AI Clauses for Your Next RFP: Three Requirements to Add Before Your Vendors Add AI to Your Work

Executive Summary

• Your non-AI vendors are already using AI on your deliverables. McKinsey’s 2025 Global AI Survey (n=1,363) finds 71% of professional services organizations use generative AI in at least one business function — up from 33% in 2023. Marketing agencies lead at 82% adoption. An ACC/Everlaw survey (n=657 in-house counsel, 30 countries, 2025) found that 60% of corporate legal departments do not know whether their outside law firms use generative AI on their matters. The disclosure gap applies equally to accounting firms, IT consultants, and marketing agencies.
• Your existing RFP templates and service agreements were written for a human-only operating model. They do not address whether a vendor may use AI tools on your deliverables, what happens to your data when it enters an AI system, or who bears liability when AI-generated work product contains errors. The contract red lines card (#14) covers contracts with AI vendors you are buying. This covers the other direction: your existing service providers using AI on work you already paid for.
• Three clauses — disclosure, data handling, and error liability — close the gap for less than an hour of GC time per RFP template. These are not theoretical. The GSA finalized a proposed AI contract clause (GSAR 552.239-7001, March 2026) requiring federal contractors to disclose all AI systems used in contract performance. Courts have sanctioned over 128 lawyers across 700+ documented cases involving AI hallucinations (Law360 AI tracker, cumulative through Q1 2026). The risk is current, and the contractual protection is straightforward.

The Problem: Your Vendors Changed How They Work. Your Contracts Did Not.

A 300-person company outsources work to 15-30 service providers: an accounting firm prepares tax returns, a marketing agency writes content, a law firm drafts contracts, an IT managed services provider monitors infrastructure, a benefits consultant administers open enrollment. As recently as 2023, these providers performed that work with human professionals. As of March 2026, the majority use AI tools in at least some of that work.

This is not speculation. The data is specific:

• Law firms: 79% of lawyers report using AI tools in some capacity (ABA TechReport, 2025). The 2026 Wolters Kluwer Future Ready Lawyer survey finds that 59% of law firms believe generative AI should be used for legal work. Yet 60% of in-house legal teams do not know whether their outside counsel uses AI on their matters (ACC/Everlaw, n=657, 2025).
• Accounting firms: All Big Four firms have deployed AI across audit, tax, and advisory functions. KPMG launched Workbench, a multi-agent audit collaboration platform, in June 2025. EY’s Agentic Platform embeds 150+ specialized tax agents supporting 80,000 professionals globally (EY, March 2025). Mid-market accounting firms are adopting the same tools with less governance infrastructure.
• Marketing agencies: 82% of marketing agencies use AI tools (McKinsey, 2025). The Cannes Lions controversy of 2025 — where Brazilian agency DM9 withdrew awards after its case film used AI-generated footage presented as real-world results — demonstrated the disclosure gap in creative services.
• IT managed services: AI-powered monitoring, ticketing, and response tools are now standard in managed services platforms. ServiceNow, ConnectWise, and Datto all embed AI in the tools MSPs use on client environments.

The standard RFP template at most 200-500 person companies has not been updated since before ChatGPT launched. The standard MSA and SOW lack any reference to AI. The gap between how vendors work and what contracts cover is widening every quarter.

Why This Is Different from the AI Vendor Contract Red Lines Card

The contract red lines card (#14) protects a company that is buying AI tools — negotiating with Copilot, Salesforce Einstein, or a specialized AI vendor. Those negotiations happen with sophisticated counterparties who expect AI-specific contract terms.

This card addresses the opposite scenario: a company that is buying professional services from providers who happen to be using AI as part of their delivery. The accounting firm is not selling AI — it is selling tax preparation. The marketing agency is not selling AI — it is selling content strategy. But both are using AI on the company’s data and deliverables, often without explicit disclosure, and often without updated contractual protections.

The distinction matters because the service provider’s standard engagement letter was drafted for human work. It does not address AI-specific risks: data flowing through third-party AI platforms, outputs containing hallucinated content, or work product that may not qualify for full IP protection because it was substantially AI-generated.

The Three Clauses

Clause 1: AI Disclosure and Prior Approval

The requirement: The service provider must disclose, in writing, any use of AI tools in performing work under this agreement — including generative AI, machine learning models, and automated decision-making systems. Use of AI on deliverables containing confidential, proprietary, or personally identifiable information requires prior written approval from the client.

Why this matters: The GSA’s proposed contract clause (GSAR 552.239-7001, March 2026) requires federal contractors to disclose all AI systems used in contract performance — not just AI products they sell, but AI tools they use to deliver contracted services. The clause defines “Service Providers” broadly to include any entity that “directly and indirectly” provides, operates, or licenses AI systems in connection with government work. This is the direction commercial contracting is heading.

