Five AI Contract Questions to Ask Before Your Next Renewal
AI risk is moving through addenda, AUPs, DPAs, and incorporated documents — which means renewal review now has to include the whole contract stack.
You probably do not need another alert telling you that “AI law is moving quickly!”
Colorado has an AI statute. California has transparency rules. Federal agencies are circling the issue. Consumer protection regulators are watching AI claims. Enterprise customers are asking harder questions about data use, model safety, and incident response.
Fine.
The practical question is: where does that show up in the contract you are reviewing?
Increasingly, the answer is not the MSA itself.
It is the documents around the MSA: the Data Processing Addendum, the Acceptable Use Policy, the AI Services Addendum, product-specific AI terms, security schedules, and other documents incorporated by reference.
That is what makes this easy to miss. The MSA may look basically identical to the agreement you negotiated last year. The AI terms may not.
A vendor may have added language allowing customer data to be used to improve AI features. It may have carved AI-generated output out of IP indemnification. It may have shifted compliance obligations to the customer for AI-specific laws and regulations. It may have disclaimed accuracy for the AI output while preserving ordinary SaaS warranties for the platform. It may have created new prohibited-use rules that turn certain AI deployments into contract breaches.
None of those changes requires a dramatic rewrite of the MSA.
They can arrive through the stack.
For AI-enabled SaaS, the operative contract may now look more like this:
MSA → Order Form → DPA → AUP → AI Services Addendum → product-specific AI terms
The renewal trap is obvious once you see it. If the AI addendum was added mid-term, it may carry forward into the renewed agreement. If the vendor offered an opt-out window for training data, that window may already have closed. If the AUP now restricts certain AI uses, the business team may be creating breach risk without knowing it.
So the first step is not to draft a better AI policy.
The first step is to pull the contract stack.
We pulled the AI addenda from seven major enterprise vendors — OpenAI, Google, Salesforce, Microsoft, Adobe, Slack, and Zoom — to map where these questions actually arise. Five of them determine most of the risk picture:
Can the vendor use our inputs, outputs, or usage data to train, improve, test, or benchmark AI systems?
Are AI-generated outputs covered by IP indemnification, or excluded through AI-specific carveouts?
Who bears compliance obligations for AI-specific laws and automated-decision rules?
Does the vendor have to notify us before material model changes or AI-related incidents?
What warranty, if any, applies to the AI output itself?
This is where AI governance becomes contract governance.
The policy manual may tell your employees what they are supposed to do. The contract decides what your vendor is obligated to do, what you are responsible for, and who pays when the AI system creates a problem.
The Point
Do not just compare this year’s MSA to last year’s MSA. Compare the whole stack.
Go Deeper: We mapped where the risk actually lands across those seven vendor addenda. Each clause may be individually defensible; together, they shift substantial risk to the party using the AI.
See more here: MSA + AI: What the Standard Vendor Terms Actually Say


BAN AI! I NEVER WANTED AI!