Existing enterprise agreements: A Trojan horse for AI risk?

A key issue facing business leaders in managing the risks of artificial intelligence is the lack of full visibility of AI usage within their organizations.

Organizations have been scrambling to respond to the opportunities, challenges, and risks presented by artificial intelligence since OpenAI’s large language model, ChatGPT, drew worldwide attention upon launch in November 2022. The pace of development has caught many by surprise.

AI functionality is beginning to appear in tools used by organizations, but it is not always picked up for review by legal and risk functions. The impact is that business leaders can remain unaware of the nature and scale of the risks being introduced into their organizations. So it is important that you don’t let existing relationships and implementations become Trojan horses.

Software vendors enhance offer

As organizations seek to understand the implications of AI, software vendors are embracing its transformative power to enhance their products and services. Enterprise IT products – from productivity suites, to web browsers, to ERP/CRM systems – are embedded and integrated systems that go to the very heart of business operations. They are often procured on largely standard terms with a relatively low level of scrutiny.

Moreover, further engagement with risk management functions on renewal (which may occur automatically) tends to be limited. As a result, business leaders will remain unaware of the nature and scale of the risks being introduced into their organization.

What can you do?

It is important to factor in the potential for AI to be introduced through existing vendor relationships without this triggering a legal or risk review under existing processes. The integration of AI into enterprise IT products may result in additional contractual terms, and you should take care that these are not accepted without adequate oversight at the point of renewal. Alternatively, it may be that no new terms are introduced when they really should be.

Update risk profiles

At the outset, you may have negotiated specific legal and commercial arrangements addressing risk, based on key factors such as the level of control, accountability and oversight that you or the vendor have respectively over the services or the output of the product. AI has the potential to transform those key risk factors and you will want to make sure that the changing risk profile can be managed through the contractual and operational protections you have in place.

Review vendor roadmaps

You should consider what processes the introduction of new functionality into existing tools should trigger, and who should be responsible for triggering them. We’d suggest reviewing vendor roadmaps to seek insights into when a vendor is intending to introduce AI solutions, and working with technology sourcing teams to identify renewal dates and plan for risk review.

Technology and business teams need to play their part in the organization’s approach to vendor and contract management, and good lines of communication between those responsible for the tools, and those managing risk, will be critical.

Chris Eastham is a partner in the Technology and Data team in the London office of Fieldfisher.