As artificial intelligence becomes  an integral part of companies’ daily operations, it brings not only  opportunities but also new questions and risks. In particular, issues related to data usage, decision-making processes, and liability are gaining greater importance for companies  In this context, we sat down with  Lawyer Özlem Kurt, Founding Partner of Kurt Gürler Partners and Founder  of KG AI, to discuss how artificial  intelligence is used in companies,  the risks it entails, and the impact  of European regulations on Türkiye.

Artificial intelligence has not changed the law itself; however, the way it is applied is undergoing a fundamental transformation. The law is no longer merely a mechanism that kicks in only when a problem arises; it is evolving into a framework that anticipates and manages risks even as systems are being established. In this context, we spoke with Lawyer Özlem Kurt, Founding Partner of Kurt Gürler Partners and Founder of KG AI, to discuss the issue from all angles. Özlem Kurt emphasized that the issue isn’t using artificial intelligence but rather it’s structuring and managing it in a legally sound manner.

  • Artificial intelligence has become quite widespread in recent years. In which areas and how are companies using this technology today?

Artificial intelligence is not actually a technology that emerged on its own; it represents the newest and most critical phase of a transformation that has been ongoing since the Industrial Revolution. From production to marketing, from sales to after-sales services, and from supply chain management to decision support systems, all of a company’s processes are now being reshaped by data and technology. The fundamental goal of this transformation is very clear: to establish processes that are more efficient, more data-driven, more strategic, and, most importantly, provide a cost advantage. For this reason, the use of artificial intelligence is no longer a choice for companies; it has become a direct component of competitive strength and, in fact, a necessity. However, there is a crucial difference that sets artificial intelligence apart from previous technologies. This technology is not merely a tool that accelerates or automates processes; it is also a system that learns, generates recommendations, and is directly integrated into decision-making processes. Consequently, artificial intelligence has evolved from being a tool for a specific function to becoming an integral part of all business processes. Companies are using this technology across a wide range of areas, from contract and document management to customer service, and from data analysis to human resources. However, a critical transformation is taking place here. Artificial intelligence is no longer merely a supporting tool; it has evolved into a system that generates decisions, develops recommendations, and in some cases, can take action in place of humans.

At this point, the issue goes beyond mere “use of technology.” This is because every decision-making system directly produces legal consequences. At the same time, these systems create the following architectures;

  • Systems whose decision-making basis cannot be fully explained
  • Systems capable of propagating errors at scale
  • Complex structures involving multiple actors

Therefore, the use of artificial intelligence today is not merely a technological investment; it is also a matter of law, risk, and governance. The real need is not simply to use this technology, but to structure it properly and manage it within a controllable system.

“The risk primarily arises within the framework of contract law and data protection law”
  • What legal risks do companies most commonly face when using artificial intelligence?

Today, companies use artificial intelligence in two different ways, and each model creates distinct legal risks. The first is when companies adopt AI by purchasing AI-based products and services from external providers. The second is when employees or teams use open-source AI tools in an uncontrolled manner.

In the first model, namely when a ready-made artificial intelligence solution is purchased, the risk primarily arises within the framework of contract law and data protection law. Companies often evaluate these systems as an “IT product”; however, artificial intelligence is not conventional software. We are dealing with a structure that is fed by data, learns, and produces outputs. For this reason, the following issues must be clearly regulated in contracts: how the data will be used, whether it will be transferred to the model, who owns the output, and who will be responsible in the event of a possible error or violation. When these elements are not clearly defined, companies may unknowingly face both data breach risks and contractual liability. In addition, data protection law is also a critical area. Artificial intelligence systems often process personal data, learn from it, and even incorporate it into the model itself. This creates significant obligations, particularly under Personal Data Protection Law and GDPR. Where the data is stored, how it is processed, and whether it is transferred to third parties are no longer merely technical issues but directly legal ones. However, in practice, the greatest risk arises in the second model, namely the uncontrolled use of open-source AI tools. Today, in many companies, employees actively use systems like ChatGPT; they draft contracts, perform data analysis, or input internal company information into these systems. In most cases, the scope of this use, which data is being shared, and whether this data is being learned by the model are not clearly known.

