Key Takeaways:

  • Define AI with specificity: Move beyond vague “AI” labels by specifically defining technologies like machine learning and LLMs to account for the probabilistic nature of generative outputs. Matt Kohel noted that you should look for “terminology that references machine learning, large language models, neural networks… anything where it identifies that the system can do some kind of human reasoning.”
  • Evolve your definition of “Customer Data”: Ensure your addendum covers your data pulled from third-party connectors (like Slack or CRM systems). Laura Belmont warned that many people use connectors to give context, leading her to ask, “Is the data that’s connected and being pulled in actually an input?”
  • Leverage GDPR implementation learnings: Don’t reinvent the wheel; apply the same categorization and renewal strategies used for Data Processing Addendums to integrate AI terms into your existing contract tech stack. Laura Belmont reminded us that “this is something we’ve done before… this is not the first time rules have changed,” suggesting we have the existing precedent to handle this shift. 

Three Expert Tips for Drafting AI Addendums by Jessica Nguyen

Some hikers take the same trail every time. Others like to step out into the wild with nothing but a compass and hope they’ll find their way back to the car hours later. This is the difference between SaaS (deterministic software) and generative AI (probabilistic tool). As a Pacific Northwest native who loves hiking, I can tell you that there’s a big difference between these two hiking preferences, just as there’s a big difference between SaaS and AI. 

In a recent webinar hosted by Contract Nerds and sponsored by Docusign, Intelligent Agreement Management, legal experts Laura Belmont and Matt Kohel shared tips on how to draft and approach AI contract terms. As these provisions shift from optional to expected, lawyers and contracts professionals on both sides of the deal need practical frameworks for identifying risk, negotiating balanced terms, and building internal processes. Our webinar answered questions like: what is standard, what is reasonable, and how do we get there? It equipped attendees with real-world strategies for handling AI-specific clauses, whether they’re being added to an existing master agreement or leveraged for the first time.

Our community of 25,000+ nerds is hungry for practical guidance on this topic. This was evidenced by the almost 2,700 registrants for this webinar — a record-breaking number! If you missed the webinar, in this article I will share my three favorite takeaways, interesting questions that came up during Q&A, and some eye-opening poll results.

SaaS v. AI slide from webinar presentation deck.

Free Download: Access the full 75-minute webinar recording, detailed presentation deck, 6-page sample AI Addendum template drafted by four attorneys, and more free bonus materials about AI contracting.


1. Define “AI Features” with Specificity 

The first hurdle in any AI Addendum is defining exactly what is being governed. A vague definition like “AI Features means features using artificial intelligence” is a recipe for disaster if there’s ever a dispute, because the obligations in the addendum depend on this definition.

Slide discussing good vs. bad ways of defining “AI”.

Matt Kohel emphasizes that “you’re going to see terminology that references machine learning, large language models, neural networks… anything where it identifies that the system can do some kind of human reasoning or problem solving”. This specificity ensures that your contract doesn’t accidentally sweep in traditional, deterministic search functions or basic statistical analysis that doesn’t utilize machine learning.

From the vendor side, this clarity is about managing expectations. Laura Belmont notes that “traditional SaaS is something that’s called deterministic, which means input A is always going to lead to input B, but when we’re talking about AI, it’s probabilistic.” By defining the technology accurately, you ground the entire agreement in the reality that outputs are not always predictable, which directly impacts your SLAs and performance guarantees.

2. Evolve Your Definition of “Customer Data” Beyond Inputs and Clarify Actor Roles

In the age of interconnected systems, “Customer Data” is no longer just the text a user types into a chatbot. We must now account for data accessed via connectors to CRM systems, Slack, or Google Drive. If your definition only covers “inputted” data, you may be leaving a massive volume of processed information unprotected.

Laura Belmont warns that “many people are using connectors which give context by connecting to underlying data sources… and I went back to look at the definition because I was very concerned about this issue of: is the data that’s connected and being pulled in actually an input?” It is critical to ensure your AI addendum explicitly includes “accessed” data to cover these interconnected workflows.

