Artificial intelligence tools are becoming standard in business operations — from customer service chatbots to automated financial analysis. But for New York businesses adopting AI solutions, the vendor selection process carries legal risks that most companies overlook until it is too late.
At Travis & DeBlase PLLC, we advise clients to treat AI vendor agreements with the same rigor they would apply to any critical technology procurement — and in many cases, with more scrutiny, given the unique risks AI introduces around data privacy, intellectual property, and regulatory compliance.
Why AI Vendor Due Diligence Is Different
Traditional software vendors sell tools that process data according to fixed rules. AI vendors sell systems that learn from your data, generate outputs that may be unpredictable, and in some cases retain or use your proprietary information to improve their models. This distinction creates several categories of risk that standard vendor vetting does not address.
Data Ownership and Training Rights
The most consequential clause in any AI vendor agreement is the data usage provision. Many AI platforms include terms that allow the vendor to use your inputs — client data, proprietary documents, internal communications — to train or improve their models. For businesses handling sensitive commercial information, this can mean that your trade secrets, client lists, or strategic plans become part of a model that serves your competitors.
New York businesses should insist on contractual language that explicitly prohibits the vendor from using input data for model training, retaining data beyond the session or engagement, and sharing or aggregating data with other customers’ information. These protections are not always the default, and in many cases they must be negotiated.
Intellectual Property Considerations
AI-generated content raises unresolved questions about intellectual property ownership. If your business uses an AI tool to draft marketing copy, generate product designs, or create code, who owns the output? The vendor’s terms of service typically address this, but the answers vary widely. Some platforms assign full ownership to the user. Others retain a license to the output or disclaim ownership entirely, leaving the question open.
For businesses that depend on IP protection — which in New York’s competitive market includes most companies — this ambiguity is unacceptable. Your AI vendor agreements should clearly assign ownership of all outputs generated using your data and prompts.
Compliance with New York and Federal Regulations
New York has been at the forefront of AI regulation. Local Law 144, which took effect in 2023, requires companies using AI in hiring decisions to conduct annual bias audits. The New York Department of Financial Services has issued guidance on AI use in insurance underwriting. And federal agencies including the FTC and SEC are increasing scrutiny of AI-related claims and practices.
Before signing with an AI vendor, New York businesses should confirm that the vendor’s tool complies with applicable regulations, that the vendor will cooperate with required audits and disclosures, and that the agreement includes indemnification for regulatory violations caused by the vendor’s technology.
Security and Breach Notification
AI systems that process business data are attractive targets for cyberattacks. New York’s SHIELD Act requires businesses to implement reasonable safeguards for private information and to notify affected individuals in the event of a breach. If your AI vendor suffers a breach that exposes your data, you — not the vendor — may bear the notification obligation and associated liability.
Your vendor agreement should include specific security standards and certifications (SOC 2, ISO 27001), clear breach notification timelines that allow you to meet your own SHIELD Act obligations, and contractual liability and indemnification for security failures on the vendor’s side.
What to Do Before You Sign
AI vendor agreements are not standard software licenses. They require careful review by counsel who understands both the technology and the regulatory landscape. At Travis & DeBlase PLLC, our AI Enhanced General Counsel practice helps New York businesses evaluate AI vendor agreements, negotiate protective terms, and ensure compliance with applicable law.
If your business is considering an AI vendor — or has already signed an agreement you have not fully reviewed — contact us to discuss your situation.