AI Indemnities Won’t Protect Your Code

  • Writer: Giuliana Bruni
  • Sep 11
  • 2 min read

Enterprises are embracing AI assistants to move faster, but indemnity is not a substitute for good governance. OpenAI’s business terms set clear limits: “This indemnity does not apply where: (i) Customer or Customer’s End Users knew or should have known the Output was infringing or likely to infringe… (vi) the allegedly infringing Output is from content from a Third Party Offering.” (OpenAI, 2025) In short, if your controls are weak, the indemnity may not apply when you need it most.


Recent research shows LLMs can reproduce existing open source with notable similarity, creating licence and provenance exposure, not just security issues. A 2025 study by Oscar Enrique Goñi, PhD, scanned 10,000 instances of LLM-generated code against the SCANOSS knowledge base and found ~30% had matches at a 10% similarity threshold, with >1% still matching at a 30% threshold, evidence that undeclared open source can slip into production as a result of gen-AI.


Regulators and standards bodies stress transparency and provenance: the EU AI Act has entered the Official Journal, and NIST’s Generative AI Profile extends the AI Risk Management Framework with concrete controls for generative systems.


Here is how exclusions could play out in real life. A senior engineer merges a 12-line AI suggestion that replicates a GPL-licensed snippet. Safety filters were off. A contractor later fine-tunes with code they don’t own. Weeks on, the snippet ships inside a proprietary SDK. That chain hits four exclusions: knew/should have known, ignored safety features, no rights to inputs, combined with other products.


This is where SCANOSS fits. It scans your source at file and snippet level, matches fragments against the SCANOSS knowledge base, and returns origin, licence, version and known issues. That means undeclared open source is detected even when AI reproduces only small pieces of code, and legacy components are flagged before they ship. The same engine runs as a fast check in IDEs and pull requests, so only real conflicts block a merge, and it can enrich SBOMs so provenance is recorded without manual effort.


Imagine that same scenario with SCANOSS. A pull request adds a 12-line snippet. The SCANOSS check finds a high-similarity match to a GPL-licensed project and fails the merge with a clear licence conflict. The developer replaces the snippet with a permissive alternative, the PR passes, and the pipeline emits an updated SBOM plus AI-attribution fields. This all happens inside normal DevSecOps scanning so delivery speed is unchanged.


If you want to show exactly what matched and why, open the SCANOSS Code Compare. It displays your snippet side-by-side with the upstream source, shows similarity, licence and version, and lets reviewers record a decision (include / omit / replace) that persists across future scans—useful for audit and faster re-reviews.
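As an added example (not SCANOSS's own code or output format), here is a merge gate in the spirit of the pull-request check and the Code Compare decisions described above: it reads constructed snippet-match results, blocks on copyleft matches above a similarity threshold, and honours recorded reviewer decisions so a re-review does not reopen settled findings. The JSON shape, the licence policy set and the decision semantics (include / omit / replace) are assumptions made for this illustration.

```python
import json

# Constructed, simplified snippet-match results for one pull request. This shape is an
# assumption for illustration only, not the real SCANOSS output schema.
SCAN_RESULTS_JSON = """[
  {"file": "src/util/parse.c", "lines": "40-51", "similarity": 0.92,
   "component": "example-parser", "version": "2.3.1", "license": "GPL-2.0-only"},
  {"file": "src/net/retry.go", "lines": "10-18", "similarity": 0.35,
   "component": "example-backoff", "version": "1.0.0", "license": "MIT"},
  {"file": "src/crypto/hmac.py", "lines": "5-30", "similarity": 0.88,
   "component": "example-hmac", "version": "0.9.0", "license": "AGPL-3.0-only"}
]"""

# Licences this policy treats as a conflict inside a proprietary SDK (a policy choice, not exhaustive).
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
            "AGPL-3.0-only", "AGPL-3.0-or-later"}
SIMILARITY_THRESHOLD = 0.30  # below this a match is reported but does not gate the merge

# Reviewer decisions recorded on earlier scans, keyed by (file, component) so they
# persist across re-reviews. Constructed sample; the semantics are an assumption:
# "include" accepts the match, "omit" marks it not applicable, "replace" means the
# snippet must be gone before the PR can merge.
PRIOR_DECISIONS = {("src/crypto/hmac.py", "example-hmac"): "replace"}


def evaluate_match(match, decisions):
    """Return (verdict, reason) for one snippet match; verdict is 'pass' or 'block'."""
    if match["similarity"] < SIMILARITY_THRESHOLD:
        return "pass", "below similarity threshold"
    decision = decisions.get((match["file"], match["component"]))
    if decision in ("include", "omit"):
        return "pass", f"reviewer decision: {decision}"
    if decision == "replace":
        return "block", "snippet still present after 'replace' decision"
    if match["license"] in COPYLEFT:
        return "block", f"licence conflict: {match['license']} from {match['component']} {match['version']}"
    return "pass", f"permissive licence {match['license']}"


def gate_pull_request(results_json, decisions):
    """Evaluate every match; return (merge_allowed, findings) for the CI log and SBOM step."""
    findings = []
    for m in json.loads(results_json):
        verdict, reason = evaluate_match(m, decisions)
        findings.append({**m, "verdict": verdict, "reason": reason})
    return all(f["verdict"] == "pass" for f in findings), findings


if __name__ == "__main__":  # non-zero exit status fails the merge check in CI
    raise SystemExit(0 if gate_pull_request(SCAN_RESULTS_JSON, PRIOR_DECISIONS)[0] else 1)
```

Once the developer swaps the GPL snippet for a permissive alternative and a reviewer records the decision, the same gate passes without re-litigating the earlier findings.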


Use AI smarter, not less: add invisible guardrails and evidence. Review the AI Management use case and request a demo.