RC-401d · Module 3
Contract & Vendor Framework
Every AI vendor agreement is a governance decision. The model provider's terms of service define what happens to your data, who owns the outputs, and what liability the provider accepts — or more commonly, what liability the provider disclaims. I review AI vendor agreements with the same [RISK]/[REDLINED]/[RECOMMEND]/[CLEARED] system I use for client contracts, because the exposure is the same. An AI vendor whose terms allow training on your data has just made your confidential information part of a shared model. That is not a terms-of-service issue. That is a governance failure.
- Vendor Data Handling Review: Every AI vendor agreement must answer three questions explicitly: (1) Does the vendor retain input data? (2) Does the vendor use input data for model training? (3) Does the vendor share input data with third parties? If the answer to any question is "yes" or "it depends on the tier," the governance framework must specify which data classifications are permitted for that vendor. [REDLINED]: any vendor agreement that grants a "perpetual, irrevocable license" to process your data without classification-specific restrictions. Replace with time-limited, purpose-specific, classification-aware licensing.
- Liability Allocation: AI vendor liability is structurally ambiguous. The vendor built the model. You deployed it. The client used the output. When the output is wrong, liability follows the contract language — not the causal chain. Your vendor agreement must allocate liability for each of the following: model output errors, data breaches during AI processing, regulatory non-compliance arising from model behavior, and IP infringement in generated content. If the vendor agreement is silent on any of these, you are accepting unlimited exposure by default.
- Governance Compliance Certification: Require AI vendors to certify compliance with your governance framework — not just their own. That means your data classification rules, your audit logging requirements, and your output validation standards. The vendor's SOC 2 certification tells you about their security posture. Your governance compliance certification tells you about their alignment with your specific policies. [RECOMMEND]: include a governance compliance attestation clause in every AI vendor agreement, reviewable annually, with termination rights if compliance lapses.