5 AI Vendor Contract Clauses Your Company Is Missing
Zachariah Crabill, JD
April 7, 2026
Most AI vendor contracts leave the deployer holding the bag on training-data liability, IP ownership, bias audits, and Colorado AI Act compliance. Here are the five clauses to add before you sign.
Every AI vendor contract we review has at least one landmine buried in it. The vendors who draft them know what they are doing — the contracts are designed to protect the vendor, not you. Here are the five clauses every business should pay attention to before signing an AI vendor agreement, and the specific language to negotiate in each one.
If your business deploys AI — whether you built it or you are just a customer of a SaaS tool with AI features — you are responsible for what that AI does to your customers, your employees, and anyone else who interacts with it. Colorado SB 26-189 (the new Colorado AI Act) and similar laws emerging in other states assume that the business deploying the AI has contractual visibility into what the vendor built. SB 26-189 goes further: it makes developer documentation a statutory duty owed to deployers. If your contract does not give you that visibility, you are taking on risk the vendor should be bearing.
Here is what to look for before you sign.
1. Training data indemnification
What the default usually says
Most AI vendor contracts have a generic IP indemnification clause that promises to defend you if someone sues you for infringement based on the vendor's product. That sounds fine until you read the exclusions, which frequently carve out training data, model outputs, and “derivative uses” by the customer.
Why that matters
AI models are trained on enormous corpora of text, images, or code. A meaningful amount of the litigation in 2024 and 2025 over generative AI has been about whether that training data was lawfully used. If a right-holder sues you because an output from the vendor's model allegedly reproduces copyrighted material, and the vendor's indemnification carves out training data, you are on your own.
What to ask for instead
Push for an indemnification that explicitly covers third-party claims arising out of the training data the vendor used, the outputs the model produces in response to customer inputs, and the use of those outputs in the customer's ordinary course of business. Get specific dollar limits in writing — uncapped indemnification is better, but a cap pegged to contract value (for example, 12 months of fees) is a reasonable middle ground for smaller deals.
2. Ownership of model outputs
What the default usually says
Many AI vendor contracts are ambiguous about who owns the outputs the model produces in response to the customer's inputs. Some say the customer owns “customer content,” which is then defined in a way that arguably excludes model outputs. Others grant the customer a license to use outputs “subject to the vendor's terms of service,” which is a moving target.
Why that matters
If your business is using AI outputs in customer-facing work product — contracts, marketing copy, customer support responses, analyses, designs — you need clean ownership. You cannot build your work on top of content that is subject to a license the vendor can revoke or change.
What to ask for instead
The contract should say, in plain English, that the customer owns all outputs the model generates in response to the customer's inputs, subject only to the intellectual property rights of third parties. The vendor should explicitly disclaim any ongoing license or retained rights in those outputs. If the vendor insists on a license-back for model improvement, it should be narrowly scoped and the customer should have the right to opt out.
3. Data rights and training opt-out
What the default usually says
A surprising number of AI vendors reserve the right to use customer data — including the prompts, queries, and documents the customer uploads — to train or improve their models. The language is usually buried in a section called “service improvement” or “aggregated data,” and it often does not require any additional consent.
Why that matters
If your customers' or employees' data is flowing into a vendor's training pipeline, you have a privacy problem, a confidentiality problem, and a Colorado AI Act recordkeeping problem all at once. You cannot demonstrate compliance with SB 26-189's pre-use notice and adverse-outcome notice duties if you do not know what the vendor is doing with your data.
What to ask for instead
Get a written commitment that customer data will not be used to train any model — not the vendor's main model, not a fine-tune, not an embeddings database — without separate, written consent. If the vendor wants the right to use aggregated and de-identified data for analytics, define exactly what counts as de-identification and require contractual commitments on the de-identification process.
4. Developer documentation and transparency
What the default usually says
Most AI vendor contracts are silent on documentation and model transparency. Some have aspirational language in a “responsible AI” section that commits the vendor to industry best practices, but that language is rarely operational. You cannot enforce “we take responsible AI seriously” in a courtroom.
Why that matters
SB 26-189 makes developer documentation a statutory duty. Developers must give deployers a statement of intended uses and known harmful uses, the categories of data used to train the system (to the extent known), known limitations and risks, and instructions for meaningful human review. Separately, deployers and developers remain liable under state anti-discrimination law for outcomes materially influenced by ADMT — and indemnity clauses purporting to shift that liability are void by statute. If you cannot get the documentation, you cannot draft accurate consumer notices, conduct meaningful human review, or defend an AG inquiry.
What to ask for instead
Require the vendor to deliver, on signing and on every material update, the SB 26-189 developer-documentation package — intended uses, training data categories, limitations, risks, and human-review instructions. Require an annual disparate-impact summary in writing. For high-risk use cases, require additional testing against the specific demographics and outcome categories your business cares about. Require prompt notice if the vendor discovers a material disparate-impact issue in production.
5. Termination for regulatory change
What the default usually says
AI vendor contracts almost always include a termination clause that lets the vendor walk away with notice, and a separate one that lets the customer walk away only for material breach. There is often no provision at all for what happens if the regulatory environment changes in a way that makes the product unusable in your jurisdiction.
Why that matters
State AI legislation continues to move fast. Colorado was first to pass and then rewrote its law in May 2026; California ADMT rules, New York employment AI rules, Illinois, Connecticut, Texas, and several others have provisions in circulation or already on the books. If a new law makes the vendor's product non-compliant in a key jurisdiction for your business, and your contract is a three-year lock-in, you are paying for something you cannot lawfully use.
What to ask for instead
Add a regulatory-change termination right. If new federal, state, or local legislation makes the product unlawful or materially impractical to use in a jurisdiction where the customer operates, the customer should have the right to terminate with a pro-rata refund of any prepaid fees. Pair this with a vendor obligation to notify the customer promptly when the vendor becomes aware of such a change.
How to actually do this review
You do not need to renegotiate every AI vendor contract from scratch. A realistic approach for a small business looks like this:
- Start with your most-used AI tools — the ones processing employee data, customer data, or decisions about real people.
- Pull the contracts and read them against the five clauses above.
- Flag every clause where the default falls short. Send a redline to the vendor or ask for a side letter.
- If the vendor refuses to negotiate and the contract is materially problematic, document that fact. That documentation is part of the three-year record SB 26-189 requires and is also a useful defense in any anti-discrimination claim that follows.
- On every new AI vendor procurement going forward, bake the five clauses into your standard negotiation playbook.
Available Law reviews AI vendor contracts as a standard part of FAIIR certification and as a standalone work item under our flat-rate subscription plans. If you want to see how your current AI vendor contracts stack up against the Colorado AI Act's deployer duties, our free readiness checker will flag vendor management as a specific gap when it applies to your situation.
And if you have not yet read our plain-language walkthrough of the Colorado AI Act, that is the place to start — the clauses above exist because the statute's duties exist, and understanding the duties makes the contract review make sense.