AI is Reshaping Construction: Where Risks Start and How to Stay Ahead

Artificial intelligence integration is accelerating from pilot projects to day-to-day use across the construction industry. Owners, contractors, design professionals and subcontractors are using AI to support design review, cost estimating, scheduling, safety planning, document management, and project analysis. These tools can improve efficiency and speed, but they also create meaningful legal, compliance, and operational exposure. For construction companies, the question is no longer whether AI is being used. It is whether the business understands where AI-related risk begins, how that risk is allocated by contract, and what controls are in place before problems turn into claims, regulatory scrutiny, or avoidable project losses.

AI systems operate through a combination of data, models, and user inputs, and risk can arise at each stage. Businesses that want to use AI effectively must understand where those risks begin, how they move through the system, and where human review is needed before an AI-assisted output is used in a construction decision.

Where AI Risk Starts: Data, Models and User Behavior

The first source of risk is the data used to train or operate AI systems. That data may be incomplete, inaccurate, biased, or taken from sources the user does not control. If the data is flawed, the output will reflect those flaws. In a construction setting, those errors can affect design review, quantity takeoffs, cost estimates, schedule assumptions, safety planning, or claims analysis.

Data also raises ownership, confidentiality, and privacy concerns. If an AI system is trained on third-party material, or if users input proprietary project information, internal strategy documents, claims materials, or personal information, that use may expose the business to misuse claims, confidentiality breaches, privacy issues, or loss of trade secret protection.

The model itself creates a second layer of risk. Many AI systems operate in ways that are difficult to explain, test, or validate from the user’s perspective. Users may not understand how the system reached a result, whether it relied on sound inputs, or when it is likely to fail. If a business relies on a model without testing its limits, documenting acceptable use cases, or defining review checkpoints, it may deploy the tool in ways that create unexpected exposure.

The third—and often most immediate—source of risk is user behavior. Employees may input sensitive information into AI tools without understanding how those tools store, retain, or reuse that data. In open or third-party systems, that information may be preserved, disclosed, or used to improve the model. For construction companies, that can mean disclosure of proprietary means and methods, pricing data, bid strategy, design details, dispute analysis, or other confidential project information.

Risks Are Tied to AI Outputs

AI output creates its own set of concerns. Users may rely on results without checking their accuracy, assumptions, or fitness for the task. In construction, that risk can affect key areas such as:

• Design validation and coordination
• Cost estimating and bid review
• Schedule development and delay analysis and
• Safety compliance, incident review, and claims evaluation.

The output may also include content that reflects third-party intellectual property. If a business uses that output as its own work product without review, it may face claims for infringement. Even when no claim arises, uncertainty about how the output was created may make it difficult to establish ownership or defend the work later.

Another concern is overreliance. AI tools can produce detailed and confident responses that appear correct. But without human review, people may accept those results too quickly. This creates risk not only for errors but also for failures in professional judgment.

Internal and External Exposure

AI risks exist within the company and through outside relationships. Internally, businesses may use AI to support hiring, project analytics, design development, estimating, schedule analysis, and management decisions. These uses can improve efficiency, but AI-assisted decisions should be subject to human oversight, especially when they affect safety, cost, schedule, employment, or professional judgment.

Externally, many vendors now include AI in their platforms, particularly in cloud-based systems. Construction companies often rely on these tools without fully understanding how they use data. They must ask whether their data is used to train models, how outputs are generated, and who owns the results.

Where a vendor provides AI-driven tools or services to clients, the risk increases. In those situations, the vendor may face exposure not only for its own use of AI, but also for how customers rely on the output. From the construction company’s perspective, that makes contract drafting and vendor diligence critical, particularly with respect to confidentiality, ownership, performance disclaimers, indemnity, and limits of liability.

A Fragmented and Evolving Legal Landscape

The legal framework for AI remains fragmented, with most current activity occurring at the state and local level rather than through a single federal law. For construction companies that operate across jurisdictions—or work with national vendors—this creates a patchwork of requirements that can be difficult to track and apply in practice.

At the federal level, there is still no comprehensive statute that governs artificial intelligence. Instead, the current approach relies on executive action and agency guidance. Recent executive orders have shifted the focus toward promoting innovation and competitiveness in AI, rather than imposing broad, prescriptive regulation. As a result, federal agencies have not yet adopted uniform rules that apply across industries, including construction.

That said, guidance from the National Institute of Standards and Technology (NIST) continues to serve as a key reference point. The NIST AI risk management framework outlines best practices for governance, risk assessment, and oversight. While it is not binding, many organizations treat it as a benchmark for responsible AI use, and it may influence how regulators and courts evaluate conduct over time.

State Regulations Governing AI Use

In the absence of federal legislation, states have begun to fill the gap.

California has taken an early lead, though it does not have a single comprehensive AI statute. Instead, it has adopted a series of targeted laws. One example is the AI Transparency Act, which requires labeling of AI-generated content and provides mechanisms to assess whether content is machine-generated when labeling is not clear. California has also expanded its privacy regime through regulations tied to the California Consumer Privacy Act (CCPA). These rules address automated decision-making technology and require notice to individuals when AI is used in certain contexts, particularly in employment-related decisions. They also provide rights to access information about how those decisions are made and, in some cases, to opt out.

Colorado has also enacted legislation in this area, focusing on automated decision-making tools used for consequential decisions. While earlier versions of Colorado law were broader, the current framework narrows its focus to developers and deployers of these systems. As a result, many construction companies may not be directly affected unless they are actively using AI in ways that drive significant decision-making, particularly in areas like workforce management.

