IP, Data, and Trade Secret Checklist for Startups After the AI Act Implementation

Pine IP Firm
May 13, 2026

The intellectual property strategy for AI startups no longer ends with "Can we patent our model?" With the enforcement of the "Act on the Promotion of Artificial Intelligence Development and Trustworthy Creation, etc." on January 22, 2026, AI services have entered a phase where, along with technological protection, data provenance, transparency, safety, trade secret management, and outsourcing contracts must all be examined.

Especially for generative AI, AI applied in sensitive areas such as healthcare, finance, recruitment, education, and transportation, or SaaS-type AI services that continuously utilize customer data for training, IP and compliance cannot be viewed separately from the outset. Patents are a means to disclose technology and secure rights, while trade secrets maintain their value through non-disclosure. Training data and model operation policies dictate a company's risk between these two.

This article provides a practical checklist for AI companies to review before product launch.

Three Assets to Distinguish First

AI companies often have a mix of assets with different characteristics.

First, technologies that can be disclosed. These include technologies like specific model structures, data preprocessing methods, inference speed improvement techniques, and industry-specific application systems that can be patented. This area requires a review of whether to file for a patent before disclosure.

Second, technologies whose value diminishes upon disclosure. This category includes model training pipelines, data labeling standards, hyperparameter tuning know-how, prompt chains, evaluation sets, and customer-specific optimization rules. This area should first be assessed for its potential to be managed as a trade secret.

Third, external assets that the company cannot freely use. This includes crawled data, customer-provided data, open-source code, external APIs, public datasets, modules created by partners, and experimental code created by employees using personal accounts. This area requires an initial check of ownership and usage conditions.

AI disputes typically arise when the third category of assets is treated as if it were the first or second. The statement "We trained it, so it's ours" only holds meaning after navigating issues related to contracts, licenses, personal information, copyrights, and trade secrets.

Items to Check After the AI Basic Act

1. Determine if Our Service is Close to High-Impact AI

The AI Basic Act mandates a separate management system for AI that can significantly affect human life, physical safety, and fundamental rights. The enforcement decree also requires confirmation of application areas such as energy, drinking water, healthcare, medical devices, nuclear energy, criminal investigation/arrest, recruitment/loan screening, transportation, public services, and education.

Even if a startup considers its service a "simple recommendation service," issues related to high-impact AI can arise if actual clients use it for recruitment, loan applications, insurance, medical evaluations, or educational assessments. Therefore, it is advisable to clearly delineate the AI's permissible and prohibited usage areas, as well as the scope of customer responsibility, in product descriptions and contracts.

Checklist Questions:

  • Does the customer use these AI results for human recruitment, loan applications, diagnoses, or safety judgments?
  • Are the AI results close to automated decision-making, or are they reference materials?
  • Does the customer have logs and explanatory materials to interpret and verify the results?
  • Is the product description exaggerating actual features?

2. Create a Data Source Table for Training Data

AI companies often need a data source table more than technical documentation. A data source table is not an elaborate document but rather a table summarizing what data came from where and under what conditions it is used.

The minimum required items are as follows:

Item Details to Check
Data Name Internal identifiable name
Source Self-generated, provided by customer, public data, purchased data, crawled, outsourced delivery
Basis for Use Contract, terms of service, license, consent, legal basis
Permitted Scope Training, verification, display within product, resale, provision to third parties
Restrictions Non-commercial use, attribution, prohibition of redistribution, prohibition of model training, etc.
Personal Information Status Included, de-identified, anonymized, not included
Response to Deletion Requests Possibility of removal upon customer termination or rights holder request

Without this table, explanations can falter during investment due diligence, customer security reviews, large enterprise PoCs, or public sector adoption processes. Notably, "publicly available data" and "data that can be freely used for training" are not synonymous.

3. Include Ownership of Generative AI Outputs in Contracts

In workflows using generative AI, the ownership of the output is often unspecified. When an external vendor delivers UI, marketing copy, code, images, or reports created by AI, ambiguity regarding who can use the output and to what extent can lead to future problems.

