Every week, in-house lawyers receive requests to review contracts for AI tools. The pitch is always the same. It will save time. It will make us more efficient. If you review the terms and conditions in those contracts carefully, however, you realize that they can come at a high cost.
I have written before about how contract review needs to extend beyond a simple checklist. That principle has never been more relevant than it is right now, as AI vendors market directly to teams across our organizations. The contracts for these tools arrive with standard terms and conditions that most people click through without reading. In-house lawyers cannot afford to do the same.
I recently reviewed a contract for an AI-powered content platform. The tool would generate written content using its client’s data. The subscription cost was modest. The sales materials looked polished. The standard agreement looked, at first glance, like a straightforward contract. It was not.
When I dug into the terms, I found four significant problems that had nothing to do with cybersecurity or data breaches. They had everything to do with data control.
The vendor claims co-ownership of your content. The agreement gave the vendor joint ownership of every piece of content the AI tool generated using the organization’s data. The vendor could use that content for any purpose, including marketing to competitors, without consent. The organization would have been handing over co-ownership of its own storytelling to a third party.
The vendor walks away with your data. The agreement granted the vendor a perpetual, irrevocable license to the organization’s data once it was incorporated into something the vendor called “Aggregated Statistics.” The definition of that term was broad. There was no defined standard for how the data would be anonymized. There was no mechanism to claw that data back after the contract ended. Once the data went in, it would be gone.
The vendor can walk away, but you cannot. The agreement gave the vendor the right to suspend the platform for a wide range of reasons, including its own operational issues, with no liability for data loss or service disruption. The organization had no corresponding termination rights. If the vendor decided to suspend service indefinitely, the organization would have had no recourse, no refund, nothing.
You are paying for something you may not own. Part of the subscription included a branded microsite where content would be published, but the agreement did not specify who owned the domain. It did not address what would happen to published content if the relationship ended. It did not restrict the vendor from adding its own branding to the page. The organization could have ended up paying for a site that the vendor controlled, with no ability to take it along at the end of the relationship.
None of these issues appeared on a standard contract review checklist. A checklist would have flagged the limitation of liability, the indemnification provision, and the governing law clause. Those things mattered, too, but the real risk in this agreement was something different. Once the organization’s data entered the vendor’s ecosystem, the organization would have had very little control over how it was used, how long it was retained, or whether it could ever be recovered.
This is the pattern I see over and over with AI vendor agreements. The technology is new, but the contracting playbook is old. Vendors draft terms that give them maximum flexibility and minimum accountability. They use familiar language to wrap around terms that would raise red flags if anyone took the time to read them carefully.
Here is what in-house lawyers can take away from this:
Read the IP ownership provisions word by word. If the vendor’s AI tool generates content using your data, the default should be that you own the output. Joint ownership sounds reasonable until you realize it means the vendor can do whatever it wants with content built from your organization’s data.
Trace your data through the entire agreement. Find every term that references your data, including definitions of aggregated data, anonymized data, and derived data. Understand what happens to your data during the contract, after the contract, in the event of a suspension, and upon termination. If the agreement does not give you a clear path to get your data back, that is a problem.
Look for asymmetry in termination and suspension rights. If the vendor can suspend service without liability, but you cannot terminate without penalty, the contract is one-sided. Push for mutual termination rights, defined cure periods, and data return obligations upon termination or suspension.
Ask what you actually own when you pay for a deliverable. If the agreement includes a website, a microsite, a dashboard, or any other deliverable, make sure the contract specifies who owns it, who controls it, and what happens to it when the relationship ends.
AI tools are going to keep flooding in. The technology will keep getting better. The sales pitches will keep getting more persuasive. Our job as in-house lawyers is to look past the demo and into the contract. The terms and conditions are where the real deal lives. Right now, too many of those terms are written to benefit the vendor at the expense of the customer.
We need to dig in. We need to push back. We need to do it before we click “I agree.”
Lisa Lang is an accomplished in-house lawyer and thought leader dedicated to empowering fellow legal professionals. She offers insights and resources tailored for in-house counsel through her website and blog, Why This, Not That™ (www.lawyerlisalang.com). Lisa actively engages with the legal community via LinkedIn, sharing her expertise and fostering meaningful connections. You can reach her at [email protected], connect on LinkedIn (https://www.linkedin.com/in/lawyerlisalang/).