Artificial intelligence (AI) is continuing to shape the business world, and it seems like only a matter of time before most organizations adopt this technology in one form or another. Several studies have shown that over half of business owners are already using AI, or plan to use it in the future. Whether your organization is part of this group or not, it’s likely that AI will influence at least some of your vendors. So, what does this mean for your organization and managing AI vendor risk?
One of the best ways to reduce vendor risk, no matter the type, is with a well-drafted vendor contract. It’s important to review and revise your existing contract templates to ensure you include specific considerations and controls that address the unique risks of AI.
5 Contract Considerations for Vendors Using AI
You may want to pinpoint the vital elements to cover when adding AI language to your vendor contract. A contract without these essential components is vague and fails to fully address AI risks that could harm your organization.
Consider these topics when drafting your agreement:
- Usage – You’ll want to ensure that your contract includes details about the vendor’s acceptable usage of AI and any limits you want to impose. If the vendor is currently using AI technology strictly for research purposes, consider whether you want to add restrictions on whether they can begin using it for the development or production of any products or services your organization will use.
- Interaction with data – If your vendor uses AI to collect, process, store, or handle data, including those details in the contract is essential. When considering a vendor, it’s crucial to verify that their contract outlines procedures for handling data in case of termination or expiration. This is a critical step in safeguarding against potential privacy and cybersecurity hazards.
- Right to audit – AI technology can present a variety of risks that must be managed by your vendor’s internal controls. A right to audit clause in your contract will ensure that you can review the vendor’s controls for effectiveness and require remediation, if necessary.
- Roles and responsibilities – Some AI technology may require a higher level of expertise and training to prevent misuse or inaccuracies. To ensure proper utilization of AI, it’s essential to include specific responsibilities in the contract to guarantee that the vendor staff are qualified to handle it.
- Service level agreements (SLAs) – The vendor’s product or service and the type of AI used should factor into the creation of your SLAs. For example, your vendor may use an AI-powered chatbot to perform customer service on your website. The customer response time for this vendor would likely be different from that of a call center.
3 Best Practices for Vendor Contract Management
Partnering with a vendor that uses AI can offer new opportunities for efficiency and growth, but it also creates unique contract challenges. It’s helpful to remember the following best practices that will create a safe and valuable partnership:
- Collaborate with subject matter experts. Your legal and vendor risk management teams might be the primary departments involved in vendor contract management, but don’t forget to collaborate with other relevant subject matter experts, such as information security and business continuity. Because AI risk is a newer concept, these different business units can offer a valuable perspective on what to include in your contract.
- Complete vendor due diligence before contract execution and renewal. Due diligence can be a lengthy process in general, but even more so when assessing a newer type of risk like AI. You may need to collect and review additional documentation for AI risk, but this is a critical step that must be taken before you sign or renew the contract.
- Establish a review schedule. In general, a vendor contract should be reviewed periodically alongside the vendor’s performance. This review evaluates the need for any changes and confirms that SLAs are being met. Regardless of the schedule your organization adopts, reviewing your contract before renewal is essential. For critical vendors, this should be done no later than the midpoint of the contract term. Higher-risk vendor contracts can typically be reviewed one year before expiration, and moderate or low-risk vendor contracts should be evaluated no less than 120 days before they expire.
A well-written vendor contract helps create transparency and accountability, both of which are needed to manage AI risk. As AI technology becomes more widespread, it shouldn’t be surprising to see increased attention from regulators. By integrating AI language in vendor contracts, you can help to safeguard both your organization and customers from evolving risks and complexity.