Copyright © 2025 LexisNexis and/or its Licensors.

Artificial Intelligence (AI) Agreements Checklist

February 02, 2025 (9 min read)

By: Jessica Bishop and Sarah Stothart, GOODMANS LLP 

This checklist provides an overview of key legal considerations attorneys should review when advising clients on negotiating and drafting contracts involving artificial intelligence (AI). Considerations may vary depending on the jurisdiction and nature of the AI at issue.

1. Define the Scope of Work and Deliverables

  • As with any technology contract, clearly define and describe the scope of services and deliverables in the contract.
  • Consider and review whether the AI product description, documentation, specifications, deliverables, and contractual terms meet the client’s requirements.

2. Address Intellectual Property (IP) Ownership

  • The contract should address IP ownership between the parties with respect to:
    • The deliverables
    • The AI
    • All input and output
    • Any training data
  • If the customer provides inputs or prompts to the AI solution, the customer may wish to continue to own the inputs or prompts. Also consider whether the customer would expect any ownership rights in the output, including any deliverable created from that output.
  • Prompts and certain customer data may include information that the vendor expects or requires the right to use and to allow third parties to use. The vendor should include provisions protecting its:
    • Rights in the AI
    • Vendor information and data
    • Trade secrets
    • Copyrighted materials
    • Patents or patent applications
  • Factor these requirements into the definition of the deliverables and corresponding ownership and use rights.
  • AI solutions often rely on the use of open-source software and third-party software. Consider whether open-source software or third-party software will be incorporated into any deliverables or services and any associated IP or data security risks.
  • In many cases, contracting parties may choose to maintain secrecy over components of the AI. Contracting parties should maintain awareness of applicable trade secrets legislation and should include strict confidentiality provisions in contracts, specifying that a breach would result in irreparable harm that is not compensable in damages.
  • In connection with the foregoing considerations of ownership of applicable property, consider and provide for any necessary licenses over such property. Licenses may be limited to the duration of the contract period but no longer or may vary depending on the purpose to which the AI is put.

3. Include Performance and Service Levels

  • As with any technology contract, a contract for an AI solution should contain robust performance and quality metrics that reflect the customer’s requirements. If the vendor or its subcontractor is hosting the AI, standard service levels for availability of the AI should be included in the contract.
  • Service level requirements should be included for any customer requirements relating to items such as incidents, support, and processing times, as well as service level objectives for items that require tracking and reporting.
  • Where AI solutions will be used as workplace tools by regulated industries or by clients with professional obligations, ensure that the contract allows the client and any users to comply with all:
    • Regulations
    • Professional obligations
    • Policies

4. Draft Representations and Warranties

  • Customers should require vendors to represent and warrant that:
    • Vendor has all the necessary rights and licenses to use any third-party and open-source technology to provide the AI solution, deliverables, and any services.
    • Vendor has full power and authority to grant the rights to the customer under the contract.
    • The AI solution, deliverables, and any services will not misappropriate, violate, or infringe any third-party IP rights (this is in addition to indemnification protection for third-party IP claims).
    • The vendor and its AI solution, services, and deliverables will comply with all specifications and all applicable laws, including all privacy laws.
  • Potential weaknesses of AI solutions include bias and data quality. If representing a customer, consider including representations and warranties that mitigate the risks associated with bias (if applicable to the AI solution) and data quality.
  • If representing a vendor, consider the use of disclaimers with respect to limitations and risks of the AI solution. Errors in outputs could result from customer prompts or bad input data.
  • Vendor should require customers to represent and warrant that:
    • The customer and its use of the AI solution and services will comply with all applicable laws.
    • The customer has all necessary rights and consents required to allow the vendor to process its data, including all personal information, in accordance with the contract.

5. Consider Data Privacy

  • Organizations should prudently determine if the AI solution will process personal information. When making this determination, each type of data, including the input data, output data, and any training data should be considered. Also consider whether the output data could constitute newly generated personal information.
  • AI solutions typically involve the processing of large volumes of data that may contain personal information.
  • The organization providing the personal information to be processed, and in some cases, the processor as well, is responsible for ensuring that the necessary consent has been obtained for the processing of personal information by the AI.
  • Robust data-protection terms should be included in the contract to ensure compliance with all applicable privacy laws, including health privacy laws where personal health information is processed, and to restrict the use of personal information. The data-protection terms should expressly limit the use of personal information to the purposes for which consent has been provided.
  • Personal information should be defined in a manner consistent with applicable privacy laws. Under U.S. law, the definition of personal information varies by jurisdiction. The Canadian courts have determined that the definition of personal information is usually to be given a broad and expansive interpretation (e.g., information will be personal information if it is about an identifiable individual. A person will be identifiable if the information disclosed, together with other publicly available information, would tend to or possibly identify them).

