Summary: Artificial Intelligence has been around for decades, but Generative AI (GenAI) has changed the game — especially for organizations in healthcare, IT, and nonprofit sectors. With that change has come a surge in AI-related contract clauses, governance concerns, and compliance questions that project leaders can’t ignore.

This article breaks down what’s driving those concerns and how organizations can adopt AI safely and effectively.

Why AI Is Showing Up in Contracts

Many organizations are now encountering restrictive “no AI” language in contracts, which can often be late in the deal cycle. These clauses usually stem from legal teams trying to answer a few core questions:

• Will our data be used to train AI models?
• Could our data leak into other customers’ outputs?
• Is this solution compliant with HIPAA or other regulations?

The problem isn’t AI itself. In fact, it’s a lack of shared understanding between legal, technical, and business stakeholders.

Dissecting AI Policy Implementations

Navigating AI effectively is achievable; however, to do so, we must also understand the inner workings of AI.

• Generative AI is a small part of AI that generates content, such as text, summaries, or code.
• Large Language Models don’t “learn” from being used every day. Each prompt is stateless unless fine-tuning or memory is explicitly enabled.
• Most AI models utilize Retrieval-Augmented Generation (RAG), which retrieves data from secure sources at runtime instead of retraining models.

Knowing these differences is important when discussing data usage, retention, and privacy with legal teams.

Reducing Risk

Here’s how organizations can protect themselves and their clients when using AI.

1. Create an AI Acceptable Use Policy

Define:

• Approved tools and models
• Allowed and prohibited use cases
• Rules around sensitive data

Clear guidance reduces shadow IT and unsafe usage.

2. Utilize Prompt Libraries

Centralized prompt libraries:

• Save time and money
• Improve consistency and quality
• Support faster onboarding and audits

Prompts should be tagged just like data (internal-only, client-facing, pending legal review, etc.).

3. Data Controls and Logging

Utilize data classification, implement controls and access specific to organizational roles, and log thoroughly to prevent accidental exposure while ensuring auditability.

Where to look

When using commercial AI tools:

• Confirm Business Associate Availability (especially in healthcare)
• Ensure your data has opt-out settings and is not being used for model training
• Review both data usage policies and API terms of service

For organizations that require a high level of control, self-hosted open-source models can offer a large selection of benefits in terms of privacy and compliance.

How to Negotiate AI Contract Language

When restrictive clauses appear, don’t panic. Instead:

• Identify the specific risk the clause is trying to address
• Clarify how data is actually used (e.g., inference-only, no training)
• Align business, technical, and legal stakeholders before pushing for revisions

Most AI clauses can be clarified once everyone understands the technology and its intended purpose.

 Getting Started

If your organization is early in its AI journey:

1. Add generative AI guidance to your acceptable use policies
2. Train teams on approved tools and AI fundamentals
3. Experiment safely with hosting prompt workshops and building shared libraries

AI adoption doesn’t have to conflict with compliance. With the right guardrails, it becomes a competitive advantage.

Sign Up For Our Newsletter