Good morning. I’ve been thinking about how different the AI risk conversation looks depending on which side of the table you’re on.
For most in-house teams, the starting question has been: what are we deploying, and is it compliant? This week adds a second track - what can be done to those systems, and what legal constraints apply when they act in the world. Both questions landed in the same news cycle. 🎯
— Philip
If you read one thing this morning, read the Briefing Room. Everything else is optional.
BRIEFING ROOM
Consent isn’t authorisation
Readers will be familiar with how agentic AI is pitched in products. An agent sits between the user and every app, platform and service they touch, acting on their behalf. The platforms on the other side were built for humans, with terms of service, authentication flows and commercial arrangements that assume a person, not a proxy. Last week produced the first serious judicial test of what happens when those terms meet a non-human agentic user.
A federal US court granted Amazon a preliminary injunction blocking Perplexity’s Comet AI browser agent from accessing Amazon’s systems, including Prime accounts. Comet had the user’s permission to act on their behalf; it did not have Amazon’s authorisation to access Amazon’s systems. A likely violation of the federal Computer Fraud and Abuse Act. Perplexity was ordered to destroy collected Amazon data and appealed the same day.
The case history is cat-and-mouse. Amazon first asked Perplexity to stop in November 2024. Perplexity allegedly complied but resumed in August 2025 - this time allegedly masking agents as Chrome browser users - and released a new version when Amazon blocked it technically. Amazon interpreted these steps as strategic product decisions. Perplexity is appealing.
The disintermediation logic
Perplexity CEO Aravind Srinivas had argued that AI agents should have “all the same rights and responsibilities” as human users. The ruling directly counters that framing, focusing on how a user cannot transfer rights they do not hold: platform access is not a personal entitlement that can be delegated.
The day after the injunction, Perplexity published its full platform philosophy. Under the headline “Everything is Computer”, it launched “Personal Computer”. Picture a Mac mini running 24/7 as what Perplexity calls a “digital proxy” for the user. A more trustworthy OpenClaw?
Amazon CEO Andy Jassy has previously confirmed “conversations” with third-party agent builders - a licensing path may follow.
Whose login is it anyway?
Every platform with a terms-of-service architecture and a direct commercial relationship with its users is now looking at the same question Amazon just put to a court. These questions on agents “dis-intermediating” platforms will keep being tested. For now, legal teams will start to consider how AI agents are accessing their own platforms.
🔹 User consent isn’t platform authorisation. A user’s delegation to an agent does not transfer the access rights they hold as a party to the platform’s terms, according to the US federal court’s interim decision.
🔹 Masking agent identity compounds exposure. Agents that obscure their artificial nature face increased risk under existing computer fraud frameworks.
🔹 Platform terms of service are a live compliance signal. Amazon updated its Business Solutions Agreement six days before the injunction. Platform terms are moving in real time. Agent deployments across external commercial systems warrant a Terms of Service check.
Most enterprise frameworks ask what an agent can do. This ruling adds a second question: on whose platform, and with whose authorisation? Procurement tools, vendor automations, and any agent interacting with external commercial systems sit within the same risk frame.
The disintermediation question has its first real legal answer now. It is not the last time it will be asked.
RISK RADAR
🇪🇺 EU AI Act clock moving again. The EU AI Act is still scheduled to be fully applicable on 2 August, subject to some exceptions. Tracking those exceptions remains a moving target. On Friday, the EU Council agreed its mandate on the “Omnibus VII” package, proposing fixing the delayed application of rules to 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for those embedded in products. The Council also reinstated the obligation to register potentially exempt AI systems in the EU database, and added a prohibition on so-called “nudification”: generating non-consensual intimate or sexual content. This is the Council’s position, not final law - trilogue with the European Parliament now begins.
Why it matters: The headline is deadline relief, but classification and documentation requirements remain and deployment timelines need to be ready by the new backstop dates. The “nudification” ban was added in response to the Grok/xAI incident of last December (Edition 6, Edition 7), and the European Parliament has already adopted a mirrored version, making it one of the few elements of this mandate near-certain to survive trilogue. The obligations are deferred, not removed; on the Grok provision, the direction of travel is already settled.
