Key AI Contract Clauses: What to Negotiate and What to Avoid

AI contracts differ fundamentally from traditional software agreements. Data rights, model training, performance guarantees, and liability allocation require specific attention. This guide helps legal and procurement teams navigate AI-specific contract provisions.

Executive Summary

• AI contracts require clauses traditional software agreements don't cover: data training, model ownership, algorithmic transparency
• Data rights are often the most contentious issue—vendors want training data; you want protection
• Performance guarantees are tricky for AI—accuracy varies; avoid unrealistic commitments
• Liability allocation for AI errors and bias is evolving—protect yourself now
• Audit rights become more important when AI makes consequential decisions
• Exit provisions must address data return, model ownership, and transition assistance
• Singapore/Malaysia PDPA compliance requirements should be explicitly addressed
• Don't accept vendor standard terms without review—AI provisions are often vendor-favorable

Why This Matters Now

AI contracts are written in an environment of rapid change and legal uncertainty:

• Regulatory requirements are evolving
• Liability frameworks are still developing
• Vendor leverage is high in hot markets
• Standard terms favor vendors

Accepting vendor contracts without negotiation leaves you exposed to risks that may only materialize years later.

Definitions and Scope

Master Service Agreement (MSA): The overarching contract governing the vendor relationship.

Data Processing Agreement (DPA): Addendum governing personal data handling per privacy regulations.

Service Level Agreement (SLA): Specific performance commitments with remedies for failure.

Scope of this guide: Key contract provisions for AI software/platform procurement—not custom development or consulting agreements.

Key Contract Clauses

1. Data Rights and Ownership

The issue: Who owns the data you provide? Can the vendor use it to train their AI? What happens to derived insights?

What vendors want:

• Broad license to use your data
• Right to use data for model training
• Ownership of derived insights and models
• Minimal restrictions on data use

What you should negotiate:

DATA RIGHTS - CUSTOMER FAVORABLE LANGUAGE

Customer Data Ownership
Customer retains all right, title, and interest in and to Customer 
Data. Vendor acquires no ownership rights to Customer Data.

Limited License
Vendor is granted a limited, non-exclusive license to use Customer 
Data solely for the purpose of providing the Services to Customer.

Model Training Restrictions
Customer Data shall not be used to train, improve, or develop 
Vendor's AI models, machine learning algorithms, or services for 
any third party without Customer's express written consent.

Data Segregation
Customer Data shall be logically segregated from data of other 
vendor customers and shall not be commingled.

Red flags to avoid:

• "Vendor may use Customer Data for any lawful purpose"
• Automatic consent to model training
• Vendor ownership of "insights" or "derived data"
• Unlimited sublicensing rights

2. Model Training and Learning

The issue: Does the AI learn from your data? Who owns improvements? Can you benefit from collective learning?

Key provisions:

MODEL TRAINING PROVISIONS

Opt-Out Rights
Customer shall have the right to opt out of any collective learning 
or model improvement programs at any time by written notice.

Notification Requirements  
Vendor shall notify Customer no less than 30 days in advance of any 
changes to data processing practices related to model training.

Benefit of Improvements
If Customer participates in model improvement programs, Customer shall 
receive access to improvements without additional charge.

Audit Rights
Upon request, Vendor shall provide documentation of how Customer Data 
has been used in any model training activities.

3. Performance and Accuracy Commitments

The issue: AI performance varies. Vendors resist hard guarantees. You need some accountability.

Balanced approach:

PERFORMANCE PROVISIONS

Performance Metrics
Vendor commits to the following performance targets:
- System availability: 99.5% uptime (excluding scheduled maintenance)
- Processing accuracy: [X]% accuracy on [defined test set]
- Response time: [X] seconds average for [defined operations]

Measurement and Reporting
Vendor shall provide monthly performance reports including accuracy 
metrics measured against Customer-provided ground truth data.

Performance Remediation
If accuracy falls below [X]% for any rolling 30-day period, Vendor shall:
(a) Investigate and provide root cause analysis within 10 business days
(b) Implement remediation plan within 30 days
(c) If not remediated, Customer may terminate without penalty

Performance Credits
For availability below 99.5%, Customer shall receive service credits 
per the following schedule: [schedule]

Avoid:

• Guarantees of specific accuracy without defined test methodology
• Vague commitments ("commercially reasonable accuracy")
• No accountability for performance degradation

4. Confidentiality and Data Protection

The issue: AI processing raises unique confidentiality concerns. Traditional confidentiality clauses may not cover AI-specific risks.

Enhanced provisions:

AI-SPECIFIC CONFIDENTIALITY

Prompt and Input Protection
Customer prompts, queries, and inputs to the AI system are 
Confidential Information and shall not be stored, logged, or 
used beyond the immediate processing purpose without consent.

Output Confidentiality
AI outputs generated from Customer Data are Customer's 
Confidential Information and shall be treated accordingly.

Inference Protection
Vendor shall not use Customer Data or patterns derived from 
Customer's use of the Services to make inferences about 
Customer's business, strategies, or operations.

5. Liability and Indemnification

The issue: Who's responsible when AI makes errors, causes harm, or exhibits bias?

