When AI makes a mistake—and it will—who pays? The answer depends largely on what you negotiated in your contract. This guide helps legal teams navigate AI-specific liability issues and negotiate appropriate risk allocation.
Executive Summary
- AI creates liability scenarios not covered by traditional software contracts
- Key risk areas: AI errors, bias/discrimination, data breaches, IP infringement, regulatory violations
- Vendor standard terms typically minimize vendor liability—negotiation is essential
- Liability caps, indemnification, and carve-outs must be tailored for AI risks
- Insurance requirements may need adjustment for AI-specific coverage
- Regulatory liability trends place responsibility on the organization that deployed the AI, regardless of vendor fault
- Document your risk allocation decisions for governance and audit purposes
- As AI regulation evolves, contract terms may need updating
Why This Matters Now
AI liability is the emerging frontier of technology contracting:
- AI makes consequential decisions at scale
- Errors can affect thousands of people simultaneously
- Bias claims are increasing
- Regulators are clarifying expectations
- Litigation is testing liability boundaries
The liability frameworks that worked for traditional software are inadequate for AI. Organizations that fail to address AI liability contractually may find themselves holding all the risk.
Definitions and Scope
Liability Cap: Maximum amount of damages a party can be held responsible for under a contract.
Indemnification: Obligation to compensate another party for losses or damages.
Limitation of Liability: Contractual provisions limiting exposure to certain types or amounts of damages.
Scope of this guide: Liability allocation in commercial AI vendor contracts—not liability for internally developed AI or consulting engagements.
AI Liability Landscape
Types of AI-Related Liability
| Liability Type | Example Scenario | Typical Responsibility |
|---|---|---|
| AI Errors | AI gives incorrect recommendation causing harm | Vendor (defect) or Customer (use case) |
| Bias/Discrimination | AI systematically disadvantages protected group | Often Customer as deployer |
| Data Breach | AI system compromised, data exposed | Shared (depends on cause) |
| IP Infringement | AI output infringes third-party copyright | Unclear, evolving law |
| Regulatory Violation | AI violates sector-specific regulations | Customer as regulated entity |
| Privacy Violation | AI processing violates PDPA | Customer as controller |
Who Bears the Risk Today?
Current reality:
- Regulators hold deploying organizations responsible
- Vendor standard contracts limit vendor liability
- Customers often bear disproportionate risk
- Insurance coverage gaps are common
What this means: If AI causes harm, you'll likely be the first call from regulators, plaintiffs, and affected parties—regardless of whether the vendor's AI was defective.
Liability Allocation Framework
Step 1: Identify AI-Specific Risks
For each AI deployment, document:
- What decisions does the AI make?
- What's the impact of incorrect decisions?
- Who could be harmed?
- What regulations apply?
- What's the worst-case scenario?
Risk register format:
| Risk | Likelihood | Impact | Owner | Mitigation |
|---|---|---|---|---|
| AI denies qualified applicants | Medium | High | Customer | Human review, audit, vendor warranty |
| AI outputs biased against protected class | Medium | Very High | Customer | Bias testing, audit rights, indemnification |
| AI data breach | Low | High | Shared | Security requirements, breach notification |
| AI infringes copyright | Medium | Medium | Unclear | IP indemnification from vendor |
Step 2: Evaluate Vendor Standard Terms
Review vendor contract for:
Liability caps:
- How is the cap calculated? (Annual fees? Total fees?)
- What's excluded from the cap?
- Is it adequate for your risk exposure?
Indemnification:
- What does vendor indemnify you for?
- What are the conditions and exclusions?
- Is AI-specific indemnification included?
Disclaimers:
- What liability does vendor disclaim?
- Are these disclaimers appropriate for AI?
Step 3: Negotiate Risk Allocation
Principles for AI liability allocation:
- Control principle: Party with more control should bear more risk
- Knowledge principle: Party with better information should bear more risk
- Benefit principle: Party benefiting more should bear proportional risk
- Insurability principle: Party better able to insure should bear risk
Application to AI:
| Risk Type | Control | Knowledge | Allocation |
|---|---|---|---|
| AI defects | Vendor | Vendor | Vendor |
| Use case design | Customer | Customer | Customer |
| Training data quality | Both | Both | Shared |
| Output accuracy | Vendor | Vendor | Vendor (with limits) |
| Regulatory compliance | Customer | Both | Customer (with vendor support) |
Key Contract Provisions
Liability Caps
Standard vendor position:
TYPICAL VENDOR CAP (unfavorable)
Vendor's aggregate liability shall not exceed the fees paid by
Customer in the 12 months preceding the claim.
Negotiated improvement:
IMPROVED LIABILITY CAP
Vendor's aggregate liability for general claims shall not exceed
the greater of:
(a) [2-3x] the annual fees paid or payable; or
(b) $[minimum floor amount]
The following are excluded from any limitation of liability:
(a) Breach of confidentiality obligations
(b) Breach of data protection obligations
(c) Indemnification obligations
(d) Gross negligence or willful misconduct
(e) Death or personal injury caused by negligence
Indemnification
Standard vendor position:
TYPICAL VENDOR INDEMNIFICATION (limited)
Vendor shall indemnify Customer against claims that the Software
infringes third-party intellectual property rights.