The disclosure requirement serves two functions. First, it creates visibility. The GC cannot assess risk on AI use that is invisible. Second, it establishes a decision point. Some AI use is perfectly appropriate — a law firm using AI for initial document review, a marketing agency using AI to generate first-draft social media copy. Other uses carry material risk — an accounting firm using AI to prepare financial statements without human review, a benefits consultant using AI to make coverage determinations. The disclosure clause lets the company distinguish between the two.

Sample language: “Provider shall disclose in writing, prior to commencement and on an ongoing basis, all AI systems, generative AI tools, and automated decision-making systems used in performing services under this Agreement. Provider shall not use AI tools on Client’s confidential information, personally identifiable information, or regulated data without prior written approval from Client.”

Clause 2: Data Handling Restrictions for AI Processing

The requirement: Client data entered into AI tools by the service provider must not be used to train, tune, or improve any AI model. Data must be processed through enterprise-grade tools (not consumer accounts). Client data must be logically segregated and deleted from AI systems upon completion of the engagement.

Why this matters: When an accounting firm pastes a client’s financial data into a generative AI tool to draft a memo, that data may flow to the AI vendor’s servers. If the AI vendor’s terms permit data use for model improvement — and most consumer-tier AI tools do — the accounting firm just created a data flow the client never authorized and may never discover.

The contractual chain matters. The client’s MSA with the accounting firm includes confidentiality obligations. But those obligations were drafted for human work — they prohibit the accounting firm’s employees from disclosing client information, not the accounting firm’s AI tools. Without an explicit data handling clause covering AI processing, client data can exit the confidentiality framework through a tool the contract never contemplated.

88% of AI vendors cap their own liability at one month’s subscription fees (CIO.com vendor analysis, 2025). If the service provider’s AI tool causes a data incident, the AI vendor’s liability is capped at pennies. The service provider’s liability depends entirely on what the engagement letter says. If it says nothing about AI, the exposure falls to ambiguity — which in practice means litigation.

Sample language: “Provider shall not enter Client data into any AI system that uses inputs for model training, tuning, or improvement. AI processing of Client data must use enterprise-grade tools with contractual data protections. Provider shall maintain logical segregation of Client data within AI systems and certify deletion of Client data from all AI tools within 30 days of engagement completion.”

Clause 3: Liability for AI-Generated Errors

The requirement: The service provider bears full responsibility for the accuracy and quality of all deliverables, regardless of whether AI tools were used in their production. The provider warrants that all AI-assisted work product has been reviewed by qualified professionals before delivery. The provider indemnifies the client against third-party claims arising from AI-generated errors, including but not limited to hallucinated content, fabricated citations, and infringing material.

Why this matters: The AI hallucination problem is not theoretical. Courts have documented over 700 cases involving AI-generated fabrications in legal filings through Q1 2026 (Law360 AI tracker, cumulative). Sanctions have exceeded $100,000 in individual cases. Stanford’s CodeX Center found that general-purpose LLMs fabricate citations in 30-45% of legal research responses (Stanford, 2025). The hallucination rate in other professional contexts — financial analysis, tax preparation, technical writing — is less studied but structurally identical.

The liability question is sharpening. In Mobley v. Workday (July 2024, N.D. Cal.), Judge Rita Lin allowed discrimination claims against Workday under an agency theory, ruling that “when AI systems perform functions traditionally handled by employees, the vendor has been delegated responsibility” for that function. The case achieved nationwide class action certification in May 2025. The principle extends: when a service provider delegates work to AI, the service provider remains accountable for the output.

AI-generated work product also creates an emerging discoverability risk. In In re OpenAI, Inc., Copyright Infringement Litigation (S.D.N.Y., December 2025), Magistrate Judge Wang compelled production of millions of AI-generated logs, finding them relevant and discoverable. K&L Gates’ February 2026 analysis confirms that AI-generated content — including prompts, outputs, and logs — is discoverable in litigation and may not be protected by work product doctrine, depending on context. If a service provider uses AI on deliverables and those deliverables later become relevant to litigation, the AI logs may be discoverable — creating a record the client never intended to generate.

Sample language: “Provider warrants that all deliverables have been reviewed for accuracy by qualified professionals, regardless of the tools used in their creation. Provider shall indemnify and hold Client harmless from third-party claims arising from errors, omissions, fabricated content, or intellectual property infringement in AI-assisted deliverables. Provider’s use of AI tools does not reduce Provider’s standard of care, professional responsibility, or liability under this Agreement.”

Key Data Points

What This Means for Your Organization

The GC at a 200-500 person company can close the RFP gap in a single afternoon. The three clauses above are additive — they attach to existing RFP templates and service agreements without requiring a full contract rewrite. The disclosure clause goes into the standard RFP questionnaire. The data handling clause goes into the data processing addendum or the confidentiality section of the MSA. The liability clause goes into the representations and warranties section.

