By the Shadow AI Policy team
**Real estate firms are walking into AI governance blind — and the exposure isn't theoretical.** This post covers the five areas where AI use creates the sharpest legal and compliance risk for real estate companies: how to restrict client PII and financial data inputs, what your policy needs to say about MLS data, why AI-generated property descriptions are a fair housing liability, how to handle transaction documents, and how to extend your policy to agents and contractors who aren't W-2 employees.
The biggest AI risk in real estate isn't a data breach from a hacker — it's an agent pasting a buyer's financial profile into a free AI chatbot to draft a pre-approval summary. Your policy needs to name that scenario explicitly, not just prohibit "sensitive data" in the abstract.
Real estate transactions generate a dense collection of personally identifiable information: Social Security numbers, tax returns, bank statements, credit reports, employment records, and purchase history. Much of this lands in an agent's inbox or CRM well before a deal closes. The risk is that employees or agents paste this data into general-purpose AI tools — ChatGPT, Claude, Gemini — that are not covered by a data processing agreement and that may use submitted content to train future models.
Your policy needs to do three things on this point. First, create an explicit prohibited data list — not just a vague reference to "sensitive information." Second, specify which AI tools are approved for which data tiers. Third, require that any AI tool handling client financial data be covered by a signed Data Processing Agreement (DPA) that prohibits training on your data. Most consumer-tier AI tools don't offer this by default; you need the enterprise or API version.
A practical data tiering approach for real estate looks like this:
| Data Type | Examples | Approved AI Use | Prohibited AI Use |
|---|---|---|---|
| Tier 1 — Public | Neighborhood data, public listing info, market reports | Any approved tool | None |
| Tier 2 — Internal | Agent notes, internal commission records, draft contracts | Approved tools with DPA only | Consumer-tier AI tools |
| Tier 3 — Client PII | SSNs, tax returns, bank statements, credit scores | Prohibited without explicit compliance review | All general-purpose AI tools |
| Tier 4 — Protected Class Data | Race, religion, familial status (even inferred) | Never — input or output | All AI tools |
Under the California Consumer Privacy Act (CCPA/CPRA), real estate firms serving California consumers must disclose how personal information is processed by third-party vendors — which includes AI tools. Sharing client PII with a non-contracted AI tool without disclosure isn't just a policy gap; it's a potential CCPA violation. If your firm operates in multiple states, check whether your states have enacted similar consumer privacy laws, as many have since 2023.
MLS data isn't public data. Access to MLS feeds is governed by licensing agreements with the regional MLS, and those agreements typically restrict how the data can be used, redistributed, and processed. Using MLS listing data as input to train, fine-tune, or feed a third-party AI tool almost certainly violates your MLS subscriber agreement — but most agents and brokers haven't thought about it in those terms.
The practical risk: an agent exports a bulk listing dataset to feed into an AI analysis tool to spot pricing trends. The MLS agreement prohibits redistribution to third parties. The AI vendor's terms classify submitted data as user-provided content, which may be stored on their servers. You've now transferred MLS-licensed data to an unauthorized third party. Your policy needs to explicitly name MLS data as a restricted data type and require that any AI tool consuming MLS data be reviewed against your subscriber agreement before use.
Some AI-integrated tools are built specifically for real estate and have MLS data agreements in place — Zillow's internal tools, certain CRM platforms. If your firm uses these, document that the vendor has the appropriate data agreements and note approved use cases. Don't assume that because a tool is marketed to real estate professionals, it's compliant with your specific MLS agreement.
This is the area where real estate firms face the most immediate legal exposure from AI use, and it's the one most likely to go unaddressed in a generic AI policy.
The Fair Housing Act (42 U.S.C. § 3604) prohibits making, printing, or publishing any notice, statement, or advertisement that indicates a preference, limitation, or discrimination based on race, color, religion, sex, familial status, national origin, or disability. Courts and HUD have interpreted this broadly — including in advertising copy and property descriptions. An AI-generated description that uses coded language ("quiet, family-oriented neighborhood," "walking distance to churches," "great for young professionals") can trigger fair housing scrutiny even if the agent didn't intend discrimination.
Every AI-generated property description must be reviewed by a human before publication. This isn't optional due diligence — it's a required step in your policy, with the reviewing agent's name logged for the record.
