ARTICLE
2 July 2026

Why Traditional SaaS Agreement’s Do Not Cater For Key AI Risks

E
ENS

Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
As organisations rapidly adopt AI capabilities through familiar SaaS delivery models, a critical misalignment has emerged between traditional software contracts and the novel risks introduced by AI systems.
South Africa Media, Telecoms, IT, Entertainment
Isaivan Naidoo’s articles from ENS are most popular:
  • within Media, Telecoms, IT and Entertainment topic(s)
  • with Inhouse Counsel

Organisations are adopting artificial intelligence (“AI”) capabilities at an unprecedented pace, often through familiar software-as-a-service (“SaaS”) delivery models. Yet, despite this shift in technology, many contracts governing these solutions remain anchored in traditional legal constructs. As a result, there is a growing misalignment between what SaaS agreements were originally designed to regulate and the novel risks introduced by AI systems.

At its core, the issue is not that existing clauses are irrelevant, but rather that they omit certain key AI concepts such as synthetic data, derived data, and continuously evolving AI models. This creates material legal, commercial, and regulatory exposure for customers.

The limits of traditional contractual constructs

Intellectual property clauses in SaaS agreements typically assume static software outputs and clearly identifiable ownership structures. However, AI systems generate outputs dynamically, often based on large-scale training data, iterative learning processes, and ongoing model refinement. This raises fundamental questions such as who owns AI-generated outputs? And do rights extend to model improvements or downstream derivatives?

Traditional IP clauses rarely contemplate:

  • ownership of AI-generated outputs;
  • rights in synthetic datasets created by the AI system; or
  • vendor rights to use customer data to train or enhance models.

Similarly, warranty frameworks in SaaS agreements are designed around predictable software performance. AI systems, by contrast, are probabilistic in nature and capable of producing inaccurate, biased, or evolving outputs. Conventional warranties are not necessarily drafted in a manner to address concepts such as AI model drift, output reliability, or explainability.

Even definitions can become problematic. Terms such as “customer data”, “usage data”, or “analytics data” are frequently drafted broadly. In an AI context, these definitions may unintentionally capture prompts, outputs, feedback, behavioural data, and derived datasets, effectively granting vendors far-reaching rights over valuable customer information and data.

Synthetic data and derived data

One of the most significant gaps in traditional SaaS agreements relates to how they treat data generated by AI systems, rather than data provided to them.

AI systems routinely generate or rely on:

  • Synthetic data, which is artificially created data that mimics real-world datasets; and
  • Derived data, which includes insights, analytics, AI model outputs, and transformed datasets generated through processing.

Standard contractual frameworks often fail to address ownership, control, or permitted uses of these additional data types. This creates risk in several respects for customers.

First, contracts may permit vendors to use “aggregated” or “de-identified” data without restriction. In practice, this can enable vendors to commercialise insights derived from customer data or incorporate them into broader training datasets.

Second, clauses relating to “service improvement” or “enhancement” may allow vendors to use customer inputs, outputs, and behavioural data to refine or train AI models. These provisions are often drafted in vague terms, masking their true commercial impact.

Third, derivative works clauses may be interpreted to extend to trained AI models themselves, particularly where those AI models have been influenced by customer data. This creates a real risk that customers inadvertently grant vendors rights to build competing or enhanced offerings using their information and data.

In a traditional SaaS context, these clauses may have been low risk. In an AI environment, however, they effectively become mechanisms for data extraction and AI model development and commercialisation.

The expanding scope of “data” in AI contracts

A further complexity lies in the expanding definition of what constitutes “data” in AI systems. Beyond structured datasets, modern AI systems capture and process:

  • user prompts;
  • generated outputs;
  • corrective inputs and feedback; and
  • usage patterns and behavioural telemetry.

This information is not merely operational; it is commercially valuable. It can be used to train AI models, refine performance, and develop new products.

From a legal perspective, this creates tension between:

  • the customer’s expectation of confidentiality and control; and
  • the vendor’s commercial incentive to leverage data for AI model improvement.

Traditional SaaS agreements, which were not designed with this level of data granularity in mind, often fail to properly allocate rights and restrictions across this expanded concept of data.

Why AI-specific service levels are critical

Perhaps the clearest example of outdated SaaS clauses lies in service level agreements (“SLAs”). Traditional SLAs focus on system availability, uptime, and response times. While these metrics remain relevant, they do not address the core performance risks associated with AI systems.

AI-specific SLAs must go further to include:

  • accuracy thresholds, ensuring that outputs meet agreed performance standards;
  • bias and fairness metrics, particularly in regulated industries;
  • AI model performance monitoring, to detect drift or degradation over time; and
  • incident response obligations tailored to AI failures (e.g., hallucinations or incorrect outputs).

Without these protections, customers may receive a service that is technically “available” but commercially unusable due to unreliable, inaccurate or inconsistent outputs. Moreover, AI systems evolve over time through retraining and AI model updates. SLAs must therefore address not only current performance, but also how performance will be maintained or improved over the duration of the agreement.

Moving beyond legacy SaaS contracting models

The rise of AI is forcing a fundamental rethink of how technology contracts are structured. Traditional SaaS agreements, with their static assumptions and generic clauses, are no longer sufficient to manage the dynamic, data-intensive, and probabilistic nature of AI systems.

To address this gap, organisations should:

  • introduce AI-specific clauses addressing data usage, AI model training, and output ownership;
  • refine definitions to clearly distinguish between input data, output data, and derived datasets;
  • implement robust AI-specific warranties and indemnities; and
  • develop tailored SLAs that reflect the unique performance characteristics of AI systems.

Ultimately, contracting for AI is not an incremental adjustment to existing frameworks, it requires a deliberate shift in contracting approach. As AI systems become embedded in core business operations, the ability of agreements to accurately reflect and allocate these risks will become a defining factor in successful AI adoption.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More