Connecticut has taken a broader approach with its recently enacted AI Responsibility and Transparency Act. This law applies across three categories: developers, integrators and deployers—and places obligations on each group. The law rolls out in phases. Initial requirements include risk management, governance measures and impact assessments. It also makes clear that use of AI is not a defense to discrimination claims. Future phases will add requirements for employee notice in hiring decisions and labeling of AI-generated content.

Texas has adopted a more limited approach. Its Responsible Artificial Intelligence Governance Act focuses on prohibiting certain uses of AI rather than creating broad compliance obligations. For most construction firms, the direct impact of the Texas law is likely to be less significant than in states with more detailed regulatory schemes.

Keep in mind, local regulation is also developing. New York City has been a leader in this space with its automated employment decision tool law. That law regulates AI use in hiring and promotion decisions and requires bias audits, notice to candidates and transparency around how decisions are made. Importantly, it applies based on where the job or candidate is located. This means that a construction company headquartered elsewhere may still be subject to the law if it hires for roles tied to New York City.

One notable feature across many of these state and local laws is that they do not yet provide a broad private right of action. Instead, enforcement typically rests with state attorneys general or local regulators. However, this does not eliminate risk. Existing legal frameworks—such as anti-discrimination laws, consumer protection statutes and privacy regimes—remain in place and may be used to challenge the use of AI.

The overall trend is clear. Regulation will continue to expand, particularly in areas involving automated decision-making, data use, transparency, and employment-related AI. For construction companies, the practical takeaway is equally clear: AI should be treated as both a business opportunity and a legal-risk issue. Companies that identify their use cases, control their data, tighten their contracts, and define review responsibilities now will be better positioned to capture value from AI without absorbing avoidable liability later.

Core Legal Theories of Liability

Even without a comprehensive AI statute, businesses face exposure under existing legal theories. For construction companies, these claims are likely to arise through ordinary project activity, vendor relationships, employment decisions, and the handling of sensitive business information.

Contract risk plays a central role. Agreements with software vendors, consultants, subcontractors, and clients may not fully address whether AI is permitted, how project data may be used, who owns inputs and outputs, or how risk is allocated if an AI-assisted deliverable is wrong. Poorly drafted terms can leave a company responsible for losses tied to tools it does not control.

Reliance-based claims may also arise where others act on AI-assisted outputs. If a client, project team member, or internal decision maker relies on AI-driven analysis, recommendations, summaries, or forecasts and suffers harm, the company may face claims tied to that reliance, particularly if the output was used without appropriate review or qualification.

Trade secret loss remains a key risk. If employees input proprietary pricing, means and methods, internal legal analysis, dispute strategy, or other protected information into AI systems without safeguards, that information may lose protected status or be exposed in ways that damage the business and create follow-on claims.

Negligence claims present another area of concern. If a firm uses AI in a way that falls below what is viewed as reasonable practice, fails to validate a material output, or allows AI-assisted recommendations to drive decisions without appropriate professional review, it may face liability for resulting harm.

Data Control Drives Risk Management

Data is central to every AI-related risk. Construction firms handle valuable information, including pricing data, design plans, schedules, and proprietary methods. Feeding that information into AI systems without proper controls can lead to loss of ownership or misuse.

People should understand how each AI tool handles data. They should review whether vendors use that data for training, whether it is stored securely, and whether it remains confidential. Ownership of output should also be clear. Without clear terms, companies may not control the results generated by these systems.

Tracking inputs and outputs can also play an important role. Logs or other tracking tools may help establish how a decision was made and who contributed to it. This can support quality control and provide a record for use in disputes.

AI and the Evolving Standard of Care

AI is beginning to shape expectations across the construction industry. As these tools become more common, the standard of care may shift. Companies that refuse to adopt widely used tools may fall behind industry practice. At the same time, firms that rely on AI without proper oversight may also face exposure.

The key challenge is balance. Companies should adopt AI where it adds value but should not rely on it without validation. Human oversight remains critical, especially in areas that affect safety or professional judgment.

This pattern is not new. Technologies such as CAD and BIM followed a similar path. Early adoption involved risk, but over time, those tools became part of standard practice. AI is likely to follow the same trajectory, which makes thoughtful adoption essential.

Practical Steps to Manage Risk

Companies can reduce AI-related risk through a practical governance framework built for construction operations, legal review, and executive oversight.

• Inventory where AI is already being used across the business, including internal tools, pilot projects, and third-party platforms embedded in estimating, scheduling, design, document management, safety, and HR workflows.
• Adopt written rules for acceptable use. Those rules should address what data may be entered into AI systems, when human review is mandatory, which use cases require legal or management approval, and which uses are prohibited.
• Train employees, project teams, and managers on both the value and the limits of AI. They should understand confidentiality risks, output validation, recordkeeping expectations, and when escalation is required.
• Update vendor diligence and contract terms. Businesses should evaluate how vendors build and test their systems, whether company data is used for training, who owns outputs, what disclaimers apply, and how indemnity, confidentiality, and liability provisions address AI-related risk.
• Establish review checkpoints for high-risk uses, especially where AI may affect safety, employment, claims analysis, design decisions, or other matters involving legal exposure or professional judgment.
• Use a recognized framework, such as the NIST AI Risk Management Framework, to structure governance, accountability, and ongoing review as tools and laws continue to evolve.

Please contact Drew Patty or any member of the Phelps Artificial Intelligence or Construction/Design teams for guidance.