The intellectual property strategy for AI startups no longer ends with "Can we patent our model?" With the enforcement of the "Act on the Promotion of Artificial Intelligence Development and Trustworthy Creation, etc." on January 22, 2026, AI services have entered a phase where, along with technological protection, data provenance, transparency, safety, trade secret management, and outsourcing contracts must all be examined.
Especially for generative AI, AI applied in sensitive areas such as healthcare, finance, recruitment, education, and transportation, or SaaS-type AI services that continuously utilize customer data for training, IP and compliance cannot be viewed separately from the outset. Patents are a means to disclose technology and secure rights, while trade secrets maintain their value through non-disclosure. Training data and model operation policies dictate a company's risk between these two.
This article provides a practical checklist for AI companies to review before product launch.
AI companies often have a mix of assets with different characteristics.
First, technologies that can be disclosed. These include technologies like specific model structures, data preprocessing methods, inference speed improvement techniques, and industry-specific application systems that can be patented. This area requires a review of whether to file for a patent before disclosure.
Second, technologies whose value diminishes upon disclosure. This category includes model training pipelines, data labeling standards, hyperparameter tuning know-how, prompt chains, evaluation sets, and customer-specific optimization rules. This area should first be assessed for its potential to be managed as a trade secret.
Third, external assets that the company cannot freely use. This includes crawled data, customer-provided data, open-source code, external APIs, public datasets, modules created by partners, and experimental code created by employees using personal accounts. This area requires an initial check of ownership and usage conditions.
AI disputes typically arise when the third category of assets is treated as if it were the first or second. The statement "We trained it, so it's ours" only holds meaning after navigating issues related to contracts, licenses, personal information, copyrights, and trade secrets.
The AI Basic Act mandates a separate management system for AI that can significantly affect human life, physical safety, and fundamental rights. The enforcement decree also requires confirmation of application areas such as energy, drinking water, healthcare, medical devices, nuclear energy, criminal investigation/arrest, recruitment/loan screening, transportation, public services, and education.
Even if a startup considers its service a "simple recommendation service," issues related to high-impact AI can arise if actual clients use it for recruitment, loan applications, insurance, medical evaluations, or educational assessments. Therefore, it is advisable to clearly delineate the AI's permissible and prohibited usage areas, as well as the scope of customer responsibility, in product descriptions and contracts.
Checklist Questions:
AI companies often need a data source table more than technical documentation. A data source table is not an elaborate document but rather a table summarizing what data came from where and under what conditions it is used.
The minimum required items are as follows:
Without this table, explanations can falter during investment due diligence, customer security reviews, large enterprise PoCs, or public sector adoption processes. Notably, "publicly available data" and "data that can be freely used for training" are not synonymous.
In workflows using generative AI, the ownership of the output is often unspecified. When an external vendor delivers UI, marketing copy, code, images, or reports created by AI, ambiguity regarding who can use the output and to what extent can lead to future problems.
The contract should include the following clauses:
Simply including clauses prohibiting AI use may not be practical. More importantly, it is crucial to define "what data should not be included" and "what information must be disclosed if it is used."
For AI technology, patenting everything is not always the best approach. Patents are granted based on public disclosure, while trade secrets rely on non-disclosure. Therefore, a distinction must be made even within the same AI service.
Subjects for Patent Review:
Trade Secret Management Subjects:
To manage something as a trade secret, access controls, export restrictions, confidentiality markings, log management, retrieval from departing employees, and NDAs with partners must be effectively implemented. Merely considering something "important" is insufficient.
AI products are often built by rapidly integrating open-source models, vector databases, frameworks, evaluation tools, and external APIs. The issue arises when libraries used during the PoC phase are incorporated into commercial products without modification.
Before launch, at a minimum, the following should be verified:
Disclosure of open-source software and adherence to license obligations become even more critical when delivering on-premises solutions or SDKs to enterprise clients.
Rather than protecting the model itself, the protection can extend to aspects like the model structure, training methods, data processing flows, system configurations that solve specific industry problems, and technical means for improving inference speed or accuracy. However, a distinction must be made between aspects that are easily replicable upon disclosure and those that must be kept secret.
The terms of service are merely a starting point. Depending on the nature of the data, issues related to personal information, trade secrets, copyrights, and contractual confidentiality obligations may arise. For B2B services, it is safer to separate the use of customer's internal data for retraining through separate consent or contracts.
This depends on the terms of service of the AI tool used, the ownership of the input data, the similarity of the output, and the rights attribution in outsourcing contracts. Logos, characters, advertising images, code, and datasets, in particular, require separate review.
Before product launch, AI companies must consider patentability, data usage rights, trade secret management, open-source licenses, and customer contracts holistically. Focusing on only one area can lead to overlooking actual risks.
Pine IP Firm offers strategies to differentiate between technologies to be disclosed and those to be kept confidential, by examining not only the patentability of AI technology but also the structure of data, trade secrets, and contracts.