Your policy should require that:
HUD's Office of Fair Housing and Equal Opportunity has pursued advertising discrimination cases for decades. The fact that an AI generated the language is not a legal defense — your firm published it. For a deeper look at how shadow AI use creates compliance blind spots, see our overview of what shadow AI is and why it matters for compliance teams.
Purchase agreements, closing disclosures, title documents, and mortgage paperwork contain some of the most sensitive data your firm handles. AI tools are increasingly used to summarize contracts, extract key dates, and draft addenda — all useful functions that carry real risk if the wrong tool is used.
The core policy requirement here is straightforward: no transaction document — draft or final — goes into an AI tool that isn't covered by a DPA, and no AI-generated contract language goes out to a client without attorney or broker review. The second rule matters because AI tools hallucinate. A clause that looks legally coherent may misstate contingency terms, deadlines, or legal requirements in your jurisdiction. An agent sending an AI-drafted addendum to a client as if it were reviewed legal language creates both liability and professional licensing risk.
For firms using platforms like Dotloop, SkySlope, or similar transaction management systems that are building AI features into their products, review whether those AI features are covered by your existing vendor agreement, or whether they require a new or updated DPA. Don't assume that because the platform is approved, the new AI feature is automatically approved under your existing policy.
If your firm uses e-signature platforms or document automation tools, this is also covered in our AI acceptable use policy template guide, which includes document handling provisions you can adapt.
Most real estate agents are independent contractors, not employees. This creates a genuine policy enforcement gap: your AI acceptable use policy, if written only for employees, doesn't legally bind your 1099 agents. But those agents are accessing your MLS feeds, handling your clients' financial data, and publishing listing descriptions under your brokerage's license.
The solution is to build AI policy requirements into your independent contractor agreements and your agent onboarding documentation. This doesn't require a lengthy addendum — a two-page AI use annex that defines approved tools, prohibited data inputs, and required review steps for AI-generated content is sufficient. Require agents to sign it as a condition of MLS access under your brokerage.
Your policy extension for agents and contractors should cover:
Brokerages are liable for the actions of their agents in most states under the doctrine of respondeat superior, even for independent contractors in some contexts. Don't let the contractor classification be a reason to skip the policy extension — it's exactly the gap regulators will look for. To put together a policy that covers both employees and contractors in one document, you can generate a tailored policy kit that addresses the specific structure of your firm.
About Shadow AI Policy: We build AI acceptable use policy tools for HR and operations teams at 50–500 person companies. We publish guides on shadow AI, acceptable use policies, and AI governance, updated as regulations and AI tools change.
No general-purpose consumer AI tool — free ChatGPT, Claude.ai, Gemini — is safe for client PII or financial data without a signed Data Processing Agreement (DPA) that explicitly prohibits training on your data. Enterprise tiers of these same tools often do offer DPAs, but you need to contract for that tier specifically. The practical standard: if you can't point to a signed DPA from the vendor, treat the tool as off-limits for anything beyond Tier 1 public data. Platform-native AI features in your existing real estate software may already be covered by your vendor agreement — check before assuming.
Yes. The Fair Housing Act (42 U.S.C. § 3604) applies to any published statement or advertisement related to the sale or rental of housing, regardless of how it was produced. If your brokerage publishes an AI-generated description that contains language suggesting a preference for or against a protected class — even unintentionally — you're the publisher and you're liable. The fact that an AI tool produced the language is not a legal defense HUD or a court will accept. Every AI-generated description needs human review against HUD's fair housing advertising guidelines before it goes live.
Yes, but only if you make it a condition of their contractor relationship. An AI acceptable use policy that covers only W-2 employees doesn't automatically bind 1099 agents. You need to add AI use requirements to your independent contractor agreements or agent onboarding documents and require agents to sign them as a condition of brokerage-sponsored MLS access. Brokerages can face liability for agent conduct in many states, so treating independent contractor status as a reason to skip policy coverage creates real legal exposure.
Yes, with the right guardrails. AI summarization of contracts and extraction of key dates and terms is a legitimate use case — but only with tools that have signed DPAs prohibiting training on your data, and only with a human review step before any AI-extracted information is acted on or sent to clients. Never send AI-drafted contract language to a client as if it's been reviewed without actually having a licensed broker or attorney check it. AI tools hallucinate specific terms, deadlines, and legal requirements, and a misstatement in a real estate contract can create significant liability.