The Anatomy of an AI Use Rider for Your Vendor Agreements


Artificial intelligence (AI) is becoming a core component of enterprise software and services, especially for SaaS vendors and cloud-based tools. As your vendors adopt AI capabilities - whether through their own models or by integrating third-party tools like OpenAI, Google Vertex AI, or Amazon Bedrock - it’s important to ensure their use of AI aligns with your legal, security, and ethical standards.

One way to do that is by attaching an AI Use Rider to your vendor agreements. Here are best practices on what to include in an AI Use Rider to protect your business. This post will give you a high level overview of what can go into an AI Use Rider for your Vendor Agreements.

1. Clear Definition of “AI Use”

Start by defining what constitutes “AI Use” under the agreement. Include:

• Use of generative AI (text, code, image generation);
• Predictive analytics and recommendation engines;
• Automated decision-making tools.

The definition should be broad enough to cover current and future AI integrations but tailored to your vendor’s service.

2. Approved Use Cases

Vendors should only use AI tools:

• As necessary to provide the contracted services;
• In ways that do not introduce bias, hallucination risks, or misuse of customer data;
• With your prior written approval if use cases change.

This section helps ensure transparency and limits scope creep.

3. Disclosure of AI Subprocessors

Require vendors to disclose:

• The specific AI platforms or models they use (e.g., OpenAI GPT-4, Vertex AI);
• Whether any third parties (including AI service providers) will access your data;
• Updates if the list of subprocessors changes.

This enables better data mapping and security reviews.

4. Data Protection, Handling and Training Restrictions

Make it clear that:

• Your data may not be used to train or fine-tune any AI model unless explicitly authorized;
• Prompt and output logs involving your data must be deleted upon request;
• Personal data or regulated data types (e.g., Protected Health Information) must not be input into generative AI without express consent and compliance measures - including entering into a Business Associate Agreement or Data Processing Addendum.

This aligns with data privacy laws and reduces exposure to downstream liabilities.

5. Warranties and Representations

Vendors should represent and warrant that:

• AI use is in compliance with applicable laws and regulations;
• AI outputs will be reviewed for accuracy and appropriateness before being presented to end users;
• They have safeguards in place to mitigate AI risks (e.g., bias, toxicity, copyright infringement).

This gives you recourse if AI introduces unacceptable risks.

6. Indemnity for AI Misuse

Include a tailored indemnity clause that covers damages, claims, or regulatory penalties arising from the vendor’s improper or unauthorized use of AI. This is especially important if AI tools generate outputs that could result in IP violations, misinformation, or legal exposure. Also consider an unlimited limitation of liability for breaches of the AI Use Rider.

7. Audit and Oversight Rights

Reserve the right to:

• Request documentation of how AI tools are used;
• Audit or review AI governance processes, including testing, monitoring, and bias detection practices.

This encourages accountability and supports your internal compliance obligations.

Let us Help

This is a high level overview of what an AI Use Rider should contain. There may be more specific nuances for regulated industries. An AI Use Rider is important for risk mitigation, operational clarity, and accountability. As AI continues to reshape how services are delivered, forward-thinking businesses should take proactive steps to define the rules of engagement with vendors using these technologies. If you need help drafting an AI Use Rider that fits your business - reach out to Kader Law. We can help businesses navigate AI adoption safely and strategically.

This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader. The content of this post was assisted by generative artificial intelligence solutions.