Technology Agreements in the Age of AI: What Should Your Contract Actually Cover?
Introduction
Technology agreements have shifted considerably over the past decade. What were once relatively straightforward licence arrangements have evolved into dense SaaS terms that many businesses accept with limited scrutiny. The rise of artificial intelligence introduces a further layer of complexity. Unlike traditional software, AI systems bring uncertainty in outputs, questions around data provenance, and a rapidly developing regulatory landscape.
Against that backdrop, many existing contractual frameworks are no longer fit for purpose.
Rethinking the Nature of AI in Contracts
A central issue is that most contracts continue to treat AI systems as if they operate in the same way as conventional, deterministic software. In reality, AI systems are probabilistic in nature, often opaque, and heavily dependent on the data on which they have been trained. This creates a mismatch between how the technology behaves and how contracts attempt to regulate it.
For example, standard warranties—such as those confirming that software will perform in accordance with its documentation—offer limited protection in an AI context. An AI system can operate exactly as intended and still generate inaccurate or harmful outputs. Contracts therefore need to move beyond traditional formulations and address the inherent unpredictability of these systems more directly.
Defining Scope and Use
Clear drafting around scope of use is becoming increasingly important. Businesses should not only specify permitted uses of AI outputs, but also set boundaries around how those outputs can be used in practice. In particular, there is a growing need to identify higher-risk use cases, such as decisions relating to recruitment or credit, where additional oversight may be required.
Equally, contracts should deal explicitly with prohibited uses. This may include restrictions on using the system to train competing models, misuse of personal data, or reliance on fully automated decision-making without human involvement. As regulation develops—particularly under regimes such as the EU AI Act—allocating responsibility for high-risk uses will become a key area of negotiation.
Data: Input, Training and Output
AI contracting introduces three distinct categories of data, each of which raises different issues.
First, input data provided by the customer should remain under the customer’s control. This includes limiting the supplier’s ability to reuse that data, particularly for model training purposes.
Secondly, training data presents a more complex challenge. Suppliers are often expected to confirm that training datasets have been lawfully obtained and do not infringe third-party rights. In practice, however, suppliers—particularly those providing large language models—may have limited visibility over historic datasets. As a result, negotiations frequently shift away from absolute warranties and instead focus on allocating risk through indemnities, exclusions and liability caps.
Finally, output data must be addressed expressly. In many cases, the commercial expectation is that outputs generated from a customer’s prompts will belong to the customer. However, this should not be assumed and needs to be clearly documented.
Accuracy and “Hallucination” Risk
One of the most widely discussed features of AI systems is their ability to generate incorrect information with a high degree of confidence. Standard contractual approaches often attempt to deal with this through broad disclaimers of accuracy, but this can leave customers exposed.
A more balanced approach is emerging. This typically involves setting performance benchmarks where appropriate, requiring human oversight for high-stakes use cases, and allocating responsibility where that oversight is not applied. There is also increasing focus on obligations to identify and report systemic failures, rather than treating errors as isolated events.
Regulatory Compliance
Regulation is evolving quickly, adding further complexity to AI contracting. Agreements need to clearly allocate responsibility for compliance with applicable frameworks.
Under the EU AI Act, this includes clarifying whether a party is acting as a “provider” or a “deployer”, as these roles carry different obligations. In the UK, data protection considerations remain central, particularly in defining controller and processor roles and addressing rules around automated decision-making under the UK GDPR. In certain sectors, additional regulatory requirements may also apply, requiring a tailored approach.
Intellectual Property Considerations
AI also raises novel intellectual property issues. One aspect is the risk associated with outputs, particularly where those outputs may inadvertently reproduce or infringe third-party content. Contracts should address this through appropriate safeguards, including indemnities where commercially viable.
In addition, customer prompts themselves can represent valuable intellectual property. Without clear restrictions, suppliers may seek to reuse that material, including for model improvement. For many businesses, retaining control over prompts and preventing unauthorised reuse will be a priority.
Liability and Risk Allocation
Traditional liability provisions often fall short in the AI context. Caps based on a multiple of fees, such as 12 months’ charges, may not adequately reflect the potential impact of AI-related failures.
As a result, parties are increasingly considering more nuanced approaches. These may include specific carve-outs for systemic failures or high-risk scenarios, alongside provisions that recognise the role of the customer—for example, where the customer fails to apply agreed levels of human oversight.
Governance, Transparency and Ongoing Management
Customers are placing greater emphasis on transparency and governance. While full explainability is not always technically feasible—particularly for more complex models—contracts can still require meaningful visibility into how systems are developed and managed.
In practice, this tends to focus on process-based transparency, such as access to impact assessments, testing methodologies, and information about significant model updates. There is also a growing expectation of defined processes for handling AI-related incidents.
Exit and Transition
AI systems can create a degree of operational dependency, raising the risk of vendor lock-in. Contracts should therefore address exit planning from the outset.
Key considerations include ensuring that output data can be exported in a usable format, clarifying what happens to any fine-tuned models, and protecting confidential prompts and workflows. Without these safeguards, transitioning away from a supplier may be more difficult than anticipated.
What This Means in Practice
Despite the pace of technological change, contractual approaches are still catching up. Many standard terms do not adequately address the issues outlined above, yet continue to be widely accepted. As AI becomes more embedded in day-to-day operations, this gap presents an increasing risk for businesses.
At a minimum, organisations should ensure that their agreements clearly address three core questions: who owns the outputs, what happens when the system produces incorrect results, and who is responsible for regulatory compliance. If those issues are not dealt with explicitly, the contract is unlikely to provide the level of protection required.
This article is intended for information purposes only and provides a general overview of the relevant legal topic. It does not constitute legal advice and should not be relied upon as such. While we strive for accuracy, the law is subject to change, and we cannot guarantee that the information is current or applicable to specific circumstances. Costigan King accepts no liability for any reliance placed on this material. For further details concerning the subject of the article or for specific advice, please contact a member of our team.

