The rapid adoption of artificial intelligence (AI) across industries has introduced a new set of legal and strategic questions for parties on both sides of commercial and intellectual property license agreements. Whether you are a technology provider offering AI-powered solutions or a customer licensing those tools, the terms governing these relationships carry consequences that extend well beyond the typical software or services deal. This alert highlights the most important considerations for structuring, negotiating and managing these contracts.
Ownership of AI-Generated Outputs
AI-generated outputs may not always be clearly protected by copyright, particularly where human authorship is limited. Guidance from the U.S. Copyright Office and recent cases indicate that purely AI-generated works lacking meaningful human input are not eligible for copyright registration, and that prompts alone are generally insufficient to qualify as authorship. Human contributions involving selection, editing and structural decisions remain protectible, but the line between protectible and unprotectible output is still developing.
Because of this legal uncertainty, contractual allocation of ownership becomes critical. Agreements should include explicit ownership clauses stating which party owns all outputs, including derivatives where applicable. Some large language model providers, such as Anthropic, currently offer express assignment of ownership to the customer, while others state that the customer owns outputs or condition ownership on certain terms. Providers and customers alike should review these upstream provisions carefully and ensure that downstream agreements are consistent.
Training Data and Confidentiality
When a technology company builds its product on a third-party model, the rights it can grant to its own customers are necessarily constrained by the terms accepted from the underlying model provider. In particular, training and data-use provisions warrant careful scrutiny. Some model vendors reserve the right to use customer inputs and outputs to improve their systems, which can create material risks for confidentiality and trade secret protection. While enterprise offerings often provide that customer data will not be used for training absent an explicit opt-in, vendors frequently retain rights to use aggregated and/or de-identified usage data. If not clearly circumscribed, these rights can expand over time in ways that blur the line between operational usage data and customer content.
Accordingly, providers must ensure that their downstream customer agreements do not contain representations or commitments that are inconsistent with upstream vendor terms. Confidentiality obligations, data use restrictions and data processing agreements should be carefully aligned across the contractual stack to avoid gaps or inadvertent overpromises.
Relatedly, the risk of confidentiality leakage should be addressed explicitly. AI systems may retain, log or otherwise reuse prompts and interactions, depending on their design and configuration. Contracts and internal policies should therefore govern the inclusion of confidential information in prompts and clearly address whether and under what conditions such information may be used for model training or system improvement.
Avoiding Third-Party IP Infringement
AI-generated outputs present intellectual property risks at both the input and output stages. Upstream, training datasets may contain copyrighted material, and the extent to which such use constitutes fair use or otherwise complies with applicable law remains unsettled. Downstream, generated outputs may be identical or substantially similar to protected works, creating potential infringement exposure.
Customers should seek vendor representations and warranties regarding compliance of training practices with applicable intellectual property laws. In practice, however, many vendors either decline to provide such assurances or qualify them to limit exposure (e.g., by knowledge or materiality). As a result, these provisions are often heavily negotiated and may provide limited protection.
Indemnification is a critical, yet highly variable, component of AI contracting, as are insurance considerations. [See our previous alert on AI coverage exclusions.] Some providers disclaim any indemnification for customer use of outputs, arguing that customers control deployment and use. Others offer more robust, customer-facing indemnities, sometimes carving them out from general liability caps, while certain platforms provide limited or no indemnity coverage for outputs at all. Companies building on third-party models must carefully assess their upstream indemnity rights and align them with downstream contractual commitments to avoid unanticipated liability gaps.
Accordingly, agreements should clearly delineate responsibility between vendor and customer, particularly given the frequent tendency of vendors to allocate downstream risk to the customer. As practical safeguards, both parties should implement human review processes prior to commercial use of outputs, consider deploying content filtering and similarity detection tools, and maintain contemporaneous records documenting human involvement and authorship in the development and finalization of outputs.
Data Privacy, Human Oversight and Regulatory Compliance
AI-powered solutions introduce heightened and evolving compliance obligations. Parties should ensure that sensitive or personal data is not improperly included in prompts, fine-tuning datasets or other training inputs. This issue is closely tied to data-processing frameworks, as some model providers may process personal data contained in inputs under their own terms, potentially acting as independent controllers rather than processors, depending on the service design and contractual structure. Accordingly, commercial agreements should incorporate clear provisions governing data use, as well as audit and transparency rights addressing model operation, data handling practices and applicable security safeguards.
On the customer-facing side, providers should be mindful that AI outputs may be biased or incorrect. Contracts should include appropriate disclaimers regarding reliance on AI-generated content and should require the customer to maintain human oversight over decisions informed by AI outputs. This is particularly important for providers whose products inform consequential decisions, where inaccurate or biased outputs could create liability exposure for both the provider and its customers.
The regulatory landscape is rapidly evolving, and contracts cannot always be fully future-proofed against new legal requirements. Companies should monitor emerging U.S. state-level AI laws, including California’s AB 2013 (the Generative AI Training Data Transparency Act, which requires certain disclosures about training datasets), the California AI Transparency framework (including SB 942 / AB 853 addressing provenance and disclosure obligations for generative AI outputs), and Colorado’s comprehensive AI legislation focused on high-risk systems and consumer protections. Entities subject to these laws, including those that fine-tune or substantially modify existing models, must carefully balance compliance with disclosure obligations against the need to protect proprietary information and trade secrets.
Key Takeaways
Contractual clarity regarding AI is critical in an environment of legal uncertainty. Addressing ownership, IP risk and data use are critical. Above all, strong governance and human oversight remain essential regardless of how sophisticated the underlying technology becomes.
For more information on the importance of legal counsel in complex commercial and technology contract reviews and negotiations, please contact Chiara Portner, or your regular Lathrop GPM attorney.