How to use this assessment: Work through each item and mark it complete once confirmed. Items flagged High Risk represent the most common sources of material overspend. A score of 15 or more indicates a well-governed position.

Scoring Guide
Tally your confirmed items against these benchmarks to determine your current maturity level.
0 – 5 High Exposure
6 – 10 Partial Governance
11 – 20 Well Governed

Section 1

1. You have documented your minimum acceptable terms — covering SLA uptime, data protection, price stability, IP ownership, and liability cap — before entering vendor negotiations. High Risk
Expert Commentary: Negotiations without pre-defined minimum acceptable terms produce agreements driven by vendor proposals, not buyer requirements. Before any commercial conversation, document your non-negotiable terms (SLA floor, data protection standard, liability cap) and your aspirational terms (price reduction target, MFN clause, multi-year price lock). This separation of must-have from nice-to-have prevents the negotiation from collapsing on low-priority issues while losing ground on critical protections.
2. You have obtained a fully-loaded cost projection — including all token types, caching, batch, embedding, and ancillary fees — for the contract period and confirmed it is within budget. High Risk
Expert Commentary: AI vendor contracts that are signed based on headline token rates routinely produce first-invoice surprises of 40 to 200 percent above the projected cost. Build your cost model using actual pilot token counts, extrapolated to your production scale, and reviewed against the vendor's full rate card — not the summary pricing deck. Confirm that your cost projection is within the approved budget before entering final commercial negotiations.
3. You have confirmed that business, legal, security, compliance, and finance stakeholders have all reviewed the contract and provided written sign-off on terms within their respective domains before signature. High Risk
Expert Commentary: GenAI contracts require multi-disciplinary review that is often compressed into a single legal review by time pressure. Business stakeholders must confirm the scope and performance commitments. Security must confirm the data handling and access control terms. Compliance must confirm regulatory alignment. Finance must confirm the cost model and payment terms. Missing any of these reviews creates accountability gaps that become costly in disputes.
4. You have confirmed that the contract covers all use cases, data types, and deployment environments you plan to use during the contract period — not just those in the current pilot. Medium Risk
Expert Commentary: GenAI vendor contracts that are scoped to the pilot use case frequently require amendment or renegotiation when the programme expands. Confirm that the contract scope covers your planned use cases for the full contract period — including future use cases at the planning stage — and that expansion is covered under the existing commercial terms without requiring a new agreement or price negotiation.
5. You have confirmed in the contract — not just in the vendor's published policy — that your input data and outputs are not used for model training or shared with third parties. High Risk
Expert Commentary: Published vendor policies state that enterprise API data is not used for model training. But policy is not contract. Policies can be changed unilaterally; contract terms require mutual agreement to amend. Obtain a written contractual commitment that your data is excluded from training, used only for service delivery, and deleted according to your specified retention schedule. Vendors will negotiate this term, and you should treat it as a non-negotiable condition of your signature.

Section 2

6. You have reviewed the contract's definition of 'Your Content', 'Output', and 'Training Data' and confirmed that these definitions do not create unintended permissions for the vendor to use your data. High Risk
Expert Commentary: AI contract definitions are frequently the source of unintended data use permissions. A broad definition of 'Training Data' that includes 'aggregated, anonymised interaction data' can encompass your proprietary domain prompts and outputs. Review the definitions section of the contract with legal counsel and confirm that each defined term maps correctly to the intended permission scope.
7. You have confirmed the contract's data residency obligations — specifying the jurisdictions in which your data will be stored, processed, and backed up — and verified they meet your regulatory requirements. High Risk
Expert Commentary: Data residency in GenAI contracts is rarely a simple single-region commitment. Data may be stored in one jurisdiction, processed in another, and backed up in a third. Obtain a complete data flow map from the vendor — specifying every jurisdiction where your data touches any element of the AI service — and confirm it complies with GDPR, the EU AI Act, CCPA, and any sector-specific regulations applicable to your industry.
8. You have confirmed the contract's data deletion terms — specifying when and how your data is deleted, what a deletion confirmation looks like, and what happens to derived models or embeddings trained on your data. Medium Risk
Expert Commentary: Data deletion provisions in standard AI vendor contracts typically cover raw data deletion but are silent on derived artefacts: embeddings generated from your documents, fine-tuned model weights that incorporated your data, and cached outputs that contain your information. Confirm that deletion provisions cover all derived artefacts as well as raw data, and specify the deletion confirmation mechanism and timeline in the contract.
9. You have confirmed that the contract includes a formal SLA with quantified uptime commitment — minimum 99.9% monthly — and defined service credits for SLA failures. High Risk
Expert Commentary: Many early enterprise GenAI adopters signed agreements with no uptime SLA at all. Standard API terms typically include only 'best efforts' availability commitments. For any production application, negotiate a minimum 99.9 percent monthly uptime SLA with defined service credits — at minimum 10 percent of monthly fees per 0.1 percent below SLA. Without contractual service credits, SLA failures have no commercial consequence for the vendor.
10. You have confirmed that the SLA covers model performance — not just infrastructure availability — and specifies the acceptable range for response latency and token generation speed. Medium Risk
Expert Commentary: Infrastructure availability SLAs do not cover model performance degradation. A vendor can achieve 99.9% availability while delivering responses 5x slower than pilot performance, or with substantially degraded output quality during high-demand periods. Negotiate performance SLAs that cover response latency (e.g., 95th percentile response time for your model tier) and escalation rights when sustained performance degradation is detected.

