With a decade of technology legal experience, Palo Alto Networks’ managing senior counsel, Christine Neptune, explains why legal must be embedded in cybersecurity from product design to customer contracts, how to write AI clauses with real teeth, and why transparency is the new trust currency in the channel.
Cass Cooper sat down with Christine Neptune, managing senior counsel at Palo Alto Networks, to explore where legal fits in modern cybersecurity. From GDPR/CCPA, data protection addendums (DPAs), and AI governance, to the practical realities of partner contracts, Neptune argues that legal is not a blocker but the thread that ties compliance, product, and customer relationships together.
A lot of partners still ask where legal fits in cybersecurity. What is legal’s role today?
Christine Neptune: Cybersecurity is no longer just IT. It is compliance, legal risk, and business continuity. Legal sits across all of it. We negotiate the deals, shape product guardrails with product and privacy counsel, and make sure customer promises are accurate and enforceable. Ideally, involve legal from cradle to completion—from product ideation through customer relationship management.
You mentioned “guardrails.” What are non-negotiables right now?
Data privacy and data protection. Know your GDPR and CCPA obligations and use a Data Protection Addendum (DPA) that spells out: what data you collect, why you collect it, who your sub-processors are, and how data flows. None of this is meant to stop innovation. It is about transparency and giving customers choices, including the ability to opt out when appropriate.
Partners are experimenting with AI, but many do not know how to add an AI clause. Where should they start?
Start by making AI a corporate priority, not an afterthought. Then put it in writing. Your AI clause should state:
- What data is collected for AI and machine learning,
- How inputs are used for model improvement,
- What will never be exposed in outputs or shared with third parties, and
- How customers can exercise rights or opt out when applicable.
This belongs in your DPA and your commercial terms. The negotiation happens here, and clarity earns trust.
What about personal use of AI versus corporate use?
There is a clear line. Individuals may use AI tools in daily life, but corporate use must follow policy. Many companies sanction a specific platform and prohibit unsanctioned tools for work content. If your company approves a platform, use it inside that controlled environment. If a tool is not sanctioned, do not paste company or customer information into it. Ask general questions only. Protect identifiers and confidential material.
So we do not need to reinvent cybersecurity because of AI?
Exactly. Extend the governance you already have—privacy by design, least privilege, vendor due diligence—to AI. Transparency, consent, data minimization, and secure processing still apply. AI raises the stakes, but the principles are familiar.
One resource you recommend for leaders who want to build smarter?
The podcast “How I Built This.” It offers practical lessons on how products and companies come together, including the messy middle that most of us operate in.
Four Practical Moves for Channel Partners
- Ship with a DPA, not afterthoughts.
Attach a clear DPA to every agreement. List data categories, purposes, retention, sub-processors, and customer choices. Consistency across deals reduces cycle time and surprises. - Publish a plain-language AI policy.
State approved tools, prohibited uses, red-line data types, and escalation paths. Train everyone. Audit quarterly. If a tool is not sanctioned, employees do not use it for work data, period. - Write an AI clause that customers can say yes to.
Cover input use, output controls, third-party sharing, model improvement boundaries, security commitments, and customer rights. Map the clause to your internal policy so legal promises match reality. - Involve legal at product kickoff.
Privacy and security by design are faster and cheaper than retrofitting. Bring legal, privacy, and security into backlog planning so requirements become features, not blockers.
