You sign up for an AI drafting tool. The click-wrap terms run to seventeen pages. You tick the box, start using the product, and six months later a client asks whether their documents are being used to train the model. You check page eleven. Clause 9.2 says the vendor may use customer inputs to improve the service. Your client data has been processed without their consent. You are the data controller. The ICO does not accept “the terms allowed it” as a defence.
That situation is live for hundreds of UK owner-operated firms right now. The clauses below are the ones that change it.
What do AI contract clauses actually cover?
AI contract clauses govern what the AI is allowed to do, who owns inputs and outputs, what happens to your data, how performance is measured, and who is liable when things go wrong. They differ from standard SaaS terms because AI creates risks those agreements were not written to handle: training rights on your data, IP uncertainty over outputs, and liability for decisions the system influences.
Legal commentary from A&L Goodbody and LawyerLink identifies five clusters of provisions. The first is scope and human oversight: a precise description of what the AI does, agreed accuracy expectations, and a requirement for human sign-off before any AI output directly affects a decision about a person’s job, pricing, or access to a service. The ICO is explicit that where decisions produce significant effects on individuals, meaningful human review is required under UK GDPR.
The second cluster covers data and confidentiality, specifying who can train on what, with what consent, under what safeguards. The third is intellectual property: under UK copyright law, “computer-generated works” vest in the person who arranged for their creation (Copyright, Designs and Patents Act 1988, section 9(3)), and without an assignment clause that person may not be you. The fourth and fifth clusters address security and service levels, and liability allocation including exit rights when a third-party model changes or disappears.
Why do AI contract clauses matter for a small UK firm?
Standard vendor terms are written to protect the vendor. As a UK business processing personal data through an AI tool, you are the data controller under the UK GDPR, which means you are responsible for how that data is handled regardless of what the vendor’s terms permit. The ICO holds you accountable whether or not the vendor’s contract appears to absolve them.
The IP exposure is concrete. Lawsuits allege that several AI providers trained models on copyrighted material without proper authorisation, including Getty Images (US), Inc. v Stability AI Ltd (High Court of Justice, London, 2023). Where a vendor cannot warrant that its training data was lawfully sourced and indemnify you for third-party IP claims, the risk of using outputs commercially falls on you.
Liability is the third dimension. Standard AI contracts frequently cap the vendor’s liability at the annual contract value and exclude consequential loss. Where an AI tool produces a biased recommendation that generates an employment claim, or a hallucinated figure in a client report causes a financial loss, those caps leave you carrying the bulk of the exposure. The Competition and Markets Authority flagged the need for clear responsibility allocation across AI value chains in its 2023 foundation models report.
Where will your firm actually encounter these terms?
AI contract terms appear in three settings, each with different scope for negotiation. SaaS click-wrap agreements are typically non-negotiable, but you decide whether to accept them. Bespoke consultant and agency contracts are fully negotiable. Platform API terms from providers such as OpenAI or Microsoft Azure fall between: enterprise customers get custom terms, but the typical SME is on standard agreements with limited room to push back.
For SaaS click-wrap tools, the right question is whether the default terms suit your use case, not whether you can negotiate them. If the tool processes client data or outputs appear in client deliverables, a vendor clause permitting use of inputs to improve the service is a material risk. Check whether the vendor offers a data processing agreement, a privacy-preserving tier, or an enterprise plan before you start using the product.
For bespoke contracts with consultants, agencies, and build partners, you have room to negotiate: data ownership, IP in outputs, accuracy commitments, security standards referenced to NCSC guidance, breach-notification timelines, liability carve-outs, and exit provisions including data portability and transition support.
For platform API terms, ThoughtRiver’s guidance on AI contract clauses recommends requiring a written list of all AI systems used in any deployment and advance notice of material changes. OpenAI made unannounced API changes in March 2024 following prompt-leak reports; Stability AI revised its licensing terms in late 2023. Both showed how quickly upstream model changes can affect the downstream applications built on top of them.
When should you press for bespoke AI clauses and when can you accept standard terms?
The answer depends on four factors: whether personal data is involved, whether the AI influences decisions about individuals, whether outputs appear in client work, and how significant the liability exposure is if something goes wrong. Where all four are low, standard click-wrap terms are proportionate. Where any is high, the defaults are likely insufficient and proper AI clauses are worth the effort.
Four scenarios warrant proper AI contract provisions. First, any use that processes client personal data: a written data processing agreement is required under UK GDPR regardless of the vendor’s standard terms. Second, any AI use that influences hiring, dismissal, pricing, or service eligibility for identifiable individuals: the ICO’s guidance on automated decision-making requires meaningful human review and the right to contest.
Third, any engagement where AI outputs go directly into client deliverables, where IP ownership and liability for defective output are live questions. Fourth, longer-term engagements where the vendor’s standard liability cap creates a material mismatch between your exposure and your recourse.
Conversely, if your firm uses a public chatbot only for internal drafts with no personal data and no client-facing outputs, bespoke AI schedules add limited value. Open-source models running on your own infrastructure shift the issue to internal governance rather than supplier terms.
What else needs to sit alongside the contract?
The contract covers your relationship with the vendor, but several adjacent obligations apply regardless of what it says. A Data Protection Impact Assessment is mandatory for any high-risk AI use, including large-scale profiling or automated decisions affecting individuals, and the ICO can require evidence of the DPIA if it investigates a complaint.
The NCSC’s 2023 “Guidelines for Secure AI System Development” sets out secure-by-design principles for AI tools: protecting training data, securing supply chains, and maintaining logging. Your contract should reference these standards, but you also need to verify internally that the controls are in place. If you have EU clients and AI-enabled services reach the EU market, the EU AI Act applies: as the deploying business, transparency and human oversight obligations attach to you. The EU’s Model Contractual Clauses for AI Procurement (MCC-AI), published in 2024, provide a reference framework for those obligations and are increasingly used in private contracts as well as public procurement.
The contract sits inside your internal AI policy. That policy should specify which tools are approved, what data categories can be processed, who signs off on new AI uses, and how incidents are reported. Strong contract clauses with no internal governance are only half the job.
The sequence that works for owner-operated UK firms: start with data and IP, add human oversight clauses for any decision that affects a person, align security requirements with NCSC and UK GDPR breach-notification obligations, and build in exit rights that account for upstream model changes. Revisit annually as ICO, CMA, and EU AI Act guidance evolves. If you’d like a sounding board on how these contract provisions fit your specific AI procurement, book a conversation.