The Clause Hiding in Plain Sight
A new wave of contract analysis is exposing an uncomfortable reality for enterprise buyers. Standard clauses buried in software agreements are handing AI vendors sweeping rights to train models on source code, financial records, legal documents, and customer data. According to work by TermScout in partnership with Stanford Law School's CodeX center, 92 percent of AI contracts claim data usage rights that go beyond what is needed to deliver the service, compared with a 63 percent average across standard SaaS deals. The gap is not a rounding error. It is a structural shift in who benefits from the data enterprises generate.
The mechanism is mundane, which is exactly why it is dangerous. Most procurement teams scan for price, uptime, and termination terms, not for a sentence granting the vendor rights to improve its models. Yet that sentence can convert a routine subscription into an open-ended training license. For companies in regulated industries, where the data in question may include privileged legal material or sensitive financial records, the implications run well beyond commercial inconvenience and into compliance and confidentiality exposure.
The Numbers Tell a One-Sided Story
Beyond the headline figure, the analysis paints a picture of contracts tilted sharply toward vendors. Only 33 percent of AI agreements offer protection from third-party intellectual property claims, below the 58 percent market average for conventional software. That matters because generative systems can reproduce material that infringes someone else's rights, and a customer left without indemnification carries that risk alone. The party with the least visibility into how a model was trained is being asked to absorb the most liability when the training goes wrong.
Most striking is that just 17 percent of AI contracts clearly commit to following applicable laws, against 36 percent in standard SaaS agreements. Read plainly, more than four in five AI vendor contracts decline to make an unambiguous promise to comply with the law. We do not think most of these vendors intend to break rules. But the absence of the commitment is itself the tell. It reflects an immature market in which providers are reluctant to bind themselves to obligations whose contours regulators are still drawing.
Figma and Adobe Show the Stakes
This is not theoretical. Figma faced a proposed class action in California federal court in November 2025 alleging that customer designs and intellectual property were used to train AI without permission, a claim the company denied. Adobe drew customer backlash over updated terms that appeared to grant broad rights to content, then clarified that it does not train AI on customer data, while noting it uses licensed image collections for its Firefly system. Both episodes followed the same arc: an opaque term, a public outcry, and a scramble to reassure users.
The pattern should worry any executive who assumes a trusted vendor would never repurpose their data. The disputes did not stem from rogue actors but from mainstream platforms whose terms were ambiguous enough to alarm sophisticated customers. If the companies building the design and creative tools of record can stumble into this controversy, the long tail of smaller AI vendors, with thinner legal teams and hungrier model roadmaps, warrants far closer scrutiny before anything sensitive flows through them.
What Buyers Should Demand Now
Regulators are beginning to move. The FTC warned in February 2024 that companies cannot quietly revise privacy commitments to enable AI training, and that doing so may violate the FTC Act. Juanita DeLoach, a partner at Barnes and Thornburg, recommends explicit contractual restrictions on the use of customer data, prompts, and outputs for training models that serve other clients. That last point about outputs and prompts is the one most buyers overlook, since training fuel increasingly comes from how customers use a tool, not just the files they upload.
Our advice to CIOs and general counsel is to treat every AI agreement as a data-rights negotiation, not a procurement formality. Insist on clear no-training language for your data, prompts, and outputs, demand IP indemnification, and require an explicit commitment to legal compliance. Vendors that resist these terms are telling you something important about their business model. In a market where 92 percent of contracts already overreach, the burden has shifted to the buyer to claw back rights that should never have been on the table.
