Freely copied or reused by others

• Unprotectable under IP law

• A risk in M&A, due diligence, or IP disputes

Claude Code: Copyright and Ownership

Claude Code has become one of the most widely adopted AI coding tools in professional software development. Understanding the copyright and ownership position is essential for any team using it in production.

What Anthropic’s terms say

Anthropic’s terms of service assign ownership of Claude Code outputs to the user. You retain the rights to code that Claude Code generates on your behalf. This is a contractual right between you and Anthropic, and it is clear and explicit.

However, contractual ownership is not the same as copyright protection. The distinction matters.

The copyright question

In the UK, US, and most other jurisdictions, copyright requires human authorship. Code produced entirely by an AI, with no meaningful human creative input, may not qualify for copyright protection at all.

This does not mean the code is worthless or unusable. It means a competitor could, in theory, reproduce identical output without infringing your copyright, because there may be no copyright to infringe.

What “substantial human involvement” means in practice

The good news for teams using Claude Code is that most real-world usage involves significant human direction. You are defining the requirements, reviewing the output, making architectural decisions, selecting what to keep, and modifying what needs changing. This level of involvement strengthens the case for human authorship considerably.

Where the position becomes weaker is when Claude Code generates large volumes of code with minimal review or modification. If a developer accepts multi-file output wholesale without meaningful editing, the human authorship argument is harder to sustain.

Practical steps to protect your IP when using Claude Code

1. Review and modify all AI-generated code before committing. Even small modifications strengthen the human authorship position.

2. Document your process. Record that a human developer directed the work, reviewed the output, and made editorial decisions. This creates an audit trail that supports an authorship claim.

3. Treat Claude Code as a contributor, not the author. Your internal policies should make clear that the developer, not the tool, is the author of record.

4. Address it in contracts. If you are building software for clients, include clear terms about AI tool usage, IP ownership, and indemnity. See our guidance on software source code ownership and intellectual property in software development for more.

5. Scan for open-source contamination. Claude Code, like all LLM-based tools, may produce output that resembles existing open-source code. Run licence scans as part of your CI/CD pipeline.

For teams that want the productivity benefits of Claude Code with the confidence that their IP is protected, working with an experienced Claude Code development team ensures the right governance is in place from the start.

The Real Risk: Training Data and Open Source Contamination

Most LLMs used for code generation were trained on public datasets, often including open source code. That creates two primary legal risks:

1. Inadvertent Inclusion of Copied Snippets

• Some AI tools have reproduced exact or near-exact copies of open source code

• This may expose you to GPL or SSPL licence obligations

2. Lack of Attribution

• Licences like MIT or Apache require giving credit

• AI tools don’t include attribution headers unless prompted

GitHub Copilot, for example, has faced criticism for potentially emitting code identical to snippets from public repos. While rare, it’s possible, and puts the onus on developers to check.

Enterprise Features That Reduce Risk

If you’re planning to use AI tools across a team or organisation, prioritise features that mitigate compliance and legal exposure:

Private Codebase Integration

• Copilot Enterprise and Cursor can restrict model access to your own repos only

• This improves relevance while avoiding training-data surprises

Prompt Isolation and Data Privacy

• Claude and OpenAI’s API offer controls to disable data logging or sharing

• Some platforms allow you to run models in a fully private environment

Reference Transparency

• Cursor and some LLM wrappers can show source URLs for completions

• This allows developers to manually validate licences

Indemnity and Commercial Terms

• GitHub Copilot for Business offers limited indemnity against claims

• For critical IP, look for signed contracts with your vendor, not just terms of service

How to Use AI Code Generators Safely

Whether you’re using Copilot, Claude, or any other tool, these principles apply:

1. Treat AI as a third-party contributor

• Review, test, and document AI-generated code just as you would with open source

• Avoid direct copy-paste of long completions without editing

2. Scan for licensing risk

• Run code scans (e.g. FOSSA, Snyk, or GitHub Advanced Security) to identify similarities to existing OSS

• Watch for suspicious patterns or license headers

3. Maintain usage policies

• Define when AI tools can and cannot be used (e.g. not in core IP or patented code)

• Track model usage and train teams to review AI output critically

4. Address it in contracts

For client work or commercial products, ensure deliverables include:

• Warranties of originality

• Indemnity for IP issues

• Disclosure of AI involvement if relevant

When to Avoid AI-Generated Code

Use extra caution when:

• Developing core IP, patents, or client-critical software

• Operating in regulated industries like finance or healthcare

• Building software where open source obligations would be unacceptable

In those cases, consider disabling AI suggestions or using them only for exploratory work, not production code.