🇬🇧 Indefinite is not perpetual. The UK Court of Appeal overturned a High Court ruling in Zaha Hadid Limited v The Zaha Hadid Foundation, which had held that a licence described as continuing “shall continue indefinitely, unless terminated earlier” could be terminated on reasonable notice. The trade mark licence in question, which allowed Zaha Hadid’s architecture firm to use the ZAHA HADID name, passed to the Zaha Hadid Foundation after Hadid’s death. The licence contained no express termination right available to the Foundation. The judgment states: “to describe the duration of a contract as indefinite is a fundamentally different thing from describing it as perpetual. They are not synonyms.” Applying the two-stage test from Winter Garden Theatre, the court implied a bilateral right to terminate on reasonable notice, opening the door to renegotiation or exit and concluding legal fees which had surpassed £21.4 million since 2018.
Why it matters: In-house lawyers pressed for time can be forgiven for not spending time philosophising over the difference between “indefinite” and “perpetual”. The words are common across supplier contracts and IP arrangements. While this ruling feels like a victory for common sense, it prompts legal teams to bear it in mind when reviewing legacy contracts, such as those predating a key individual’s death, departure or corporate restructuring, to understand if a clause is genuinely open-ended or whether a termination right may now be implied. A clause intended to signal longevity may carry an unintended exit.
🔐 The prompt layer is the new attack surface. Last week, red-team security startup CodeWall published an account of hacking McKinsey’s Lilli, an internal AI platform used by 43,000+ employees for strategy, client work and M&A analysis. Industry commentators described it as a “David and Goliath” hack. An autonomous agent exploited a SQL injection flaw in an unauthenticated API endpoint, gaining full read-write access to the production database in under two hours, with no credentials and no prior knowledge of McKinsey’s systems. Access ran to 46 million chat messages, 728,000 files and 95 writable system prompts. McKinsey patched within 24 hours of responsible disclosure and found no evidence of prior unauthorised access.
Why it matters: GCs who have deployed enterprise AI platforms — legal research tools, contract analysis systems, document review platforms — now have a widely picked up news item to justify a specific question for vendor IT teams: has this system been tested against AI-specific attack surfaces, not just standard application security frameworks? The silent prompt rewriting risk is especially acute: an altered system prompt could change how an AI operates, with no audit trail. Legal teams involved in AI procurement will find this case useful in pushing for contractual requirements around AI-specific penetration testing and prompt integrity monitoring.
FROM THE SIDEBAR
Quick signals worth clocking (optional reading)
POLL OF THE WEEK
When geopolitical risk emerges, how early is Legal involved?
Results so far:
🟩🟩⬜⬜⬜ 🔭 Early: we actively monitor geopolitical developments
🟧⬜⬜⬜⬜ ⚠️ Once business exposure becomes plausible
🟩🟩⬜⬜⬜ ⚖️ When contracts or sanctions questions arise
⬜⬜⬜⬜⬜ 🚨 Usually after the issue has escalated
Reassuring. The interesting divide is between teams that treat geopolitical risk as an upstream monitoring issue and those that pull Legal in at the point of a defined legal trigger. Both imply some structural involvement. The absence of any responses at the escalation end is interesting. Either our readers are unusually well-positioned, or nobody likes admitting they are late.
Enjoying the signal?
If you know someone who might find this useful, feel free to forward it along.
💬 Forward to a colleague
🧠 Was this forwarded to you? Subscribe here to get it every Wednesday.
When you’re ready, here’s how I can help
I’m a General Counsel helping tech and SaaS scale-ups navigate digital regulation. I work with a small number of leadership teams as a Fractional GC or through targeted advisory sprints focused on:
AI & Regulatory Strategy: Translating regimes like the EU AI Act into design-level guardrails.
Strategic Triage: Making high-stakes calls with imperfect information to keep decisions moving.
Investor-Ready Foundations: Hardening your commercial architecture and contracts for the next funding round.
I work with 3-4 leadership teams at a time. If you’re navigating AI deployment, regulatory exposure or investor scrutiny, reply directly to this email.
- Philip
Too much legal content is dull and jargon-filled. Profiles in Legal is for lawyers who want to think clearly, sound credible in the room and get promoted.
This newsletter is for general information only and does not constitute legal advice. Seek professional advice for specific situations.