The Exposure Class
What is Inherited AI Liability?
The contractual, data-governance, privacy, and regulatory exposure that enterprises accumulate across the full lifecycle of AI vendor relationships. Not because anyone made a mistake. Because the contracts were written for a world that didn’t have AI in everything.
How it accumulates
Before you sign. Procurement moves slower than AI. The contract you sign today reflects a technology that has already moved on. The liability attaches at signature.
After you sign. Traditional software vendors introduced AI into products already under contract. No new agreement. No governance event. The product changed. The contract didn’t.
While it’s running. The vendor changes the model. Adds a subprocessor. Modifies how your data flows. The gap between what you contracted and what’s actually running gets wider every quarter.
After it ends. Standard deletion certificates cover what the contract called “data.” They don’t cover vector embeddings, fine-tuning artefacts, or model memorisation. Some liability is permanent.
Accountability
The liability sits with you, not the vendor
Under GDPR, India’s DPDP Act, and the EU AI Act, the enterprise is accountable as the data controller, data fiduciary, or deployer. That accountability does not transfer to the vendor through the vendor’s contract.
A vendor can be technically excellent and financially stable while its standard contract terms assign all liability for AI outputs to you, grant unlimited subprocessor rights, contain no deletion obligation covering embeddings, and provide no audit rights over algorithmic decisions. Those are contractual gaps, not vendor quality failures. Your existing processes were not designed to catch them.
The Gap
Why your current approach misses it
Security questionnaires review vendor security policies. They don’t review your contracts for AI-specific gaps. A vendor can pass every question while every Stop Condition in their contract remains triggered.
Data protection audits confirm the DPA exists. They don’t identify that the DPA was written before the product became an AI product. The document is there. The liability comes from what it doesn’t cover.
Advisory firm reviews assess your internal posture. They cannot produce unqualified findings on the AI vendors they have commercial relationships with. The assessment most valuable to you is the one no advisory firm with a vendor relationship can produce.
Precedent
This has happened before
In the 1990s, commercial insurance policies covered physical loss. They didn’t mention cyber risk because the category didn’t exist yet. When cyber incidents produced claims, those claims fell into existing policies through silence. The insurance industry spent fifteen years resolving what it named Silent Cyber.
Enterprise AI vendor contracts are following the same pattern. Written for software relationships. AI liability falls into them through silence. The deletion clause that doesn’t mention embeddings. The liability cap drafted before AI outputs were a category of vendor output. Silent Cyber took fifteen years. AI contract liability is in year two or three.
Next Step
See what you're carrying
A 45-minute briefing covers your vendor portfolio and where exposure is most likely concentrated. No obligation.