Legal Landscape: Still Evolving

The law is trying to catch up:

• The EU AI Act includes provisions on traceability and transparency

• In the US and UK, copyright regulators are investigating AI authorship

• Lawsuits (e.g. against GitHub and OpenAI) could shape how AI training and output are regulated

For now, you carry the risk. So policies and process matter more than ever.

DMCA Takedowns and AI-Generated Code

The Digital Millennium Copyright Act (DMCA) adds a specific enforcement mechanism to the copyright risks outlined above. Under the DMCA, a copyright holder who believes their work has been reproduced without permission can file a takedown notice with the hosting platform (GitHub, GitLab, Bitbucket, or any other host). The platform must remove or disable access to the material, and the burden shifts to you to file a counter-notice if you believe the claim is wrong.

This matters for AI-generated code because the training data behind most code-generation models includes millions of public repositories. When an AI tool produces output that closely resembles existing copyrighted code, the original author has a viable path to force its removal.

How DMCA risk shows up in practice

A DMCA takedown does not require a court ruling. It requires a good-faith belief that infringement has occurred, a written notice, and a hosting provider that follows the safe harbour provisions of DMCA section 512. GitHub processes thousands of DMCA notices every year, and repositories are taken down routinely.

For enterprise teams, the risk is not theoretical. If AI-generated code in your production repository triggers a takedown, you face:

• Immediate removal of the affected repository or files from your hosting platform
• Disruption to CI/CD pipelines, deployments, and team workflows
• Legal exposure if the code has already been delivered to clients or deployed in production
• Reputational risk, particularly if the takedown becomes public

Fair use is not a reliable defence

Some teams assume that AI-generated code qualifies as fair use under US copyright law. Fair use is a fact-specific defence evaluated on four factors: the purpose of the use, the nature of the copyrighted work, the amount used, and the effect on the market for the original. Courts have not yet ruled definitively on whether AI-generated code that resembles training data qualifies as fair use. Relying on fair use as your primary defence is a gamble, not a strategy.

Reducing DMCA exposure

The practical mitigations are the same ones that reduce open-source contamination risk:

• Run licence and similarity scans on every pull request. Tools like FOSSA, Snyk, and GitHub Advanced Security detect code that matches known open-source projects.
• Review AI output before committing. Developers who read, understand, and modify AI-generated code are less likely to ship verbatim reproductions.
• Enable duplicate-detection filters where available. GitHub Copilot’s filter blocks suggestions that match public code above a similarity threshold.
• Maintain an incident response plan. Know who handles a DMCA notice, how quickly you can respond, and where your counter-notice process is documented.

For UK-based teams, the DMCA is US legislation, but it applies to any code hosted on US-based platforms (including GitHub and GitLab.com). Even if your team and clients are entirely UK-based, your hosting platform’s DMCA obligations still apply.

The Future: Trusted AI Tools with Built-In Governance

As adoption grows, the winners in this space will be those who offer:

• Clear audit trails

• Transparent model training disclosures

• Enterprise licensing and indemnity

• Private deployment options

• Fine-tuned models trained only on your codebase

This is where tools like GitHub Copilot Enterprise, Cursor, and self-hosted models (e.g. using Azure OpenAI with your own vector database) are gaining traction.

In Summary: Build with AI, But Build Smart

AI-powered coding tools are here to stay. They boost velocity, improve quality, and reduce boilerplate, but they don’t remove your responsibilities.

• Own your process

• Validate your output

• Secure your rights

• Protect your clients

With the right governance, AI can be a powerful co-pilot, not a legal landmine. For a look at how this plays out in practice, read about how we ship AI in real-world delivery. For a broader view of what goes wrong when AI-generated code lacks human oversight, read why we don’t let AI ship code unsupervised.

Frequently Asked Questions

Going deeper: UK law specifically

If your development team is based in the UK, or you are procuring software from UK suppliers, the legal position on AI-generated code has some important differences from the US and EU. The UK’s Copyright, Designs and Patents Act 1988 includes a specific provision for computer-generated works that no other major jurisdiction has matched. Our companion article on AI code ownership under UK law covers the CDPA section 9(3) provision in detail, along with employment contract clauses and a practical IP policy template for enterprise teams.

Work with a team that takes AI governance seriously

Talk Think Do builds production software using Claude Code, with clear governance around IP, code ownership, and human oversight built in from day one. Every project delivers full source code, with our developers directing and reviewing AI output to maintain strong human authorship.

If you are adopting AI coding tools and want confidence that your IP is protected and your code is production-ready, book a consultation to talk it through with our team.