This situation can lead, often without awareness, to data leakage, the transfer of trade secrets to third-party systems, and the generation of legally problematic content. More importantly, since most of these processes are not traceable, the risk is usually only recognized once an issue arises. Therefore, the most critical legal risk in the use of artificial intelligence today stems not from the technology itself, but from its uncontrolled and unstructured use. Companies are using artificial intelligence, but the legal framework governing this use is often undefined. For this reason, in order to properly assess AI-related risks, it is necessary to evaluate not only technical risks but also the dimensions of contract law, data protection law, liability law, and intellectual property law together. This is because risk in artificial intelligence does not arise in a single area; it develops in a multilayered manner within the relationship between data, the model, and the output.

“Legal assessment and final decision-making must always be carried out by a human”
  • How can the balance between artificial intelligence and legal professionals be ensured?

The balance between artificial intelligence and legal professionals is not merely a matter of choice, but a legal necessity. The international approach is also aligned in this direction. OECD principles and European Union regulations clearly establish that human oversight is indispensable, especially in processes that produce legal consequences. For this reason, leaving the law entirely and uncontrolled to artificial intelligence is not a legally defensible model today. The correct approach is to position artificial intelligence not as a substitute for legal professionals, but as a system that supports their decision-making processes. Artificial intelligence provides significant efficiency in data analysis, contract review, and operational processes. However, legal assessment and final decision-making must always be carried out by a human. Therefore, the model accepted today is the “artificial intelligence + human oversight” approach. However, balance is not achieved solely by ensuring that humans have the final say. How artificial intelligence is used, within what kind of data structure, and under which security framework are also decisive factors. Uncontrolled use of open-source tools, the model learning from the data, or the use of outputs without verification can lead to serious legal risks without being noticed. Ultimately, the issue is not how much we use artificial intelligence, but how controlled, transparent, and legally structured the system within which we use it is.

“The correct approach is not to restrict artificial intelligence, but to create a controlled usage model”
  • How should employees’ use of artificial intelligence be managed within a company? What consequences can uncontrolled use lead to?

Today, the greatest risk in the use of artificial intelligence actually exists within companies themselves. Employees are extensively using open-source artificial intelligence tools, but this usage is often not bound to a corporate framework and cannot be properly monitored. This can lead to serious consequences such as unintentional data leakage, transfer of trade secrets to external systems, and the inclusion of incorrect outputs in business processes. Moreover, there is a critical challenge here: it is practically very difficult for companies to completely prevent or continuously monitor this usage in real time. Therefore, the issue is not about banning artificial intelligence, but about structuring its use correctly. First of all, the selection of AI tools is highly important. Relying on open and uncontrolled systems without adopting corporate, secure, and data-governed solutions directly increases risk. However, choosing the right tool alone is not sufficient. Companies need to establish clear, written, and enforceable policies regarding the use of artificial intelligence. These policies are now being introduced in many organizations; however, a policy without an enforcement mechanism does not provide real protection in practice. Ensuring traceability of usage, restricting data inputs, and requiring human oversight in specific processes are the core elements of this structure. This area is also rapidly becoming important from an employment law perspective. The tools used by employees, the data they share, and the content they generate can directly affect the employer’s liability. For this reason, the use of artificial intelligence is no longer just a technological issue; it is a new legal field that must be managed together with employee behavior, corporate policy, and control mechanisms. In conclusion, the correct approach is not to restrict artificial intelligence, but to create a controlled usage model by combining policy, technology selection, and enforcement mechanisms.

  • Who owns the copyright in AI-generated content, and what legal risks should companies consider when using such content?

The issue of copyright in AI-generated content is one of the most controversial areas today. This is because existing legal systems are still built upon the assumption that ‘the author is human.’ Consequently, whether content produced entirely automatically by artificial intelligence can benefit from copyright protection in the traditional sense remains a subject of debate in many countries. The current general approach is as follows: if there is human creative contribution to the content, a certain degree of protection may be possible. However, the matter of ownership in content generated entirely by AI is not clear. For this reason, in practice, this field is often regulated through contracts. In other words, the terms of the AI system used, service agreements, and terms of use are becoming the primary elements that determine ownership rights.

