By: Ian M. Stanford and Steven T. Lawrence
Artificial intelligence (AI) is becoming increasingly embedded in business operations across all industries. A McKinsey survey in late 2025 found that 88 percent of companies reported using AI in at least one business function.[1] AI poses unique risks for companies that contract with supply chain or information technology vendors that use AI in some facet of the delivery of their goods or services. Boilerplate contract provisions often fail to address AI-related risks. Companies that include AI-specific contractual protections in service agreements may reduce exposure to these risks. This article presents several strategies that can be implemented to help companies protect themselves.
Analyze Vendor’s AI Tools
When considering a service agreement with a vendor that uses AI tools in performing its services, the contracting company should first analyze the types of AI tools used by the vendor. For example, does the vendor utilize publicly available large language models, such as OpenAI’s ChatGPT, Alphabet’s Gemini, or Anthropic’s Claude? Does the vendor use its own, proprietary large language model or another form of AI? The use of AI systems can take many forms. For example, vendors may use AI only for coding software, or for bug fixes or patches. Some software companies are using AI for wholesale programming of key portions of software.[2] Many data driven companies are utilizing AI solutions for large scale data analysis.[3] Businesses across many industries are deploying AI to handle customer service interactions via chatbots and other systems to manage routine customer inquiries without human involvement.[4] Companies are also utilizing AI to generate marketing materials.[5]
AI Risks
Supply chain vendors or information technology providers that use AI pose several risks for contracting companies. It is possible that large language models (particularly proprietary, non-public large language models) have been trained on misappropriated, confidential or unlawfully obtained third party materials. Moreover, all forms of AI are not free from error. There have been several well-publicized incidents of AI errors or mistakes.[6] In addition, contracting companies may not want their own confidential information shared with large language models or to allow large language models to learn from the contracting company’s confidential information.
Contract Drafting Strategies
In an effort to reduce risks related to AI as much as possible, contracting companies should consider several drafting strategies. First, a company contracting with a vendor should consider a provision that requires the vendor to disclose any third-party platforms their employees regularly rely upon and then represent and warrant that any AI tool it uses was not trained on misappropriated, confidential, or otherwise unlawfully obtained third-party materials. This representation could extend broadly to cover all inputs the vendor uses to feed its AI tools, with the vendor confirming it has all rights and authorizations necessary to use such materials. As lawsuits continue to emerge concerning the use of protected intellectual property in the training of AI tools[7], it is important that companies protect themselves against entanglement in intellectual property disputes.
Second, contract provisions could be included that specify that the use of AI tools does not modify or change any contractual warranty provisions. To the extent that AI creates an error, the supply chain vendor or information technology provider should be responsible and should not be able to use the inclusion of AI tools in its processes as a reduction in a performance standard.
Third, service agreements should prohibit vendors from inputting any of the contracting company’s confidential information into any publicly accessible AI platforms.[8] This is particularly important given that many publicly accessible AI platforms retain and incorporate user-submitted data into their models. A vendor’s employee who inputs a contracting company’s proprietary designs, financial data, trade secrets, or client information into such a platform may inadvertently compromise that information in ways that are impossible to remedy after the fact. The provision should define confidential information broadly and require the vendor to implement internal policies and training to ensure employee compliance.
In addition, contracting companies should also consider including AI-specific indemnification provisions. Conventional indemnification provisions may not cover all risks posed by AI outputs, such as regulatory and compliance violations, defamation, intellectual property infringement, or discriminatory outputs.[9] Therefore, supply chain and information technology agreements should enumerate these AI-related risks within the indemnification provision.
Another Concern: Lack of Human Oversight
Another concern is the use of AI agents by a vendor. An AI agent is a system that autonomously executes actions in the real world with minimal or no human input.[10] Twenty-three percent of respondents in the McKinsey survey indicated that their companies are scaling systems that utilize AI agents in some part of their operations.[11] Even as AI agents become more sophisticated and reliable, service agreements could include language requiring a qualified human to review any AI-generated outputs before any work product is delivered or action taken. Some vendors may use AI ubiquitously across their organizations. For such vendors, a more effective approach may be to identify specific types of work product and decisions that should require human review before execution, such as those that affect the contracting company’s finances, customers, or legal rights.
As AI-related claims continue to emerge, proactively addressing these risks in supply chain and information technology agreements could reduce risk as the law catches up to emerging technologies.
If you have questions about protecting your organization against AI-related risks, please contact Ian Stanford at 602-792-3528 or Steve Lawrence at 602-792-3536.
[1] https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai; Other surveys have shown as high as 92% of organizations have already invested in AI https://www.prnewswire.com/news-releases/92-of-organizations-have-invested-in-ai-but-78-say-projects-have-either-stalled-or-failed-302769202.html
[2] https://www.entrepreneur.com/business-news/ai-is-taking-over-coding-at-microsoft-google-and-meta/490896
[3] https://www.weforum.org/stories/2026/01/the-leading-companies-turning-ai-into-real-world-impact/
[4] https://chatmaxima.com/blog/ai-customer-support-statistics-2026/
[5] https://www.superside.com/blog/ai-marketing-campaigns
[6] https://www.ninetwothree.co/blog/ai-fails
[7] For example, on May 5, 2026, a class action lawsuit was filed against Meta Platforms, Inc. and Mark Zuckerberg for copyright infringement concerning Meta’s training of its AI platform. https://www.cbsnews.com/amp/news/meta-ai-lawsuit-copyright-scott-turow-publishers-llama
[8] One survey showed that nearly half of large organizations report they do not have full visibility into what information their employees enter into AI tools https://www.prnewswire.com/news-releases/nearly-half-of-large-enterprises-lack-full-visibility-into-ai-use-by-employees-according-to-new-protiviti-ai-pulse-survey-302765940.html
[9] See Mobley v. Workday, Inc., 740 F. Supp. 3d 796, 811 (N.D. Cal. 2024) (denying a motion to dismiss a discrimination lawsuit against an AI vendor acting as an agent of companies using its automated screening tools).
[10] https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai
[11] Id.
