Trick or Treat Contracts: Avoiding AI Vendor Horror Stories

Ed. Note: This is the fifth article in our series, “Conjuring Competitive Advantage: An AI Spellbook for Leaders,” focused on unlocking AI for business with practical steps and insights. Read Part 1, Part 2, Part 3, and Part 4.

Before adopting AI tools, businesses should follow a structured evaluation process that goes beyond feature comparisons and vendor demonstrations.

AI tools can expose businesses to regulatory violations, data breaches, competitive disadvantages, and reputational damage if not properly vetted.

The AI Tool Evaluation Considerations

1. Develop clear use cases and requirements: Understand precisely what problem you're trying to solve and whether AI is necessary or merely fashionable. Document specific functional requirements, performance expectations, and success criteria. Consider regulatory requirements and whether the proposed use creates a high-risk system under applicable AI regulations. Evaluate whether simpler, non-AI solutions might achieve similar outcomes with less complexity and risk. 

2. Assess the value proposition: Evaluate tangible benefits promised and whether they justify costs and risks. Look beyond vendor marketing claims to understand real-world performance in similar businesses. Calculate the total cost of ownership, including licenses, implementation, training, maintenance, and risk mitigation. Consider the opportunity costs of choosing one solution over alternatives or maintaining the status quo. 

3. Address data considerations: Verify that training data is lawfully sourced with appropriate rights and licenses. Assess whether training data is representative of your use case and free from problematic biases. Ensure personal data handling complies with applicable privacy laws and your organizational policies. Examine whether your input data will be stored, analyzed, or used for model training by the vendor. 

4. Consider jurisdictional implications: Different regions may prohibit certain AI uses, impose specific obligations, or require explicit consent. Understand where data will be processed and stored, and whether cross-border transfers are involved. Adapt systems to meet local regulatory expectations and cultural norms in multinational contexts. Plan for regulatory changes and ensure contracts allow for necessary modifications. 

5. Review technical details and model history: Inquire about model types, architectures, and rationale for technical choices. Request available bias assessments, conformity evaluations, error rates, and performance benchmarks. Understand model update frequency and processes for incorporating improvements. Assess technical documentation quality and availability of support resources. 

6. Check vendor dependencies and supply chain: Understand whether the vendor relies on third-party models, APIs, or service providers. Assess the stability and reputation of any third-party dependencies. Evaluate vendor financial health and the likelihood of continued operation. Consider risks of vendor lock-in and availability of migration paths. 

7. Assess output risks and quality controls: Examine how AI outputs will be used and their potential legal implications. Evaluate accuracy requirements and error tolerance for your specific use cases. Understand potential bias or fairness issues in outputs and mitigation strategies. Test the system with your actual data and use cases before committing. 

8. Ensure meaningful human oversight: Decide who will monitor AI decisions and what training they need. Establish clear protocols for handling errors, appeals, and overrides. Ensure humans maintain meaningful control over significant decisions. Document oversight procedures for regulatory compliance and liability management. 

9. Plan for failure and resilience: Anticipate potential negative impacts and develop mitigation strategies. Integrate AI risk response into business continuity and disaster recovery plans. Prepare comprehensive AI impact assessments before deployment. Establish fallback procedures for when AI systems fail or perform poorly. 

10. Monitor and evaluate: Define specific metrics to measure performance against objectives. Establish feedback loops to capture user experiences and improve system performance. Plan for eventual system replacement or significant upgrades.

The Three Pillars of AI Risk Assessment

When vetting AI systems, there are three critical risk areas that determine overall system safety and compliance: 

• Privacy: Ensure data collection and processing are limited to necessary purposes with appropriate legal bases. Provide transparent notices about AI processing and individual rights. Comply with cross-border data transfer requirements and localization laws. Implement appropriate retention limits and secure deletion procedures. Enable individual rights, including access, correction, objection, and explanation. 

• Security: Evaluate encryption standards for data at rest and in transit. Assess access controls and authentication mechanisms. Test vulnerability to adversarial attacks and data poisoning. Review third-party API security and integration points. Examine incident response procedures and breach notification capabilities. 

• Trustworthiness and Transparency: Build protective measures to prevent biased, harmful, illegal, or misleading outputs and reduce false information generation. Include transparency features suited to specific applications and user needs. Give individuals the ability to challenge AI-driven decisions that impact them. Create defined responsibility frameworks that clarify who is accountable for AI-related outcomes. 

Conducting an AI impact assessment - a structured evaluation of risks, benefits, and compliance requirements - helps identify and mitigate legal, ethical, and operational risks before they materialize. Document these assessments thoroughly as they may be required for regulatory compliance and provide valuable evidence of due diligence in case of disputes.

Contract Clauses That Protect Your Business

Vendors are increasingly embedding AI in products and services, often without clear disclosure. Protect your organization through comprehensive contract provisions: 

1. Use restriction and approval clauses: Include provisions requiring vendors to obtain prior written approval before using AI functionality with your data or on your behalf. Require clear descriptions of current AI use and notification of planned changes. Reserve rights to prohibit AI use for sensitive applications. 

2. Understand vendor AI usage: Request detailed descriptions of how AI collects and processes inputs, generates outputs, and makes decisions. Require documentation of human oversight and override mechanisms. Understand training data sources and update procedures. Clarify whether your data will be used for model improvement. 

3. Obtain comprehensive documentation: Demand detailed documentation of AI system architecture, data flows, and decision logic. Require regular updates to documentation as systems evolve. Ensure documentation is sufficient for regulatory compliance and audit purposes. Include rights to audit AI systems and review performance metrics. 

4. Seek strong compliance assurances: Ensure vendors have policies and procedures to mitigate risks and support regulatory compliance. Obtain warranties regarding legal compliance and fitness for purpose. Include specific performance standards and service levels for AI components. 

5. Address subcontractors and supply chain: Require subcontractors to meet the same AI standards as primary vendors. Include flow-down provisions for AI requirements. Maintain visibility into AI supply chain dependencies. Reserve approval rights for new AI subcontractors or significant changes. 

6. Develop standard AI terms and templates: Create contract templates or addenda with clear AI definitions and requirements. Include standard restrictions on AI use and data handling. Incorporate strong indemnification clauses for AI-related harms. Address intellectual property rights in AI inputs and outputs. 

7. Provide negotiation playbooks and escalation paths: Develop fallback positions and acceptable compromises for common negotiation points. Create approval workflows for deviations based on risk level and data sensitivity. Train procurement teams on AI-specific concerns and red flags. Establish clear escalation procedures for high-risk AI procurements.

Implementation and Ongoing Management

Successful AI implementation demands thoughtful planning and ongoing oversight. Start with pilot programs using select users and low-risk applications, then systematically collect feedback to refine your approach. Scale incrementally, incorporating insights from early deployments while remaining ready to modify or discontinue underperforming tools. 

Create robust governance frameworks with designated owners for each AI tool who oversee performance, risk, and compliance. Schedule regular assessments to verify continued effectiveness and maintain up-to-date inventories documenting tools, risks, and controls. Build knowledge transfer protocols to preserve critical AI expertise across personnel changes. 

These evaluation and contracting practices enable organizations to capture AI's benefits while controlling risks and ensuring compliance. Thorough upfront assessment and strong agreements yield lasting returns through improved outcomes and competitive positioning. Businesses that excel at AI procurement and governance will lead in tomorrow's technology-driven marketplace.