Virtually every SaaS provider is coming out with some new-fangled AI-related feature or service. A vendor's introduction of AI-related services, including generative AI-related (“GenAI”) services, necessitates the inclusion of certain contract terms particular to this type of service. Because many SaaS contracts were signed prior to the current GenAI boom, enterprises that rely on AI product offerings should consider creating an AI addendum to existing contracts, i.e., contractual modifications designed to clarify AI usage, define responsibilities and mitigate legal exposure. The vendor providing the AI tool is likely to be reluctant to amend an existing agreement, but this is really about protecting the enterprise end user.

Prior Consent

While AI has the potential to enhance efficiency and automate complex tasks, it also comes with complex risks. The first issue to consider is whether the enterprise wants its software vendors to use GenAI programs in the first place. Enterprises relying on AI should have the option to understand, evaluate and control when and how AI is implemented in their platforms and services. Without clear contractual limitations, a vendor may introduce AI features that process or store sensitive data or perform critical business functions without sufficient, if any, oversight. Requiring the vendor to obtain prior consent before putting AI to work in the field ensures that its use aligns with internal policies and risk tolerance, provides an opportunity to assess compliance with relevant regulations, and prevents sensitive data from being unintentionally processed, analyzed or stored by AI tools. If an AI tool is introduced mid-contract without proper vetting, an organization could find itself exposed to unexpected risks, including regulatory violations, biased decision-making or unreliable outputs, or all three.

If it is determined that an addendum is warranted, the addendum should include language that the vendor may not use GenAI capabilities in connection with the provision of services to the enterprise or feed company data into a GenAI program. Alternatively, guardrails can be created that reflect explicitly permitted and forbidden types of uses.

Intellectual Property Ownership

Another key issue is the ownership and use of data processed by AI systems. With AI models generating insights, text, images, video and other forms of content, it is critical to establish who owns the AI-generated outputs: the vendor providing the AI-powered tools or the customer combining their original data with those tools to address customer-specific business objectives? This question raises concerns about intellectual property ownership and confidentiality. Enterprise users should ensure contracts explicitly define which party owns the AI-generated outcomes of using the vendor’s services or platforms, particularly in creative or strategic applications. At a minimum, a savvy enterprise should make sure that its vendor assigns any rights it may have in the output to the enterprise. In some cases, vendors attempt to retain certain rights to AI-generated outputs or certain types of outputs.

Training GenAI Systems with Customer Data

Closely related to data ownership are concerns over whether customer data is being used to train vendor AI models. A number of AI providers are leveraging customer data to refine and improve their own machine learning systems, sometimes without clearly disclosing this practice. In fact, there has been recent litigation on this very issue. While some organizations may be comfortable with anonymized data – if the data is being anonymized at all – being used for model improvements, other organizations cannot afford to take such risks. The use of proprietary or sensitive data to train AI models can create significant legal exposure, particularly if the AI system produces biased or inaccurate results or results in the disclosure of sensitive information. The best practice is to add language to the AI addendum that precludes the vendor from using company data to train its models, and only permits the vendor to use that data for purposes of performing its obligations under the contract. This restriction is particularly crucial in industries such as health care, finance, and legal services, where improper data use could result in data privacy breaches, compliance violations, regulatory penalties or breaches of confidentiality.

Indemnification and Limitation of Liability

Another crucial aspect of AI-related vendor agreements is who will be liable in the event that a claim is made regarding intellectual property infringement. Large language models are trained using massive amounts of publicly available data, much of which may be subject to copyright. AI-generated outputs may infringe third-party copyright or other intellectual property rights. Companies should seek indemnification clauses that protect them from lawsuits or regulatory penalties arising from, for example, third-party IP infringement claims based on a violation of applicable law resulting from the use of the AI model as authorized by the vendor. Without such protections, companies may find themselves exposed to significant risks without recourse against the vendor.

Compliance with AI-Related Laws

Beyond data usage, organizations must also ensure vendors remain compliant with evolving AI-related laws and regulations. The legal landscape surrounding AI is rapidly changing, with governments and regulatory bodies worldwide introducing new frameworks to address concerns such as data privacy, algorithmic transparency and bias mitigation.

Given the difficulty inherent in passing comprehensive AI legislation on the federal level, states are likely to step in to fill the gap, much as they have done in the context of data privacy. The European Union has taken the lead in creating and enforcing AI rules and regulations that apply when enterprise customers exist beyond U.S. borders. Companies should ensure AI-related contract provisions mandate vendor compliance with all applicable laws and industry standards. This includes adherence to major data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as state and sector-specific laws governing AI applications in areas such as financial services, health care and employment.

Additionally, and optimally, contracts should require vendors to implement ongoing monitoring and assessments of their AI tools to ensure they remain compliant as legal standards evolve. Without these provisions, organizations could find themselves liable for AI-related regulatory infractions, even if a third party is responsible for the underlying technology.

Bias

Any vendor that touts its products as unbiased does not understand what bias is. In fact, ethical and responsible AI use is a critical area that may require explicit contractual safeguards. AI-driven decisions can be opaque, and in some cases, biased or discriminatory. As enterprises increasingly rely on AI for decision-making, vendor agreements should establish clear expectations around transparency, bias identification, mitigation and accountability. Optimally, and depending on the type of GenAI product being provided, enterprises deploying AI should include language requiring vendors to disclose information about how their AI systems operate. They should also provide explanations for automated decisions and offer mechanisms for organizations to audit outcomes. Bias identification and mitigation are particularly important in AI applications involving hiring, lending, health care and other high-stakes decision-making processes.

In Conclusion

As AI technology continues to evolve, preexisting software vendor contracts must keep pace with these changes. A well-drafted AI addendum is critical for minimizing risk and ensuring that companies maintain control over when and how their vendors employ AI solutions. These addendums should address the following considerations:

Prior consent: where and how the customer is notified of AI use and how they can opt in and opt out

Intellectual property ownership: who owns the AI-generated product created via the vendor’s tools and the company’s data and prompts

Use of company data: the circumstances under which the vendor can use company data and what the limits on that data use are

Indemnification and limitation of liability: how the customer is protected from lawsuits or regulatory penalties arising from the vendor’s design or implementation of AI

Compliance with regulations: what the vendor plans to do to comply with state or regional data regulations

Bias identification and mitigation measures: where and how the customer establishes how the vendor addresses possible bias in its AI products

By proactively addressing AI-related risks through clear contractual provisions in an AI addendum, companies can better leverage AI’s benefits while minimizing exposure to unforeseen legal and operational challenges.