What the default AI vendor contract actually says
The default AI vendor contract — the terms of service or master services agreement that comes out of the vendor's legal team — is designed to protect the vendor. The typical provisions: no warranty that the AI will produce accurate outputs; limitation of liability that caps the vendor's exposure at one month's fees (often far less than the cost of an AI failure); no obligation to notify you of significant changes to the AI model; broad rights to use your data to improve their systems; and an indemnification structure that protects the vendor from your third-party claims while leaving you exposed.
None of this is surprising — vendors write contracts to protect themselves. What is surprising is how many businesses sign these contracts without modification, in contexts where the AI failure risk is material.
The five clauses you need
AI incident notification: the vendor must notify you within 24 hours of any AI system failure, security incident, data breach, or significant performance degradation affecting your use of the system. This is not in the standard contract. Without it, you may be the last to know about an AI problem that is affecting your customers.
Model change notification: the vendor must give you at least 30 days' written notice before making significant changes to the AI model — including changes to training data, model architecture, or outputs that may affect performance. AI vendors routinely update their models without notifying customers. If you are relying on the AI's performance in a regulated context, a model change without notice can cause unexpected compliance failures.
Audit rights: you have the right to receive reports on AI system performance, including accuracy metrics, bias testing results, and model drift indicators, on request and at reasonable intervals. In a regulated context, you may need this information to satisfy your own regulators.
Data deletion on termination: the vendor must delete all your data — including data used to fine-tune or train models on your behalf — within 30 days of contract termination, and provide written confirmation of deletion. This is often resisted by vendors whose business models depend on data retention.
Liability allocation for AI governance failures: the contract must address what happens when the vendor's AI governance failure (inaccurate outputs, discriminatory results, security breach) results in your regulatory exposure. The vendor cannot accept your regulatory obligations, but can accept financial responsibility for failures caused by their AI system.