
AI data governance in deals. Read the rights.

Enterprise AI agreements decide who can train on your data, where it lives, and who owns the output. Default terms lean toward the vendor. The buyer-side job is to fix that in writing before signature.


An enterprise AI contract is a data governance document. It sets who may train on your inputs, where the data sits, and who owns what the model produces.

Key takeaways

  • Default AI terms often allow the vendor to use your inputs to improve their models.
  • Enterprise tiers usually offer a no training commitment, but you must select and verify it.
  • Data residency and retention need explicit clauses, not vendor blog assurances.
  • Output IP ownership is ambiguous by default. Pin it down in the contract.
  • The EU AI Act adds obligations that flow through to your vendor terms.
  • Indemnity for IP infringement is negotiable on enterprise agreements.

Who can train on your data under an AI contract?

By default, some AI tiers reuse your prompts and outputs to improve the model. Enterprise tiers usually disable this, but the setting is opt-in, not automatic. Verify the commitment in the contract, not on the marketing page.

The major vendors publish enterprise privacy positions. Read the OpenAI enterprise privacy terms and the Anthropic commercial terms against your actual order form.

How do you confirm a no training commitment?

  • Find the clause: a written statement that inputs are not used for training.
  • Check the tier: confirm it applies to the tier you are buying.
  • Bind it: reference the clause in the master agreement, not a help article.

Where does your AI data actually live?

Data residency decides which laws apply and which regulators have reach. Without an explicit clause, the vendor chooses the region. Name your required regions and retention limits in the contract.

Retention matters as much as location. Specify how long prompts and outputs are stored and when they are deleted.

AI contract governance checklist

Area        Default risk     Buyer-side fix
Training    Inputs reused    No-training clause
Residency   Vendor chosen    Named regions
Retention   Indefinite       Fixed deletion window
Output IP   Ambiguous        Customer ownership

Who owns the output an AI model produces?

Output ownership is unclear by default. Most enterprise terms assign output to the customer, but copyright in machine-generated work is unsettled law. Get a clear ownership clause and an IP indemnity.

Should you demand IP indemnity?

Yes. Several vendors now offer indemnity against third-party IP claims on outputs for enterprise tiers. Make it explicit and check the cap and the conditions.

Which clauses must you negotiate before signing?

Five clauses carry most of the risk: training use, residency, retention, output ownership, and indemnity. Treat each as a negotiated term, not a fixed default.

How does the EU AI Act affect your contract?

The EU AI Act sets obligations by risk tier that flow through to deployers. Map your use case to its tiers and require the vendor to support the relevant duties.

What frameworks should anchor your review?

Use a recognized control set so the review is repeatable. The NIST AI Risk Management Framework gives a vendor neutral structure for governance and risk.

Where the common advice on enterprise AI contracts is wrong

The common advice is that the major AI vendors are enterprise-safe by default, so the standard order form is fine to sign. We disagree. In roughly 20 to 30 enterprise AI reviews we supported, default or standard tiers allowed input reuse for training in half to two thirds of first drafts, and residency, retention, and output ownership were silent until we raised them. The buyer-side move is to treat the order form as a starting position and negotiate the five governance clauses in writing before signature. Vendor blog assurances are not contract terms; only the contract binds.

Residency and retention are contract clauses, not dashboard toggles. What is not written into the agreement is not enforceable.
By the numbers: 20 to 30 enterprise AI reviews; 50 to 70% of first drafts allowing input reuse; 5 clauses to negotiate.

Source: Redress Compliance advisory engagement file, 2024 to 2025.

An AI vendor blog post is not a contract. If the no training promise is not a clause, it is not a commitment.

Morten Andersen
Co-Founder, Redress Compliance

What to do next

  1. List every AI tool in use and the tier each one is bought on.
  2. Locate the training use clause in each contract and confirm it disables reuse.
  3. Specify required data regions and a retention deletion window in writing.
  4. Add a clear output ownership clause assigning results to your organization.
  5. Require an IP indemnity for outputs and check its cap and conditions.
  6. Map each use case to the EU AI Act risk tiers and the NIST framework.
  7. Block signature until the five governance clauses are agreed.

Frequently asked questions

Can AI vendors train on my enterprise data?

Only if your contract allows it. Default and standard tiers often permit input reuse for training. Enterprise tiers usually disable it, but you must select that tier and bind the commitment in the contract.

How do I stop my data being used for AI training?

Find the no-training clause, confirm it applies to your tier, and reference it in the master agreement. Do not rely on a help page or blog statement; those are not contractual.

Where is my AI data stored?

Wherever the vendor chooses unless you specify otherwise. Name your required data regions and a retention deletion window as explicit clauses in the agreement.

Who owns AI generated output?

Most enterprise terms assign output to the customer, but copyright in machine-generated work is unsettled. Secure a clear ownership clause and an IP indemnity rather than relying on defaults.

Does the EU AI Act apply to my contracts?

If you deploy AI affecting EU users, its risk tier obligations flow through to you. Map your use case to the tiers and require the vendor to support the relevant duties.

Should I require an IP indemnity?

Yes. Several vendors now offer indemnity against third-party IP claims on outputs for enterprise tiers. Make it explicit and check the cap and conditions before signing.

What framework should guide an AI vendor review?

The NIST AI Risk Management Framework gives a vendor-neutral, repeatable structure. Pair it with the EU AI Act risk tiers for regulated use cases.

Are default AI order forms safe to sign?

Not without review. They tend to favor the vendor on training and IP. Treat the order form as a starting position and negotiate the five governance clauses first.