The timing matters because service provider contracts typically renew on 12-month cycles. Every renewal that passes without AI-specific language is another year of unmanaged risk. The GC who adds these clauses to the next three RFPs that cross the desk — the accounting firm engagement, the marketing agency retainer, the IT services contract — establishes the precedent for the entire vendor portfolio.

The federal government is already there. The GSA clause requires AI disclosure for every contractor on the Multiple Award Schedule. State-level requirements are accelerating: Colorado’s AI Act takes effect June 30, 2026. Illinois requires AI disclosure in employment decisions as of January 2026. New York requires AI disclosure in advertising as of June 2026. These regulations apply to the service providers that mid-market companies hire. If the GC’s standard engagement letter does not address AI, the company inherits whatever AI practices the vendor adopts — governed by whatever the vendor’s AI tool permits, not by what the client’s risk profile requires.

If this raised questions specific to your organization’s vendor agreements, I’d welcome the conversation — brandon@brandonsneider.com

Sources

1. McKinsey & Company, “The State of AI in 2025,” Global AI Survey, n=1,363 respondents, 2025. https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai — Independent consulting firm survey; annual methodology; high credibility.

2. ACC/Everlaw, “Generative AI’s Growing Strategic Value for Corporate Law Departments,” n=657 in-house counsel, 30 countries, 2025. https://www.acc.com/resource-library/generative-ais-growing-strategic-value-corporate-law-departments-survey-results — Trade association survey; large cross-border sample; high credibility.

3. ABA, TechReport 2025, lawyer AI adoption survey. https://www.americanbar.org/groups/law_practice/resources/tech-report/ — Bar association research; comprehensive methodology; high credibility.

4. Law360 AI Tracker, cumulative AI hallucination case database, through Q1 2026. Referenced in Jones Walker LLP analysis: https://www.joneswalker.com/en/insights/blogs/ai-law-blog/from-enhancement-to-dependency-what-the-epidemic-of-ai-failures-in-law-means-for.html — Legal news database with case-level tracking; high credibility.

5. Stanford CodeX Center, LLM hallucination rates in legal research, 2025. Referenced in legal industry analysis. — Academic research center; methodology-driven; high credibility.

6. GSA, Proposed Contract Clause GSAR 552.239-7001 for AI Systems, March 2026. Analysis: https://www.crowell.com/en/insights/client-alerts/ai-for-government-7-days-for-contractor-comments-on-gsa-proposed-contract-clause-for-ai-systems — Federal rulemaking; public record; high credibility.

7. Gibson Dunn, “GSA AI Procurement Rules Would Introduce New Disclosure and Use-Rights Requirements for Federal Contractors,” March 2026. https://www.gibsondunn.com/gsa-ai-procurement-rules-would-introduce-new-disclosure-and-use-rights-requirements-for-federal-contractors/ — Law firm analysis of federal rulemaking; high credibility.

8. CIO.com, “Your Vendor’s AI Is Your Risk: 4 Clauses That Could Save You from Hidden Liability,” vendor contract analysis, 2025. https://www.cio.com/article/4081326/your-vendors-ai-is-your-risk-4-clauses-that-could-save-you-from-hidden-liability.html — Trade publication; methodology not fully specified; medium credibility.

9. Jones Walker LLP, “AI Vendor Liability Squeeze: Courts Expand Accountability While Contracts Shift Risk,” analysis of Mobley v. Workday and contract market patterns, March 2026. https://www.joneswalker.com/en/insights/blogs/ai-law-blog/ai-vendor-liability-squeeze-courts-expand-accountability-while-contracts-shift-r.html — Law firm analysis; case citations verified; high credibility.

10. K&L Gates, “Litigation Minute: Is AI-Generated Content Discoverable? What Companies Need to Know in 2026,” February 2026. https://www.klgates.com/Litigation-Minute-Is-AI-Generated-Content-Discoverable-What-Companies-Need-to-Know-in-2026-2-12-2026 — Law firm analysis of discovery rulings; case citations verified; high credibility.

11. Wolters Kluwer, “2026 Future Ready Lawyer Survey Report,” 2026. https://www.wolterskluwer.com/en/know/future-ready-lawyer-2026 — Legal technology vendor survey; annual methodology; medium-high credibility (vendor-funded but large sample).

12. EY, “EY.ai Agentic Platform launch,” March 2025. Referenced in industry coverage. — First-party vendor announcement; factual; high credibility for stated facts.

13. Tascon Legal, “AI Clauses in Contracts: The Practical Guide for 2025,” contract clause recommendations. https://tasconlegal.com/ai-clauses-in-contracts-the-practical-guide-for-2025/ — Legal practice guide; practical orientation; medium credibility.

Brandon Sneider | brandon@brandonsneider.com March 2026