6. Consider Security

  • The security of AI solutions is a key consideration, particularly when processing data that may contain personal information, or sensitive or otherwise confidential information. AI solutions can present potential cybersecurity risks that threat actors can attempt to exploit by compromising the security of the system or obtaining confidential data.
  • Organizations that collect, use, and disclose personal information are obliged to establish physical, technical, and organizational safeguards appropriate to the sensitivity of the information. Those safeguards must protect against risks such as loss or theft, unauthorized access, disclosure, copying, use, or modification.
  • AI solutions raise the same security concerns as other software, with a few specific considerations:
    • Some AI solutions access large datasets which can heighten the risks associated with data breaches, and breach-related incidents can be difficult to reconstruct.
    • AI processes may be proprietary or opaque, which makes it difficult to determine whether the AI system is processing data in accordance with the contract or whether it has been tampered with.
    • Allowing training data or outputs to be accessed or used in a manner that is not authorized is a risk.
    • The possibility of re-identification of data with individuals arising from the architecture of AI systems and output is a risk.
  • Customer-specific considerations:
    • Customers should understand the AI solution architecture and any security vulnerabilities to enable them to better mitigate risks and bolster cybersecurity programs and policies.
    • Customers should ask for security-related specifications and requirements and such terms should be included in the contract.
  • Vendor-specific considerations:
    • Vendors should consider adding security-related disclaimers making it clear that the AI solution is not free from third-party interference or otherwise secure.
    • Vendors may want to require customers to follow security practices to address risks stemming from the customer’s systems and access to the AI solution and to require customers to protect the integrity and security of input data and training data (if provided by customer).

7. Consider Risk Management and Liability

  • Evaluate the risk/benefit of the AI system:
    • Before entering the contract, consider all of the following:
      • The specific use case for the AI
      • Its historical performance
      • Whether it is being implemented for a high-risk function
    • Depending on these factors, consider whether the benefit of implementation is sufficient to warrant the outsourcing of performance to an AI system with the associated uncertainty and risk that may be incurred.
  • Responsibility for issues/performance failures:
    • The contract should clearly set out the allocation of liability for any resulting issue, including harm to the parties and third parties when an AI system results in error or incurs liability.
    • The negotiated allocation of responsibility for resulting issues may depend on the source of the issue and the negotiated allocation of responsibility (e.g., development or maintenance of the AI).
  • Performance oversight:
    • The contract should specifically allocate responsibility for performance oversight. This should include:
      • Development of contractual agreement to the implementation of safety mechanisms
      • Procedures and the conduct of regular auditing and testing
    • The AI must perform in compliance with the parties’ own performance requirements, but, depending on the context, the AI may also be required to comply with third-party expectations of performance.
  • Third-party terms of use:
    • To the extent the subject AI will be accessed or used—directly or indirectly—by third parties, stipulate terms of use that bind such third-party usage. Terms of use will need to be publicly posted for agreement by third parties at the time of use.
    • Carve-outs can be documented in the main contract to specify where liability is subject to third-party terms of use.
  • Documentation and recordkeeping:
    • The parties should ensure that all aspects of development and deployment of the AI system are documented.
    • When problems with an AI system arise, one of the most important factors in being able to resolve and correct them is a transparent and well-documented system where the source of the issue is identifiable.
    • Documentation and recordkeeping obligations—and consequences for failure to comply—should be specified in the contract.

To review additional checklist items covering Indemnification, Ethical Considerations, Legal and Regulatory Requirements and Dispute Resolution, subscribers may access the complete checklist in Practical Guidance.


Jessica Bishop is a partner in a business law group at Goodmans. Her practice focuses on corporate and commercial law with a focus on complex commercial technology transactions.


Sarah Stothart is a partner in the litigation and dispute resolution group at Goodmans. She maintains a broad practice primarily divided between complex commercial, insolvency, and intellectual property litigation.


To find this article in Practical Guidance, follow this research path:

RESEARCH PATH: Intellectual Property & Technology > IP & IT in Corporate Transactions > Checklists

Related Content

For an in-depth discussion of indemnification, see 

INDEMNIFICATION PROVISIONS IN COMMERCIAL CONTRACTS

For updates on state, federal, and municipal legislation related to the use of Artificial Intelligence (AI), see

ARTIFICIAL INTELLIGENCE LEGISLATION TRACKER (2024)

For a full listing of practical guidance materials on generative AI, ChatGPT, and similar tools across multiple practice areas, see

GENERATIVE ARTIFICIAL INTELLIGENCE (AI) RESOURCE KIT

For further discussion of service levels, see

SOFTWARE AND IT SUPPORT AGREEMENTS: SERVICE LEVELS

For an examination of dispute resolution and remedies in outsourcing transactions, see

DISPUTE RESOLUTION AND REMEDIES IN OUTSOURCING


For an overview of data security and privacy, see

PRIVACY AND DATA SECURITY CONSIDERATIONS WHEN NEGOTIATING OR REVIEWING A TRANSACTION OR AGREEMENT

For a summary of key federal litigation related to AI, see

ARTIFICIAL INTELLIGENCE: FEDERAL LITIGATION TRACKER

To track recent guidance, decisions, and actions taken by the U.S. Patent and Trademark Office and the U.S. Copyright Office related to AI, see

ARTIFICIAL INTELLIGENCE: INTELLECTUAL PROPERTY REGULATORY TRACKER

For a look at the primary and emerging legal issues related to AI, see

ARTIFICIAL INTELLIGENCE KEY LEGAL ISSUES

For a presentation on environmental, social, and corporate governance employment law issues, see

ENVIRONMENTAL, SOCIAL, AND GOVERNANCE (ESG) FOR EMPLOYERS AND HR: TRAINING PRESENTATION

For information on key AI-related considerations in mergers and acquisitions due diligence, see

ARTIFICIAL INTELLIGENCE (AI) INVESTMENT: RISKS, DUE DILIGENCE, AND MITIGATION STRATEGIES