As AI Risk Shifts to Customers, Contracts Matter More Than Ever

  • Writer: Josh Waterston

For years, business customers approached software contracting with a familiar expectation: if a vendor’s technology infringed someone else’s intellectual property rights, the vendor would defend the claim and cover resulting losses. As AI companies entered the enterprise market, those protections quickly became table stakes.

 

That assumption is becoming increasingly unreliable.

 

Litigation involving AI systems is accelerating. According to Prof. Edward Lee’s team at ChatGPTisEatingTheWorld.com, 111 copyright infringement cases involving AI have already been filed. Insurers are narrowing coverage. Vendors are narrowing indemnities. And businesses adopting AI tools are increasingly retaining risks that vendors once absorbed.

 

When it comes to AI tools, the standard SaaS contracting playbook doesn’t work.

 

The Original AI Contracting Model

Starting in late 2023, AI companies seeking enterprise adoption began offering protections resembling traditional software indemnities. Between September and November 2023, Microsoft, Amazon, and Google each announced versions of AI copyright indemnity or “copyright shield” programs designed to reassure enterprise customers concerned about training-data disputes and generated outputs.

 

The basic assumption was straightforward: the vendor built and trained the model, controlled the underlying systems, and therefore should bear the primary legal risk associated with infringement claims.

 

For a time, broad indemnity language became an important selling point in enterprise AI adoption. Other standard protections included insurance requirements, warranties regarding lawful training practices, and limits on vendor disclaimers.

 

Why the Market Is Changing

The legal landscape changed quickly. AI companies now face mounting lawsuits from publishers, authors, artists, software developers, and other rights holders. Claims increasingly target not only training data, but also generated outputs that allegedly reproduce copyrighted material, mimic protected styles, or generate infringing code.

 

At the same time, insurers are reassessing AI exposure across cyber, technology E&O, media liability, and related policies. Some policies now contain:

  • AI-specific exclusions;

  • narrower definitions of covered services;

  • intellectual property carveouts;

  • restrictions involving generated outputs or training data; and

  • requirements for documented AI governance controls.

 

As insurers narrow coverage, vendors are shifting more risk to customers. An increasing number of AI agreements:

  • exclude claims arising from customer prompts or fine-tuning data;

  • deny indemnity if outputs are modified or combined with customer content;

  • shift responsibility for “high-risk” uses to customers; and

  • cap liability while disclaiming warranties regarding accuracy, infringement, or regulatory compliance.

 

Some agreements also exclude coverage for regulated-industry uses or third-party model components. In practice, those exclusions can swallow much of the protection that businesses thought they were buying in the first place.

 

As always, don’t accept a company’s public announcements without checking the platform’s actual terms of use. For example, Microsoft requires its customers to take specific steps to mitigate risk. Businesses relying on public “copyright shield” announcements without reviewing the actual contract terms may discover the limitations only after a dispute arises.

 

What Businesses Should Do Now 

That does not mean businesses should stop using AI tools. It does mean they should stop treating AI contracting like ordinary SaaS contracting.

 

Contracts, governance, cybersecurity, privacy, insurance, and operational controls increasingly work together as part of a broader risk-management strategy.

 

Pressure-Test AI Indemnities

Many AI indemnities do not provide nearly as much protection as customers assume. Key questions include:

  • Are generated outputs covered?

  • Are there exclusions tied to prompts, fine-tuning, or customer modifications?

  • Are a vendor’s indemnification obligations capped by the limitation-of-liability clause?

  • Who controls the defense and settlement of claims?

  • Can the vendor unilaterally change model functionality or usage rules?

 

Focus on Operational Protections

As broad indemnities narrow, customers should focus more heavily on the vendor’s other obligations.

 

Depending on the use case, businesses may want:

  • commitments regarding lawful training-data sourcing practices;

  • human review requirements for sensitive workflows;

  • audit and transparency rights;

  • AI-specific insurance coverage;

  • notification obligations relating to investigations or security incidents; and

  • governance or data-security obligations.

 

These provisions are increasingly important where traditional indemnities no longer provide complete protection.

 

Review Insurance Coverage

Many businesses incorrectly assume their existing policies automatically cover AI-related claims. This is a fast-changing area, but the following recommendations can help:

  • Take an inventory of how your business uses AI (tools, data, risk allocation in contracts related to those tools).

  • Map coverage areas to types of AI risk.

  • Review the increasing number of AI-specific exclusions; your current coverage may not match your prior coverage.

  • Talk with your insurance professional about whether new or updated AI-specific coverage is warranted.

 

Address Internal AI Governance

Internal governance matters too, especially as regulators, insurers, courts, and enterprise customers increasingly expect documented AI governance practices.

 

Businesses should not turn a blind eye to “shadow AI” (employees using personal AI tools not approved by their company).

 

Written AI usage policies, employee training, approval requirements for high-risk uses, restrictions on confidential or regulated data inputs, and documentation procedures are becoming increasingly important.

 

Governance alone will not solve every problem. But companies without it will have a much harder time defending decisions after something goes wrong.

 

The Bottom Line

Organizations deploying AI should no longer assume that vendors, insurers, or legacy contract language will absorb emerging AI risks. As indemnities narrow and coverage evolves, AI contracting is increasingly becoming a core business risk-management issue. Let us know how we can protect and support your team.
