AI Governance Institute


AI Contractual Requirements

Define minimum contractual provisions that must be present in agreements with AI vendors, covering data handling, transparency, audit rights, and incident notification.

Objective

Protect the organization's legal position and compliance obligations through vendor contracts that explicitly address AI-specific risks.

Maturity Levels

  1. Initial: AI vendor contracts are standard commercial agreements with no AI-specific provisions.
  2. Developing: Some AI-specific terms have been added ad hoc to contracts, but no standard requirements exist.
  3. Defined: A documented set of required contractual provisions is consistently applied to all AI vendor agreements.
  4. Managed: Contracts are reviewed at renewal to ensure provisions remain current with regulatory requirements.
  5. Optimizing: Contractual requirements are continuously updated as regulatory obligations evolve; legal reviews new AI regulations for contract implications.

Evidence Requirements

What an auditor or assessor would expect to see for this control.

  • Signed vendor contracts confirming required AI governance clauses are present (incident notification, audit rights, data use restrictions)
  • Data processing agreements (DPAs) executed with each vendor processing personal data through AI systems
  • Contract review records showing AI governance requirements were assessed before execution
  • Clause coverage matrix confirming each required provision is present across all material vendor agreements
  • Contract renewal review records confirming terms remain adequate when agreements are extended or renegotiated

Implementation Notes

Key steps

  • Define your non-negotiable contract provisions: data processing agreement (mandatory for GDPR), prompt and output data handling restrictions, audit and inspection rights, incident notification timelines, and model change notification requirements.
  • Require notification of material model changes: many AI vendors update their models without notifying customers, so contractual notice is needed in order to validate a change before it reaches production.
  • Include a right-to-audit or third-party audit report requirement for vendors providing high-risk AI capabilities.
  • Address AI-specific liability questions: who bears liability for harm caused by model errors, discriminatory outputs, or data exposure?

Example Implementation

Legal team standardizing contract provisions for all AI vendor agreements

AI Vendor Contract Requirements Checklist

The following provisions are required in all AI vendor agreements. Legal reviews draft contracts against this checklist before signature.

Data handling (mandatory):

  • Data Processing Agreement (DPA) signed — required for any personal data processing
  • Prompt and output data use: vendor may not use our data to train or improve their models without explicit opt-in
  • Data residency: EU personal data must be processed within the EU (or Standard Contractual Clauses (SCCs) must be in place)
  • Zero-retention option: vendor must offer a zero-retention mode, or confirm that data is not retained beyond processing of the request

Transparency (mandatory for Critical/Significant risk tier vendors):

  • Model disclosure: vendor must disclose which model(s) are used and whether they are proprietary or third-party
  • Change notification: vendor must notify us at least 14 days before material model changes
  • Subprocessor list: vendor must maintain and share a current subprocessor list

Incident notification (mandatory):

  • Security incident notification within 24 hours of discovery
  • AI-specific incident notification: covers discriminatory output patterns, data exposure, model failure at scale
  • Designated security contact (not generic support)

Audit rights (mandatory for Critical risk tier):

  • Right to request SOC 2 Type II report annually
  • Right to audit or commission third-party audit with 30-day notice

Liability:

  • Vendor liability for harm caused by model errors or data exposure — cap and indemnification terms documented

Control Details

  • Control ID: PRC-002
  • Typical owner: Legal / Procurement
  • Implementation effort: Medium effort
  • Agent-relevant: No

Tags

contracts, vendor agreements, DPA, contractual obligations