Two Contracts Define Your AI Risk: The Vendor's Terms of Service and Your Insurance Policy. Have You Read Either One?
By Gabriel Tan | May 2026
Two contracts determine what happens to your firm when an AI-assisted deliverable goes wrong. The first is your AI vendor's terms of service. The second is your professional indemnity insurance policy.
Most MDs have read their vendor agreements, but few have paid close attention to the liability clauses specific to AI-generated output. And most have a professional indemnity policy in place, but it was written and reviewed before AI became part of the workflow. One of those contracts has already been written to protect the other side. The other one probably does not cover what you think it covers.
Contract 1: Your vendor's terms of service
Open the terms of service for ChatGPT, Claude, or Gemini. Search for the word "liability." You will find a clause that says something like: the provider does not guarantee the accuracy, completeness, or reliability of any output generated by the service.
Every major AI vendor says this: OpenAI, Anthropic, Google. The wording differs; the position does not. The vendor is not responsible for what the AI produces. You are. Business and API terms sometimes add an indemnity for third-party intellectual-property claims over outputs, and they differ from consumer terms on whether your inputs are retained and used for training, but none of them warrants that the output is accurate.
The EU AI Act formalises this through a framework that divides responsibility between two roles: the provider and the deployer. The provider is the company that builds the AI system or places it on the market. Its obligations include documenting how the system works and monitoring it after release. The deployer is the company that uses the AI system in its operations. That is your firm. Deployer obligations include using the system as instructed, assigning human oversight, monitoring performance, keeping the logs the system generates, and ensuring staff have adequate AI literacy.
Under the Act, the provider is responsible for what it built and the deployer for how it was used. One caveat: the full set of deployer obligations (Article 26) attaches to systems the Act classifies as high-risk, which a general-purpose drafting tool in a PR workflow usually is not. The AI literacy duty (Article 4) applies to every deployer, and the rest is the standard a regulator, a client, or an insurer will reasonably expect. If a regulator investigates a problem with an AI-assisted deliverable, the question they ask your firm is not "did the AI make a mistake?" The question is "what did your firm do to catch it before it went out?"
Product liability law is moving in the same direction. The EU's revised Product Liability Directive (2024/2853) treats software, including AI systems, as a product. Liability falls on the manufacturer and, where the manufacturer is outside the EU, on importers and other economic operators in the supply chain; a deployer is caught only if it substantially modifies the product. Where the technical complexity of a system makes it excessively difficult for a claimant to prove a defect or the causal link, the Directive lets a court presume defectiveness once the claimant shows it is likely, and the burden shifts to the defendant to rebut it. Two caveats matter for a PR firm: the Directive compensates natural persons for death, injury, property damage and loss of data, not a client's pure economic loss, and Member States have until December 2026 to transpose it. In the UK, the Consumer Protection Act 1987 imposes strict liability for damage caused by defective products, with no negligence to be proven, although whether standalone software counts as a "product" under the Act remains untested.
The vendor's terms of service disclaim accuracy. The law is building a framework where your firm, as the deployer, carries the operational liability. That is Contract 1. Five minutes to read. The implications are significant.
Contract 2: Your insurance policy
Call your professional indemnity (PI) insurer. Ask one question: does our policy cover claims arising from AI-assisted deliverables?
Most PI policies were written before AI became a standard part of the workflow. They cover professional negligence, errors, and omissions in the delivery of professional services. Whether an AI-assisted error falls within that coverage depends on the policy language, and most policies have not been updated to address it.
There are three scenarios your insurer may not have contemplated. First, your team uses AI to draft an investor update. The AI fabricates a statistic. The client publishes it. The share price moves. The regulator investigates. Is that covered under professional negligence, or is it excluded because a tool, not a person, generated the error?
Second, a client claims that your firm's use of AI without disclosure breached the engagement terms. The claim is not about the output quality. It is about the process. Does your PI policy cover process disputes, or only output errors?
Third, an AI tool's data retention leads to a confidentiality breach. Client information that was entered into a consumer-tier tool, whose terms typically allow inputs to be retained and used for training unless the user opts out, surfaces in a way that exposes the client. Is that a professional indemnity claim, a cyber liability claim, or neither?
If your insurer cannot confirm coverage for these scenarios, your firm is carrying uninsured risk on every AI-assisted deliverable. That is not a governance problem. That is a balance sheet problem.
The conversation takes 15 minutes. Get the answer in writing.
The gap between the two contracts
The vendor has protected themselves through their terms of service. Your insurer may not have confirmed coverage for AI-assisted work. Your firm sits in the gap between those two positions.
The way to close that gap is a documented accountability chain for every client deliverable where AI was used.
The drafter. The person who used the AI tool and produced the initial output. They log which tool was used (including the model and whether it was a consumer or business tier, since the terms differ), what data was entered, and what the AI generated.
The reviewer. A named person who knows AI was used and checks the output specifically for accuracy. This is not a general proofread. The reviewer is checking AI-generated claims against source material: are the numbers right, are the quotes real, are the forward-looking statements supported?
The approver. A senior person who confirms the deliverable is fit for release. They sign off knowing AI was involved, knowing the review was conducted, and accepting responsibility for the final output.
Three names. Three sign-offs. One log entry per deliverable. This chain does two things. It reduces the likelihood of an AI-related error reaching the client. And if something does go wrong, it gives your firm a documented process to show the regulator, the client, and the insurer. A firm with a documented chain is in a stronger position than a firm that says "we review everything" but cannot show how.
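The accountability chain above is a process, but the log entry that records it is only useful as evidence if it cannot be quietly rewritten after a complaint. The following is an added example, not code from the article or from Mekong Bridge Advisory: a minimal append-only log that records one entry per deliverable (tool, drafter, reviewer, approver, and the specific accuracy checks the reviewer attested to), refuses an entry unless three different people signed it, and hash-chains entries so that any later edit is detectable. The deliverable IDs, names, tool label and timestamps in the demo are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64

# The three accuracy checks the reviewer must attest to (from the reviewer role above).
REQUIRED_REVIEW_CHECKS = frozenset(
    {"numbers_verified", "quotes_verified", "forward_looking_supported"}
)


def _entry_hash(entry: dict) -> str:
    """SHA-256 over the canonical JSON of the entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DeliverableLog:
    """Append-only, hash-chained log: one entry per AI-assisted client deliverable."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, deliverable_id, tool, drafter, reviewer, approver,
               inputs_summary, review_checks, timestamp=None) -> dict:
        # Separation of duties: three named people, nobody fills two roles.
        if len({drafter, reviewer, approver}) != 3:
            raise ValueError("drafter, reviewer and approver must be three different people")
        # The reviewer signs off on specific AI-accuracy checks, not a general proofread.
        missing = REQUIRED_REVIEW_CHECKS - set(review_checks)
        if missing:
            raise ValueError(f"review incomplete, missing: {sorted(missing)}")
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        entry = {
            "deliverable_id": deliverable_id,
            "tool": tool,
            "inputs_summary": inputs_summary,
            "drafter": drafter,
            "reviewer": reviewer,
            "review_checks": sorted(review_checks),
            "approver": approver,
            "timestamp": ts,
            # Link to the previous entry; editing any earlier entry breaks every later link.
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries: list[dict]) -> tuple[bool, int]:
    """Recompute every hash and link. Returns (True, -1), or (False, index of first bad entry)."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.get("prev_hash") != prev or _entry_hash(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, -1


def demo() -> tuple[bool, bool]:
    """Constructed sample: two deliverables, then a silent edit to the first entry."""
    log = DeliverableLog()
    checks = ["numbers_verified", "quotes_verified", "forward_looking_supported"]
    tool = "chat-assistant (business tier)"  # illustrative label, not a real product name
    log.record("INV-UPDATE-2026-Q1", tool, "a.ng", "b.lim", "c.tan",
               "Q1 revenue figures and board-approved narrative", checks,
               timestamp="2026-05-04T09:00:00+00:00")
    log.record("PRESS-RELEASE-017", tool, "a.ng", "d.koh", "c.tan",
               "product launch brief, no client financials", checks,
               timestamp="2026-05-05T11:30:00+00:00")
    before_ok, _ = verify_chain(log.entries)
    log.entries[0]["reviewer"] = "nobody"  # someone rewrites history after a complaint
    after_ok, _ = verify_chain(log.entries)
    return before_ok, after_ok


if __name__ == "__main__":
    print(demo())  # (True, False): the chain verified before the edit and fails after it
```

A hash chain only detects edits by someone who does not also control the tail of the chain. For a log you may need to show an insurer, periodically copy the latest hash somewhere outside the firm's control of the file (a ticket, an email to the insurer, a signed timestamp) so the history cannot be rewritten wholesale.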
What to do this week
Read Contract 1. Open the terms of service for every AI tool your firm uses, and the business or API terms if that is what you are on, since they differ from the consumer terms. Search for "liability," "disclaimer," "warranty," and "accuracy." Note what the vendor does and does not cover, and whether your inputs are retained or used for training. Five minutes per tool.
Read Contract 2. Call your PI insurer. Ask whether your policy covers claims arising from AI-assisted deliverables. Ask about the three scenarios above. Get the answer in writing. Fifteen minutes.
Close the gap. Document the three-role chain. For every client deliverable where AI is used: who drafted, who reviewed, who approved, which tool was used. Add this to your existing workflow as a sign-off line.
The vendor built the tool. Your firm chose to use it. One contract protects the vendor. The other contract may not protect you. The gap between them is where your firm's risk sits. Close it before something forces you to.
Gabriel Tan is the founder of Mekong Bridge Advisory. He builds structured execution systems for PR and communications firms.
info@mekongbridge.com | www.mekongbridge.com