v2.4.0

The licensing terms attached to open-source models carry compliance implications that extend beyond intellectual property law into the regulatory domain. The AISDP must document the licence under which each open-source component is used and confirm that the terms are compatible with the system’s commercial context, distribution model, and regulatory requirements.

Common licensing considerations include whether the licence permits commercial use, whether it imposes copyleft obligations that would require the organisation to open-source its own modifications or the broader system, whether it restricts the model’s use in specific domains (some model licences prohibit use in surveillance, military, or law enforcement applications), and whether the licence terms conflict with the organisation’s data processing obligations under GDPR.

Automated licence compliance scanning (as part of the CI pipeline) should cover all model dependencies, including ML framework versions, third-party libraries, and pre-trained model components. The SBOM (Software/ML Bill of Materials) generated using SPDX or CycloneDX standards documents these dependencies with their licence terms, enabling both vulnerability scanning and licence compliance checking.
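
As an added example (not code from the AISDP documentation), the check below reads a constructed CycloneDX 1.5 SBOM that lists an ML framework, a dual-licensed library, a copyleft tool and two model components, and flags every component whose licence terms are copyleft, non-commercial, use-restricted, undeclared, or unknown to an assumed organisational policy. The POLICY table, the SBOM contents and the licence name `Example-RAIL-Restricted` are all constructed placeholders, not legal determinations about any real licence.

```python
import json

# Assumed organisational policy (constructed): licence classes, not a legal determination.
POLICY = {
    "Apache-2.0": "permissive", "MIT": "permissive", "BSD-3-Clause": "permissive",
    "GPL-3.0-only": "copyleft",                   # own modifications would have to be released
    "CC-BY-NC-4.0": "non-commercial",             # incompatible with a commercial context
    "Example-RAIL-Restricted": "use-restricted",  # placeholder for a domain-restricted model licence
}

# Constructed CycloneDX 1.5 SBOM: framework, dual-licensed library, copyleft tool, two models.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "torch", "version": "2.1.0",
   "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
  {"type": "library", "name": "dual-lib", "version": "1.0",
   "licenses": [{"expression": "MIT OR Apache-2.0"}]},
  {"type": "library", "name": "gpl-tool", "version": "3.2",
   "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
  {"type": "machine-learning-model", "name": "example-vision-model", "version": "1.0",
   "licenses": [{"license": {"name": "Example-RAIL-Restricted"}}]},
  {"type": "machine-learning-model", "name": "example-lm", "version": "2.0"}]}"""

def licence_ids(component):
    """Licence identifiers declared for one component: SPDX id, free-text name or expression terms."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            # Conservative: every licence in an SPDX expression is checked, so "GPL-3.0-only OR MIT" is still reviewed.
            terms = entry["expression"].replace("(", " ").replace(")", " ").split()
            ids.extend(t for t in terms if t not in ("AND", "OR", "WITH"))
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name") or "UNDECLARED")
    return ids or ["UNDECLARED"]  # a component shipped without licence metadata is itself a finding

def assess(sbom, policy=POLICY):
    """Map 'name@version' to the licence findings that need documenting or legal review."""
    findings = {}
    for comp in sbom.get("components", []):
        issues = []
        for lic in licence_ids(comp):
            cls = policy.get(lic, "unknown")  # unknown terms go to the Legal and Regulatory Advisor
            if cls != "permissive":
                issues.append(f"{lic}: {cls}")
        if issues:
            findings[f"{comp['name']}@{comp.get('version', '?')}"] = issues
    return findings

def check_sample():
    return assess(json.loads(SBOM_JSON))  # non-empty result: fail the CI job and record the review
```

Each flagged entry corresponds to one row of the per-component licence compatibility assessment, with the unknown and use-restricted cases being the ones that go to legal review.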

Where licence terms are ambiguous or potentially incompatible, the Legal and Regulatory Advisor should review the specific provisions and document the organisation’s interpretation and risk acceptance. This analysis is retained in the evidence pack as part of the IP and Licensing Analysis artefact.

Key outputs

  • Licence compatibility assessment per open-source component
  • SBOM with licence terms
  • Legal review of ambiguous licence provisions (where applicable)