There is a clause buried in your software contracts that most business owners have never read. It probably lets your vendors train their AI models on your company’s data.
An analysis published by PYMNTS this week pulled apart what is actually in enterprise software agreements — and what it found should give every business owner pause. Standard provisions that were written before generative AI existed, language allowing vendors to “improve,” “build,” or “enhance” their products, now routinely extend to AI training and fine-tuning. Your Jira tickets, your Salesforce records, your support conversations, your financial reports: all of it potentially qualifies.
According to a contract analysis by TermScout cited in the piece, 92% of AI vendor contracts claim data usage rights beyond what is strictly necessary for service delivery. That compares to 63% for standard SaaS agreements. In other words, AI vendors are claiming roughly 50% more data rights than traditional software vendors, and most of those rights are buried in language that looks like boilerplate.
What the Contracts Actually Say
The problem is not that vendors are acting in bad faith. The problem is that contract language has not kept pace with what AI actually does.
A clause written in 2019 that lets a vendor use your data to “improve the service” meant something specific then: usage analytics, performance tuning, maybe some A/B testing on the interface. In 2026, that same clause can plausibly cover fine-tuning a large language model on your company’s documents, feeding your customer conversations into a retrieval system shared across the vendor’s entire customer base, or using your internal workflows as training signal for a general-purpose AI product.
The PYMNTS analysis also flagged that only 33% of AI vendors offer any contractual protection from third-party IP claims, well below the market average of 58% for standard software. And only 17% of AI contracts clearly commit to following all applicable laws, versus 36% in standard SaaS agreements.
That last number is the one that should worry legal and finance teams most. As AI regulations accumulate at the state and federal level, vendors who have not committed to compliance in their agreements create real exposure for the businesses using them.
The Shift That Is Already Happening
On the licensing side, a separate pattern is emerging. What AI companies want to buy has shifted from static data dumps to continuously refreshed real-time feeds. An analysis of 91 disclosed AI licensing deals found that the model is increasingly “rent, not buy”: vendors are paying for ongoing access to live data rather than one-time acquisition.
This matters for businesses because it means your data is not just an input — it is an ongoing asset that AI vendors are structuring their businesses around. The more your business generates useful data (customer interactions, decisions, workflows), the more valuable you are as a training resource.
Most businesses are giving that resource away for free, without negotiating any return, because the contracts were signed before anyone thought to ask.
What This Means for Business
Pull your key AI vendor contracts this week. Look for phrases like “improve our products,” “train our models,” “aggregate usage data,” or “de-identified information.” These are the clauses most likely to include AI training rights. If you cannot find them, that is worth escalating to whoever handles your vendor agreements.
Understand the default. Most contracts default to opt-in for data use. The enterprise standard in 2026 is shifting toward opt-out-by-default, with explicit opt-in required for any model training. If your current agreements do not reflect that, they are worth renegotiating.
Ask the question directly. “Is our data used to train models that serve other customers?” That single question, asked of each AI vendor you work with, will tell you more than any contract review. Vendors who cannot answer clearly are the ones that warrant the most scrutiny.
Know the difference between shared and dedicated models. Some AI deployments train a single model that all customers improve together. Others build dedicated models that run only on your data and serve only your business. That distinction matters enormously for both data governance and competitive positioning. It is also rarely explained upfront.
The businesses navigating this best are not the ones with the most restrictive policies. They are the ones that have a clear, documented position before they sign, not after they discover what they agreed to. The window between “AI is being deployed” and “AI is now deeply embedded” is the moment to act. Most businesses are somewhere in that window right now.
If you’re building with Claude or Codex right now, grab the free Working With Claude field guide. Thirty-two pages on the full ecosystem, Claude Code in depth, and how to roll agents out properly. Get the free guide.
Source
PYMNTS