For companies, the primary concern is not just the question “who owns the rights?” but also “what risks does this create?” One of the most critical risks is the lack of transparency regarding the data used to train AI systems. If a model was trained on copyright-protected content, the resulting outputs may indirectly carry a risk of infringement. This situation has already materialized through recent lawsuits. Furthermore, whether AI-generated content is original, bears a resemblance to another work, or mimics a specific style constitutes a distinct risk area. While using this content commercially, companies may unintentionally infringe upon the intellectual property rights of third parties. Consequently, companies must pay special attention to three points when using AI-generated content: the data source and operational structure of the system used, the verification of the generated content, and the clarification of ownership and liability through contracts

  • How do the artificial intelligence regulations that have come into force in Europe affect Turkish companies?

Artificial intelligence regulations in Europe directly affect not only European companies but also many companies operating in Türkiye. This is because AI activities are, by their very nature, cross-border. Companies that do business with Europe, provide services to European customers, or process the data of European citizens may become subject to these regulations, even without realizing it. The most critical issue here is data flow. AI systems often transfer data across borders, where it is processed and used for learning. This creates a significant risk area in terms of both European regulations and Turkish law. Specifically, the uncontrolled transfer of personal data abroad is a matter that can lead to serious sanctions in both legal systems.

However, the primary approach of these regulations is not merely to intervene when an infringement occurs. Both European Union and Turkish law address the use of artificial intelligence through a risk-based approach. That is, the goal is not to solve a problem after it arises, but to prevent risk from the very beginning by determining data usage, system design, and how processes will function. Therefore, for companies, the issue is not just the question of ‘which rule am I subject to,’ but understanding within which data flow the AI usage takes place, what risks it creates, and how these risks will be managed from the start. Consequently, AI regulations in Europe are more than just a matter of compliance for Turkish companies; they are a direct matter of risk management. For this reason, the use of AI is as much a matter of law and governance that must be structured from the outset as it is a technical decision.

“Data usage, liability, and the ownership of outputs must be clearly regulated within contracts”
  • What should be the initial legal steps for a company that wants to use artificial intelligence?

The most common mistake companies make is viewing artificial intelligence solely as a technology investment and addressing the legal dimension as an afterthought, whereas this process must be properly structured from the very beginning. The first step is to clarify the purpose for which the AI will be used, because the field of application directly determines the risk level. Different use cases, such as production, customer relations, or decision support, generate different legal consequences. Secondly, a risk analysis must be conducted regarding the data and the system as early as the design phase. Which data will be used, how this data will be transferred to the system, and how the output will be monitored must be evaluated from the start. When this stage is skipped, managing subsequently arising risks becomes much more difficult. Contracts are the most critical part of this structure. In AI systems, data, models, and outputs operate in tandem; therefore, data usage, liability, and the ownership of outputs must be clearly regulated within contracts. It is essential that both those drafting the contract and those purchasing the service understand how the system works and what risks it entails. Finally, it must be remembered that artificial intelligence does not always produce predictable results. For this reason, the established legal framework should be planned to cover not only existing risks but also potential emerging risks to the greatest extent possible. In short, the use of AI is more than a technological decision; it is a risk and legal management process that must be correctly structured from the outset.

“Responsibility always lies with the human or the company”
  • How is responsibility determined in the event of an AI-related error or damage? Are there grey areas in this regard?

When damage arises from artificial intelligence, the fundamental rule under current legal frameworks does not change. Responsibility always lies with the human or the company. However, because AI systems involve multiple actors, it is not always clear who exactly bears that responsibility. A distribution of liability emerges between the developer, the provider, and the company using the system, and this creates grey areas. Today, the most important way to manage this uncertainty is through contracts. In AI systems, when data usage, the nature of outputs, and liability in the event of an error are not clearly defined, the risk is often directly shifted to the company using the system.

However, there is a more critical point here. In artificial intelligence, the main issue is not determining responsibility after a harm occurs, but managing the risk correctly from the very beginning. In other words, when the system is being designed, the following issues need to be legally structured;

  • Which data will be used
  • How the model will operate
  • How the output will be controlled