Commit cdf58ba

Update risk-mitigation.mdx (#643)
1 parent 6220d51 commit cdf58ba

1 file changed

+2
-1
lines changed

docs/workflow/implementing/risk-mitigation/risk-mitigation.mdx

Lines changed: 2 additions & 1 deletion
@@ -10,5 +10,6 @@ Experiments and Rollouts are making remote changes to the experience of live use
1010
- **Brand**: If the public, users, or press were to discover this experiment and description, could it negatively impact their perception of our brand? This includes when that perceptions is unfounded. Example: We offered recommendations in a client-side, privacy respecting way, but the method of recommending could have been misconstued. Instead of an incident, when the question came up (reddit, hackernews, etc) it was good press because we quickly pointed people to the well-written SUMO description of how we were respecting user privacy when making recommendations.
1111
- **Revenue**: Impact from changes related to Search, New Tab, Ads, Pocket, etc should follow the VP Sign-off guidance.
1212
- **Partnerships**: If a partner is involved in any way, it raises risk and you should follow the Legal sign-off guidance. A partner could also be affected indirectly, for example if search functionality or presentation is altered. Considerations can include: revenue, licensing, partner privacy policy, contractual obligations, trademark usage, etc.
13-
- **Encryption**: Encryption in your technoology is subject to export control laws and you need Legal Sign-off. Releasing to other countries could put our users at risk of criminal punishment and result in the country sanctioning our browser use. Even code shipped preffed off, could manually be activated. It is critical to NOT deliver encryption into these countries.
1413
- **Sensitive Data**: If you are using [Category 3 or 4 data](https://wiki.mozilla.org/Firefox/Data_Collection#Data_Collection_Categories) you need to work with legal and data. Follow the Legal Sign-off guidance.
14+
- **AI data use**: If your change relies on AI (e.g. ML, chatbot) in any way, it will need a legal product review.
15+
- **Encryption**: Encryption in your technoology is subject to export control laws and you need Legal Sign-off. Releasing to other countries could put our users at risk of criminal punishment and result in the country sanctioning our browser use. Even code shipped preffed off, could manually be activated. It is critical to NOT deliver encryption into these countries.
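
Review bot: The added **AI data use** bullet (new line 14) asks for "a legal product review", a term none of the neighbouring bullets use; Revenue, Partnerships, Encryption and Sensitive Data all point to named sign-off guidance ("VP Sign-off guidance", "Legal sign-off guidance", "Legal Sign-off"). Please state whether this is the same Legal Sign-off process or a separate one, and link to it the way the Sensitive Data bullet links its data categories. The bullet is titled "AI data use", but the text triggers on any reliance on AI "in any way" and never says which data use is in scope, so an experiment owner cannot tell from this line whether a change qualifies. Since the **Encryption** bullet is being moved to new line 15 anyway, this commit is a good place to fix "technoology", drop the stray comma in "Even code shipped preffed off, could manually be activated", and name or link the countries meant by "these countries", which has no antecedent in the bullet.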