Furthermore, we must navigate the “Three-Actor Model”: the Developer (LLM provider), the Deployer (SaaS vendor), and the Customer (buyer). Matt Kohel highlights the complexity of these relationships, noting that “a lot of the products that you’re seeing are not licensed directly by the developer, and they are becoming more complicated; they may have multiple LLMs working in sequence”. Understanding where the data goes—and which party’s terms apply at each stage—is the only way to truly protect your organization’s proprietary data. 

3. Leverage the GDPR Implementation Map 

Our live poll during the webinar revealed a startling reality: 75% of legal and contracts professionals are either currently drafting or have no AI addendum template at all. 

Folks, we’ve done this before. Remember GDPR circa 2017-2018? While AI feels like a brand-new frontier, the process of implementing new terms to comply with evolving regulations and technology (here, AI terms) is a path we have hiked before – we have the map we can reuse! 

Through the rollout of GDPR, the subsequent mass adoption of Data Processing Addendums (DPAs), the tracking of data subprocessors, and more, in-house legal teams have developed the map needed to manage and categorize risk and to prioritize the high-risk renewals of AI vendors.

“I think a lot of people are holding off because things could change, and there’s not a market industry standard that we could point to,” Laura Belmont observes, “but this is something we’ve done before… this is not the first time rules have changed”. Legal teams should not wait for regulatory certainty. Instead, Belmont suggested, use future-proofing techniques such as “compliance with AI laws as amended from time to time” to maintain flexibility.

Matt Kohel suggests a proactive approach for those stuck in “paralysis by analysis.” He advises that “as the customer, you should also really be thinking about—if you haven’t been given an AI addendum from your vendor—when the situation calls for you to proactively send one to the other side.” By identifying high-risk contracts and renewing agreements in the next six months, you can integrate AI provisions incrementally rather than waiting for a perfect, all-encompassing template.

If you’re one of the 75% who don’t yet have a usable AI Addendum template, not to worry because Contract Nerds is offering an AI Addendum Toolkit to equip you with practical strategies for handling AI-specific clauses. 


Audience Q&A

Question: If a customer prohibits an AI vendor from using their data to train or improve the AI system, how do you reconcile this with the product’s need to inherently self-learn and improve?

Laura Belmont: “I think part of that conversation is we’re looking at it so much as a yes or no—you can opt in or opt out—and maybe there is that gray area of if you can really anonymize the data. What are those controls that will prevent [input getting spit back out] from happening?”

Matt Kohel: “Is the volume of customer data even enough to move the needle to really train a model? Vendors can curate datasets, they can create synthetic data sets, there are data brokers out there… there are plenty of other sources for vendors to acquire and use data beyond just their customers.”

Question: What do you see developing regarding third party AI audits or AI-related indemnification obligations?

Laura Belmont: “Static annual audits can’t manage dynamic AI risks—we need ongoing monitoring and proportional control over changes that could impact our operations”. “Annual third-party security audits [covering] prompt injection and data isolation” are becoming a reasonable middle-ground commitment for vendors.

Matt Kohel: “The current state is that the developer and deployer are not indemnifying from third-party claims arising from inherent LLM limitations like hallucinations or biases. You really have to develop an outside-of-the-box kind of AI identification paragraph… what are the risks that are going to arise from our use?”

Successfully navigating AI addendums requires moving beyond generic “AI” and “Customer Data” definitions to capture the specific risks of probabilistic technology and data connectors. The good news: Legal teams can apply the same implementation strategies used during the GDPR era to future-proof their contracts today. 


Continued Learning Opportunities

  • Join our next free webinar live and get CLE or CPE credit! We host one webinar a month. Follow us on LinkedIn to stay updated.
  • Join 25,000+ lawyers and contracts professionals who want to master contracting skills by subscribing to our weekly newsletter.
  • Check out tons of expert content about AI contracts at www.contractnerds.com.

The post Three Expert Tips for Drafting AI Addendums + Free AI Addendum Toolkit appeared first on Contract Nerds.