Key provisions:

LIABILITY PROVISIONS

AI-Specific Indemnification
Vendor shall indemnify, defend, and hold harmless Customer from 
claims arising from:
(a) Violation of third-party intellectual property rights by the AI
(b) Bias or discrimination in AI outputs where Vendor failed to 
    implement commercially reasonable safeguards
(c) Data breaches caused by Vendor's failure to implement 
    appropriate security controls

Limitation of Liability Carve-Outs
The following are excluded from any limitation of liability:
(a) Indemnification obligations
(b) Breach of confidentiality or data protection obligations
(c) Gross negligence or willful misconduct
(d) Infringement of intellectual property rights

Minimum Liability Cap
Vendor's aggregate liability shall not be less than [X times] 
the annual fees paid or payable in the year in which the 
claim arises.

See (/insights/ai-liability-contracts-allocating-risk) for detailed AI liability guidance.

6. Audit Rights

The issue: AI decisions may need explanation for regulatory, legal, or business reasons.

Audit provisions:

AUDIT RIGHTS

Security Audit
Upon reasonable notice, Customer or its designated third party 
may audit Vendor's security practices no more than once per year. 
Vendor shall provide reasonable cooperation and access.

Algorithmic Audit
Upon request, Vendor shall provide documentation of AI decision-making 
logic, training data sources, and testing methodology sufficient for 
Customer to understand how outputs are generated.

Regulatory Cooperation
Vendor shall cooperate with audits or inquiries from Customer's 
regulators regarding the AI services, at no additional charge.

7. Exit and Transition

The issue: What happens to your data and access when the contract ends?

Exit provisions:

TERMINATION AND TRANSITION

Data Return
Upon termination, Vendor shall, at Customer's election:
(a) Return all Customer Data in a standard, usable format; or
(b) Securely delete all Customer Data and certify deletion

Transition Assistance
Vendor shall provide transition assistance for up to 90 days 
following termination notice, at then-current hourly rates.

Data Portability
Customer Data shall be returned in [specific format] compatible 
with common industry systems.

Model Export
Where technically feasible, Customer shall have the right to 
export any custom-trained models developed using Customer Data.

8. IP Ownership for AI Outputs

The issue: Who owns content generated by AI using your prompts and data?

Clarity provisions:

INTELLECTUAL PROPERTY - AI OUTPUTS

Output Ownership
AI outputs generated in response to Customer prompts and using 
Customer Data are owned by Customer. Vendor retains no rights 
to specific outputs.

No Conflicting Grants
Vendor shall not grant any third party rights to outputs that 
conflict with Customer's ownership.

Input Ownership
Customer retains all rights to prompts, inputs, and training 
data provided to the AI system.

Policy Template: AI Contract Review Checklist

AI CONTRACT REVIEW CHECKLIST

Data Rights
□ Customer owns Customer Data
□ Model training restrictions in place
□ Data segregation requirements
□ Clear license scope and limitations

Security and Privacy
□ Encryption requirements specified
□ Access control requirements
□ PDPA compliance addressed
□ Data breach notification timeline
□ Sub-processor requirements

Performance
□ Accuracy/performance metrics defined
□ Measurement methodology specified
□ Remediation obligations
□ SLA credits

Liability
□ Indemnification for AI-specific risks
□ Appropriate liability cap
□ Carve-outs from limitations
□ Insurance requirements

Audit and Compliance
□ Security audit rights
□ Algorithmic explanation rights
□ Regulatory cooperation obligations

Exit
□ Data return provisions
□ Deletion certification
□ Transition assistance
□ Data portability format specified

Common Failure Modes

1. Accepting Vendor Standard Terms

Problem: Vendor contracts protect vendor interests Prevention: Review and negotiate every AI contract

2. Vague Data Rights

Problem: Ambiguous language leaves data rights unclear Prevention: Explicit, specific language on all data use

3. Unrealistic Performance Guarantees

Problem: AI can't guarantee specific outcomes Prevention: Reasonable commitments with defined measurement

4. Inadequate Exit Planning

Problem: Locked in with no practical exit Prevention: Negotiate data portability and transition assistance upfront

5. Ignoring Regulatory Evolution

Problem: Contract doesn't accommodate changing requirements Prevention: Regulatory cooperation clauses, flexibility for changes

FAQ

Q: Can we really negotiate with large AI vendors? A: Yes, especially for significant deals. Even standard terms have flexibility. Document what you request even if not obtained.

Q: What's a reasonable liability cap for AI contracts? A: Typically 1-3x annual fees for general liability. Higher for data breaches and indemnification. Uncapped for certain carve-outs.

Q: How do we handle AI contracts under PDPA? A: Ensure DPA is in place, data residency requirements are met, and vendor commits to supporting data subject requests.

Q: Should we require source code access? A: Generally not feasible for commercial AI. Focus on explainability, audit rights, and data access instead.

Q: What about AI-generated content ownership? A: Specify that outputs generated from your prompts/data belong to you. Vendor should not claim rights.

Q: How do we address potential AI bias in contracts? A: Include representations that vendor implements bias monitoring, indemnification for bias-related claims, and audit rights.

Disclaimer

This guide provides general information about AI contract provisions and is not legal advice. Contract terms should be reviewed by qualified legal counsel familiar with your jurisdiction and specific circumstances.

Next Steps

AI contracts require careful attention to provisions that traditional software agreements don't address. Don't accept vendor standard terms without negotiation. Protect your data rights, ensure appropriate liability allocation, and plan for exit.

Need help reviewing AI vendor contracts?

Book an AI Readiness Audit to get expert guidance on vendor negotiation and contract review.

References

• IAPP: "Contracting for AI Services"
• Gartner: "AI Contract Provisions Checklist"
• World Economic Forum: "Model AI Governance Framework"
• Singapore IMDA: "Model AI Governance Framework"