AI Regulation Tracker / Procurement
Most enterprise AI SaaS contracts claim data rights beyond service delivery, reported analysis finds
An analysis reported by PYMNTS finds that a large majority of AI vendor contracts assert data-usage rights wider than the service itself requires, and that only a minority promise protection against third-party IP claims. The clauses often sit unremarked in standard SaaS agreements.
A large majority of enterprise AI contracts reportedly claim the right to use customer data for more than delivering the service the customer paid for. That is the central finding of an analysis reported by PYMNTS on June 24, 2026, which attributes its data to TermScout, a contract-review platform associated with Stanford Law School's CodeX center. According to the reported figures, 92 percent of AI vendor contracts assert data-usage rights beyond service delivery, compared with a reported market average of 63 percent across contracts generally. The practical concern for buyers is that these rights are often written into standard agreements that pass through procurement as routine software terms.
The framing in the reporting is deliberate. It treats these contracts less as software licenses and more as data licenses that run in the buyer's disfavor, because the asset a vendor gains is not only a subscription fee but access to customer inputs it can reuse. For a buyer, the question shifts from what the software costs to what the buyer is granting away in exchange. That is a different review than most procurement processes are built to perform, and it is the gap the reported figures point to.
What the reported numbers say
Two reported gaps stand out. The first is the data-usage gap already noted: a reported 92 percent of AI contracts claim rights beyond service delivery, against a reported 63 percent market average. The second concerns risk allocation. According to the analysis reported by PYMNTS, only 33 percent of AI vendors offer protection against third-party intellectual-property claims, compared with a reported average of 58 percent in the broader market. In plain terms, AI buyers are reportedly being asked to grant more and receive less protection than buyers of conventional software. These are reported findings from a private contract analysis, and the percentages should be read as attributed figures rather than established fact.
Where the training license hides
The mechanism is less about a single dramatic clause and more about how ordinary language is drafted. As the reporting describes it, a vendor may seek to use customer data, or derivatives of that data, to train, fine-tune, or improve models that serve other customers or the vendor's own products. A confidentiality clause that permits use of data to "provide and improve the service" can, in an AI context, read as permission to feed customer inputs into model training. The report also cites a related finding that only 17 percent of AI contracts clearly commit to following all applicable laws, which points to broader ambiguity in how these agreements are written.
Why this matters for privileged and regulated data
For firms that handle confidential, privileged, or regulated information, the exposure is concrete. If a law firm's prompts, a bank's client records, or a health provider's patient data pass through an AI tool whose contract permits model improvement, that data may inform outputs delivered to unrelated third parties. The reported scarcity of IP-claim protection compounds the problem, because a buyer whose vendor does not indemnify against third-party IP claims may carry that risk itself. Silence in the contract does not default to the buyer's benefit. It can operate as consent.
What it does not establish
The reported analysis does not show that these vendors are unlawfully using customer data, and it does not name specific companies as violators. It is a study of contract language and the rights that language reserves, not a finding of misconduct. Nor does it mean every AI agreement carries these terms. The value of the reporting is as a prompt to check your own contracts against the pattern it describes, not as a verdict on any particular vendor.
The red-line discipline buyers can apply
Procurement and in-house counsel can respond without waiting for regulation. Locate the data-usage, training, and IP-indemnity clauses in each AI agreement and read them against what the tool needs to run. Require that confidential inputs be excluded from any model training by the vendor and its sub-processors. Ask for written confirmation, not a verbal assurance, and press for third-party IP-claim protection where the vendor withholds it. Where a vendor will not narrow the terms, that refusal is itself information for the buying decision.
The reporting also notes that enterprise customers are already pushing back on vendor terms that create ambiguity around permissible AI use. That pushback is the leverage buyers have. A clause that reads as consent to train can often be narrowed to consent to operate, and an indemnity gap can sometimes be closed on request, particularly for larger contracts. None of this requires new law. It requires reading the specific words a vendor has chosen, asking what the tool genuinely needs, and declining to sign until the two match. The reported pattern is a reason to make that review standard practice for every AI purchase, not an exception reserved for the largest deals.
Frequently Asked Questions
What did the reported analysis actually find?
According to an analysis reported by PYMNTS and attributed to TermScout and Stanford Law School's CodeX center, a reported 92 percent of AI vendor contracts claim data-usage rights beyond service delivery, against a reported 63 percent market average, and only a reported 33 percent of AI vendors offer third-party IP-claim protection, versus a reported 58 percent average. These are attributed figures, not established fact.
Who is affected by this?
Any organization buying AI-enabled software under standard terms, and the procurement, legal, and compliance teams reviewing those agreements. The stakes are highest for firms handling confidential, privileged, or regulated data, including law firms, financial institutions, healthcare providers, and other professional-services buyers.
How can a standard SaaS contract become a training license?
Through broad drafting. Clauses that let a vendor use data to "provide and improve the service" can, in an AI context, read as permission to train, fine-tune, or improve models using customer inputs. The reporting notes that such rights often sit in routine agreements that clear procurement without special scrutiny.
What is the single most important step to take now?
Have counsel find and red-line the data-usage, model-training, and IP-indemnity clauses in each AI or SaaS agreement before signing, and require written confirmation that the vendor and its sub-processors will not train models on your confidential or privileged inputs.
Does this analysis mean specific vendors broke the law?
No. The reported analysis studies contract language and the rights vendors reserve, not vendor conduct. It does not allege unlawful data use or name specific companies as violators, and not every AI agreement carries these terms. Treat it as a reason to review your own contracts, not as a finding against any particular vendor.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.