Section 3

11. You have confirmed the contract's support tier — specifically the response time for P1 incidents affecting production AI applications — and confirmed it meets your operational requirements. Medium Risk
Expert Commentary: Standard API support tiers provide email-based support with 24 to 72 hour response times that are inadequate for production AI applications in customer-facing workflows. Enterprise agreements should include a named support contact, a defined P1 escalation path with 1 to 4 hour response times, and a post-incident review requirement. Confirm that your support tier matches your production operational requirements before signing.
12. You have confirmed the contract's force majeure, planned maintenance, and scheduled downtime provisions and assessed their impact on your application's availability commitments to your own customers. Lower Risk
Expert Commentary: Force majeure clauses in AI vendor contracts typically exclude planned maintenance windows from SLA calculations. A vendor with weekly 2-hour maintenance windows can technically achieve 99.9% monthly availability while taking your AI application offline for 8 hours per month. Confirm that planned maintenance is scheduled outside your peak usage hours and is notified with sufficient advance notice for your operational team to prepare.
13. You have confirmed that you own the outputs generated by the AI vendor's model on your prompts and that you have full commercial rights to use those outputs. High Risk
Expert Commentary: Standard AI enterprise terms confirm that you own outputs generated on your inputs. However, two qualifications are common: outputs may not be used to develop competitive AI models, and the vendor may retain a licence to use outputs for service improvement (which should be excluded if you have a data training exclusion clause). Confirm both the ownership confirmation and the restrictions — and confirm that the restrictions are compatible with your intended use of AI-generated outputs.
14. You have confirmed the contract's IP indemnification provisions — specifically whether the vendor indemnifies you against third-party claims arising from AI outputs that infringe copyright or other IP. High Risk
Expert Commentary: AI-generated content copyright litigation is accelerating in 2026. Enterprises that deploy AI-generated content in customer-facing outputs face potential copyright infringement claims if the AI model reproduced third-party copyrighted material. Confirm whether your vendor provides IP indemnification for AI outputs — the scope, the exclusions (such as outputs generated with specific third-party content prompts), and the coverage limit.
15. You have reviewed the vendor's liability cap and confirmed it is proportionate to the financial exposure your business faces from AI output failures in production. High Risk
Expert Commentary: Standard AI vendor contracts cap liability at fees paid in the preceding 12 months — a cap of £50,000 to £500,000 for most enterprise accounts. If your business deploys AI outputs in contexts where an error could cause regulatory fines, customer litigation, or reputational damage exceeding the liability cap, the cap represents an uninsured risk. Negotiate for a higher liability cap for specific high-risk use cases and consider whether AI liability insurance is appropriate as a supplementary protection.

Section 4

16. You have confirmed the contract's indemnification provisions — specifically who bears liability for AI outputs that cause harm to third parties — and confirmed that the allocation is appropriate for your use case. Medium Risk
Expert Commentary: AI liability allocation in enterprise contracts varies significantly across vendors. Some vendors accept liability for outputs generated by their models operating within documented parameters; others place full liability on the enterprise customer for any downstream harm caused by AI outputs. Review the indemnification provisions for third-party claims with legal counsel and confirm that the liability allocation is consistent with your risk appetite and insurance coverage.
17. You have confirmed that the contract includes a price stability clause — specifying that your enterprise rate will not increase beyond a defined cap during the contract period. High Risk
Expert Commentary: AI API pricing has moved dramatically in both directions over short periods. An enterprise agreement without a price stability clause is subject to list price increases that may override your negotiated discount. Negotiate a price cap — maximum annual increase of 5 to 10 percent — or a Most Favoured Nation clause that ensures your rate cannot exceed the rate offered to comparable customers for the same volume commitment.
18. You have confirmed the contract's minimum commit structure — specifically the consequences of under-utilisation — and confirmed that the commit is achievable based on your production forecast. High Risk
Expert Commentary: Enterprise AI contracts with annual minimum commits that the organisation cannot reach create two risks: financial waste (paying for unused tokens) and commercial penalty (additional charges or contract breach for under-utilisation). Base your minimum commit on your production forecast minus a 20 percent buffer for deployment delays and volume variability. Never commit to the volume your sales forecast projects — commit to the volume your conservative operational plan delivers.
19. You have confirmed the contract's auto-renewal, notice period, and renewal negotiation provisions — and set calendar reminders to review 90 days before each renewal date. Medium Risk
Expert Commentary: Standard enterprise AI contracts renew automatically if non-renewal notice is not provided within 30 to 90 days of the renewal date. Missing the renewal notice window locks you into another full contract period at the vendor's proposed terms. Set calendar reminders at 120 days and 90 days before each renewal date, and begin renewal negotiations — including alternative vendor quotes — no later than 90 days before renewal.
20. You have confirmed the contract's termination for convenience provisions — specifically the notice period, any termination fees, and the data return process — and confirmed they are compatible with your exit requirements. Medium Risk
Expert Commentary: Enterprise AI contracts typically allow termination for convenience with 30 to 90 days notice. Some contracts impose termination fees for early exit from annual or multi-year commitments. Confirm the termination notice period, any early exit fees, the data return format and timeline, and the model weight or fine-tuning artefact export process before signing. The ability to exit is a negotiating position to establish before you are committed, not after.

Next Steps

Score your confirmed items against the benchmarks above. If you are in the High Exposure or Partial Governance bands, prioritise the items flagged High Risk — these represent the most common sources of material overspend and are addressable within a single procurement or FinOps cycle.

Redress Compliance works exclusively on the buyer side, with no vendor affiliations. Our GenAI advisory practice has benchmarked AI costs, negotiated enterprise AI contracts, and built governance frameworks across 500+ enterprise engagements. Contact us for a confidential review of your AI cost and contract position.