AI-enhanced indemnification:
ENHANCED AI INDEMNIFICATION
Vendor shall indemnify, defend, and hold harmless Customer from:
(a) Intellectual Property: Claims that the AI, including its
outputs, infringes third-party intellectual property rights
(b) AI Defects: Claims arising from defects in the AI system
that Vendor knew or should have known about
(c) Bias and Discrimination: Claims that the AI exhibited
discriminatory behavior where Vendor failed to implement
commercially reasonable bias detection and mitigation
(d) Data Breaches: Claims arising from security incidents caused
by Vendor's failure to implement agreed security measures
Indemnification Conditions:
- Customer provides prompt notice
- Vendor has control of defense
- Customer provides reasonable cooperation
- Customer doesn't admit liability without consent
Exclusions:
- Claims arising from Customer's misuse contrary to documentation
- Claims arising from Customer modifications to AI
- Claims arising from Customer-provided training data
Performance Warranties
Balanced warranty:
PERFORMANCE WARRANTY
Vendor warrants that:
(a) The AI will perform substantially in accordance with
documentation
(b) Vendor has implemented commercially reasonable measures to
detect and mitigate algorithmic bias
(c) Vendor has conducted reasonable testing of AI accuracy and
will provide accuracy metrics upon request
(d) Vendor will promptly address material performance
degradation
DISCLAIMER:
Vendor does not warrant that AI outputs will be error-free or
achieve specific accuracy in all circumstances. AI systems
are probabilistic in nature.
Compliance Support
Regulatory cooperation clause:
REGULATORY COOPERATION
Vendor shall:
(a) Provide reasonable cooperation with Customer's regulatory
compliance efforts, including responding to regulatory
inquiries within [X] business days
(b) Provide documentation sufficient for Customer to understand
AI decision-making logic for regulatory purposes
(c) Notify Customer promptly of any regulatory inquiry directly
to Vendor concerning the AI services
(d) Maintain certifications and compliance posture consistent
with representations made at contract signing
Risk Register Snippet: AI Liability Risks
| Risk | Impact | Mitigation | Contract Provision |
|---|---|---|---|
| AI produces discriminatory outputs | Regulatory fines, litigation, reputation | Bias testing, human review | Bias indemnification, audit rights |
| AI error causes financial harm | Customer losses, liability | Human oversight, accuracy SLAs | Performance warranty, remediation |
| Data breach via AI system | PDPA fines, customer losses | Security requirements | Breach indemnification, notification |
| AI infringes third-party IP | Injunction, damages | Vendor warranties | IP indemnification |
| Regulatory violation | Fines, sanctions | Compliance design | Regulatory cooperation clause |
Common Failure Modes
1. Accepting Vendor Standard Caps
Problem: Standard caps (12 months' fees) are inadequate for AI risk
Prevention: Negotiate higher caps with appropriate carve-outs
2. Missing AI-Specific Indemnification
Problem: Traditional IP indemnification doesn't cover AI bias or errors
Prevention: Explicitly include AI-specific indemnification provisions
3. Over-Reliance on Vendor Liability
Problem: Expecting the vendor to absorb all risk
Prevention: Realistic risk allocation; maintain appropriate insurance
4. Ignoring Regulatory Liability
Problem: You, not the vendor, will face the regulator
Prevention: Ensure compliance support obligations are in the contract
5. Inadequate Insurance
Problem: Traditional tech E&O may not cover AI
Prevention: Review insurance with your broker; require vendor coverage
Implementation Checklist
Risk Assessment:
- Documented AI-specific risks
- Evaluated worst-case scenarios
- Identified regulatory requirements
- Assessed current insurance coverage
Contract Review:
- Analyzed vendor standard liability terms
- Identified gaps and inadequacies
- Prepared negotiation positions
- Consulted legal counsel
Negotiation:
- Negotiated improved liability caps
- Obtained AI-specific indemnification
- Secured compliance support obligations
- Addressed carve-outs and exclusions
Documentation:
- Documented risk allocation decisions
- Filed contracts for governance review
- Updated risk register
- Communicated to relevant stakeholders
FAQ
Q: Can vendors really be held liable for AI bias?
A: Liability law is evolving, but increasingly yes. Vendors who fail to implement reasonable safeguards may face liability. However, deploying organizations often bear primary regulatory responsibility.
Q: What's a reasonable liability cap for AI contracts?
A: It depends on risk exposure. 2-3x annual fees is common for general liability. Higher caps, or no cap, are common for specific risks (data breach, indemnification).
Q: How do I ensure the vendor carries adequate insurance?
A: Require proof of coverage (certificate of insurance) and specify minimum coverage amounts. Include cyber/AI coverage requirements.
Q: What if the vendor won't accept liability for AI bias?
A: Document the gap in your risk assessment. Consider whether you have other mitigations (human review, your own testing). Factor the risk into vendor selection.
Q: How does regulatory liability work?
A: You (as deployer) are typically the regulated entity. Regulators will hold you responsible for AI you deploy, regardless of who built it. Contract terms affect your ability to recover from the vendor, not your regulatory exposure.
Disclaimer
This guide provides general information about AI liability considerations and is not legal advice. Liability allocation should be reviewed by qualified legal counsel familiar with your jurisdiction and specific circumstances.
Next Steps
AI liability allocation requires careful attention to risks that traditional software contracts don't address. Work with legal counsel to evaluate your exposure and negotiate appropriate protections.
Need help assessing AI vendor liability provisions?
Book an AI Readiness Audit to get expert guidance on risk assessment and vendor contracting.