The contract should include the following clauses:

  • Availability of AI tool usage
  • Whether customer's trade secrets or personal information can be input
  • Liability if the output includes elements infringing third-party rights
  • Rights to modify, reuse, or create derivative works from the output
  • Disclosure of licenses for used open-source software and external models
  • Whether reuse of training data in delivered products is prohibited

Simply including clauses prohibiting AI use may not be practical. More importantly, it is crucial to define "what data should not be included" and "what information must be disclosed if it is used."

4. Differentiate Between Trade Secrets and Patentable Inventions

For AI technology, patenting everything is not always the best approach. Patents are granted based on public disclosure, while trade secrets rely on non-disclosure. Therefore, a distinction must be made even within the same AI service.

Subjects for Patent Review:

  • When the model structure or training method creates technical effects
  • When there is a data processing flow that solves a specific industry problem
  • When combined with technical configurations such as hardware, sensors, control, diagnostics, or security
  • When competitors can infer the implementation to some extent by observing the product

Trade Secret Management Subjects:

  • Data cleaning standards
  • Labeling manual
  • Prompt templates and evaluation sets
  • Customer-specific tuning parameters
  • Failure response logs and operational know-how
  • Pricing algorithms and internal benchmarks

To manage something as a trade secret, access controls, export restrictions, confidentiality markings, log management, retrieval from departing employees, and NDAs with partners must be effectively implemented. Merely considering something "important" is insufficient.

5. Manage Open Source and External APIs Separately

AI products are often built by rapidly integrating open-source models, vector databases, frameworks, evaluation tools, and external APIs. The issue arises when libraries used during the PoC phase are incorporated into commercial products without modification.

Before launch, at a minimum, the following should be verified:

  • List of open-source software in use
  • Types of each license
  • Whether modifications were made
  • Whether the product is distributed or SaaS
  • Whether installation files or containers are provided to customers
  • Obligations to disclose source code, provide attribution, or supply license copies
  • Whether terms of external APIs permit storage, retraining, or resale of output

Disclosure of open-source software and adherence to license obligations become even more critical when delivering on-premises solutions or SDKs to enterprise clients.

Internal Pre-Launch Checklist

  • Is there a data source table?
  • Are the terms of service clear about whether customer data is used for training?
  • Are ownership and liability for generative AI outputs included in the contract?
  • Has the applicability to high-impact AI been reviewed?
  • Has technical data been disclosed before filing a patent application?
  • Are there access controls and export controls for data managed as trade secrets?
  • Has a list of open-source licenses been created?
  • Are there provisions for rights transfer for code and models created by external developers?
  • Does the explanatory material provided to customers exaggerate actual features?
  • Are the terms of service updated to reflect liability for failures, errors, or hallucinations?

Frequently Asked Questions

Can AI models themselves be protected?

Rather than protecting the model itself, the protection can extend to aspects like the model structure, training methods, data processing flows, system configurations that solve specific industry problems, and technical means for improving inference speed or accuracy. However, a distinction must be made between aspects that are easily replicable upon disclosure and those that must be kept secret.

Is a terms of service agreement sufficient to use customer data for training?

The terms of service are merely a starting point. Depending on the nature of the data, issues related to personal information, trade secrets, copyrights, and contractual confidentiality obligations may arise. For B2B services, it is safer to separate the use of customer's internal data for retraining through separate consent or contracts.

Can generative AI outputs be commercially used by the company immediately?

This depends on the terms of service of the AI tool used, the ownership of the input data, the similarity of the output, and the rights attribution in outsourcing contracts. Logos, characters, advertising images, code, and datasets, in particular, require separate review.

Practical Proposals from Pine IP Firm

Before product launch, AI companies must consider patentability, data usage rights, trade secret management, open-source licenses, and customer contracts holistically. Focusing on only one area can lead to overlooking actual risks.

Pine IP Firm offers strategies to differentiate between technologies to be disclosed and those to be kept confidential, by examining not only the patentability of AI technology but also the structure of data, trade secrets, and contracts.