Navigating AI Service Contracts

Published: 9 Nov 2023
Type: Insight

Organisations are increasingly using and relying on the many commercial advantages of artificial intelligence to model risk, fabricate simulated data, create analytical reports and even generate computer code.

However, the use of AI services is not without risk. Predominantly provided on a “software as a service” basis, the increased risk of AI use is often directly proportional to the complexity of the AI solution offered.

Since a well-drafted contract remains the dominant risk management tool for procuring AI services, the complexity of AI service contracts will also increase with the complexity of the AI services being purchased.

The following are a few examples of AI service contracting issues to keep in mind to effectively manage those risks and to avoid commercial and legal pitfalls.

Many AI solutions are developed to provide a competitive commercial advantage over those who are without such capabilities. However, if open source software is used to develop the AI solution, there are potential downsides caused by the open source licences under which that AI solution was created.

First, the source code for the software may have to be “open” and viewable by anyone, which would negate any desired competitive commercial advantage.

Second, the licence may not include any indemnities for third-party infringement, thus possibly exposing the user to liability in the face of any such claims.

Third, the developer might have to offer any modifications or derivative works of the developed software to others under the same “viral” open source licence terms, including without compensation.

AI service customers should also ensure that the quality, reliability and expected service outputs are very well defined in the AI service agreement.

Failure to do so is one of the leading causes of litigation concerning all technology service transactions, and the need to contractually identify the service level specifications for AI solutions is no different.

A failure to contractually stipulate those outcomes may impede your right to claim that the AI service that you are paying for is not the same quality of solution that you were promised.

The risks associated with failing to operationally define the AI service are compounded by the fact that the quality of AI service can be difficult to verify and assess.

For that reason, AI service agreements routinely include acceptance testing provisions that allow the user to verify the quality of the AI’s functionality before the contract’s commercial and financial obligations take effect. That way, the agreed specifications about the AI’s deliverables can first be tested against the AI’s actual performance.

AI solutions may involve the wide collection of industry data, personal information and existing content (including intellectual property) from third parties. Therefore, AI service agreements should include robust indemnities to compensate the AI customer for any liability that may arise if the AI infringes any third-party right, whether contractual, intellectual property or privacy related.

Whether the data that the AI service relies upon is supplied by the vendor or the customer, the parties should be very sure that there is an uninterrupted chain of legal right to use that data for the AI services.

Finally, the use of AI is now clearly on the radar of financial services regulators internationally. Consequently, the list of regulatory compliance obligations for IT systems, cybersecurity and related AI solutions is increasing.

On October 30, US president Joe Biden signed an “Executive Order on Safe, Secure and Trustworthy Development and Use of AI” and the European Union has introduced the Artificial Intelligence Act to govern AI solutions on the basis of relative risk, data quality and accountability.

Similarly, Canada’s proposed Artificial Intelligence and Data Act (part of Bill C-27) may even require formal risk and impact assessments to be undertaken before AI can be used.

In Bermuda, AI services may already be subject to regulatory scrutiny and proportional risk assessment, including with regard to cyber and IT risk governance, privacy law compliance, outsourcing transactions, the use of cloud services and the need to undertake diligent risk management assessments.

Therefore, all AI service contracts should include provisions that make AI service providers responsible for those compliance requirements, including the requirement to report cyber events, non-interference with regulator investigations or audits and the flow-down of the required security standards.

President Biden’s AI executive order states: “Harnessing AI for good and realising its myriad benefits requires mitigating its substantial risk.”

Most enterprises believe that the exceptional benefits of AI solutions far outweigh the additional diligence and effort that is necessary to manage the commercial, legal and regulatory risks of those solutions.

First Published in The Royal Gazette, Legally Speaking column, November 2023
