No Liability Cap, No Indemnity, and a 2.3M Lawsuit

Agency Script Editorial (Editorial Team)

March 20, 2026 · 14 min read

Tags: legal protection, contracts, liability, compliance

A sixteen-person AI agency in Boston learned an expensive lesson when a client's automated credit scoring model — built by the agency — was found to produce discriminatory outcomes against minority applicants. The client faced a regulatory investigation. The agency faced a $2.3 million lawsuit alleging negligent implementation and failure to test for bias. The agency's contract had no limitation of liability, no indemnification clause, and no provision addressing AI-specific risks like algorithmic bias. Eighteen months of legal proceedings, $340,000 in legal fees, and a $780,000 settlement later, the founders understood that legal protection is not something you think about after things go wrong.

AI agencies operate in a legal landscape that is evolving rapidly, often ambiguous, and full of risks that do not apply to traditional service businesses. The technology you build can make autonomous decisions that affect people's lives, finances, and opportunities. The data you handle is increasingly regulated. The intellectual property questions surrounding AI are unresolved. And the contracts that govern your client relationships often fail to address any of this.

Here are the legal pitfalls that AI agencies must understand and protect against — before they become expensive problems.

Contract Pitfalls

Missing or Inadequate Limitation of Liability

The single most important clause in any AI agency contract is the limitation of liability. Without it, your agency's exposure is theoretically unlimited.

The risk. If an AI solution you build produces incorrect outputs that cause financial damage to a client — a recommendation engine that crashes revenue, a fraud detection system that misses fraudulent transactions, a demand forecasting model that causes overproduction — the client can pursue damages for the full extent of their loss. Without a contractual cap, that exposure could exceed your agency's total assets.

The protection. Every contract should include a limitation of liability that caps your total exposure at a defined amount — typically one to two times the fees paid under the contract, or the value of your professional liability insurance coverage. The clause should cover both direct and consequential damages.

The implementation detail. Ensure the limitation applies to all forms of liability — breach of contract, negligence, indemnification obligations, and any other claims. Carve-outs for fraud, gross negligence, or willful misconduct are standard and reasonable.

Undefined Intellectual Property Ownership

IP ownership in AI projects is genuinely complicated, and most agency contracts either ignore it or handle it poorly.

The risk. You build a custom NLP model for a client using your proprietary training framework, the client's proprietary data, and publicly available pre-trained models. Who owns the resulting model? The training framework? The model weights? The fine-tuned parameters? If your contract does not address these questions explicitly, you are setting up a future dispute.

The protection. Define IP ownership in granular detail:

  • Pre-existing IP: Tools, frameworks, and methodologies that existed before the engagement remain your property. License them to the client for use with the deliverables.
  • Client data: All client data remains the client's property. Define permitted uses during and after the engagement.
  • Custom deliverables: Work product created specifically for the client during the engagement is typically assigned to the client. This is what they are paying for.
  • Derivative improvements: If working on a client project improves your general-purpose tools or methodologies, those improvements belong to you. This is critical for maintaining your competitive advantage.
  • Model components: For AI-specific work, clarify ownership of model architectures, training configurations, hyperparameters, trained weights, and evaluation frameworks separately.

No Data Handling Provisions

AI projects involve extensive data handling, and agencies that do not address data obligations contractually are exposed to significant liability.

The risk. You receive sensitive customer data from a client to train a model. During the project, a contractor on your team stores a copy on an unsecured personal device. A data breach occurs. Without contractual data handling provisions, the legal responsibility and financial exposure are unclear — and likely catastrophic.

The protection. Include comprehensive data handling clauses:

  • Data classification and handling requirements
  • Permitted uses of client data
  • Storage, encryption, and access control obligations
  • Data retention and deletion timelines
  • Breach notification procedures and responsibilities
  • Subprocessor approval requirements if you use contractors

Missing Acceptance Criteria

AI projects are inherently probabilistic — models have accuracy ranges, not guarantees. Without clearly defined acceptance criteria, disagreements about whether deliverables meet expectations are inevitable.

The risk. You deliver a classification model with 91% accuracy. The client expected 95% accuracy but never specified that requirement. They refuse to pay the final invoice. Without contractual acceptance criteria, you have no objective standard to reference.

The protection. Define specific, measurable acceptance criteria in every statement of work:

  • Performance metrics and thresholds (accuracy, precision, recall, latency)
  • Test datasets and evaluation procedures
  • Acceptance testing timelines
  • Remediation obligations if criteria are not met
  • Payment terms tied to acceptance milestones

Inadequate Termination Provisions

Agency contracts often allow termination for convenience with minimal notice, which creates sudden revenue loss and stranded project investments.

The protection. Structure termination provisions that protect your investment:

  • Minimum notice periods of sixty to ninety days for termination without cause
  • Payment for work completed through the termination date plus any committed costs
  • Kill fees for premature termination of fixed-duration contracts
  • Transition assistance obligations and associated billing
  • IP rights for partially completed work

AI-Specific Legal Risks

Algorithmic Bias and Discrimination

AI systems can perpetuate or amplify biases present in training data, producing discriminatory outcomes in protected categories like race, gender, age, and disability.

The risk landscape. Anti-discrimination laws apply to AI-driven decisions in hiring, lending, housing, insurance, and other regulated domains. If your agency builds a system that produces discriminatory outcomes, both the client and the agency may face regulatory action, lawsuits, and reputational damage.

Protective measures.

  • Contractual allocation of responsibility: Clearly define who is responsible for bias testing, monitoring, and remediation. If the client provides biased training data, your liability should be different than if your model architecture introduces bias.
  • Bias testing protocols: Build bias testing into your standard delivery process and document it thoroughly. This creates evidence of due diligence that protects you in litigation.
  • Disclaimers and limitations: Clearly document the limitations of your models, including the potential for biased outputs. Include these disclaimers in deliverable documentation and client communications.
  • Ongoing monitoring obligations: If your contract includes ongoing model support, define what bias monitoring is included and what triggers remediation.

AI Transparency and Explainability

Regulatory frameworks increasingly require that AI-driven decisions be explainable — particularly in regulated industries like finance, healthcare, and insurance.

The risk. You build a black-box deep learning model for a financial services client. The client deploys it for credit decisions. A regulator demands an explanation of how specific decisions were made. The model cannot provide one. The client faces regulatory penalties and looks to you for recourse.

Protective measures.

  • Document explainability requirements upfront: During discovery, identify whether the client's use case falls under regulations that require explainability. Design solutions accordingly.
  • Contractual explainability disclaimers: If the client chooses a model architecture that sacrifices explainability for performance, document this choice and the associated risks in the contract.
  • Maintain technical documentation: Document model architectures, feature importance, decision boundaries, and known limitations thoroughly. This documentation may be needed in regulatory proceedings.

Data Privacy and Regulatory Compliance

AI agencies handle data subject to GDPR, CCPA, HIPAA, and other regulatory frameworks. Non-compliance can result in significant fines and liability.

The risk. You use customer data from a European client to train a model on servers in the United States without appropriate data transfer mechanisms. This potentially violates GDPR, exposing both you and your client to regulatory action.

Protective measures.

  • Data processing agreements: Execute formal DPAs with every client whose data you handle, specifying your obligations as a data processor.
  • Geographic data handling: Understand where data will be stored and processed, and ensure compliance with cross-border data transfer requirements.
  • Industry-specific compliance: If you serve healthcare, finance, or other regulated industries, understand the specific compliance requirements (HIPAA, SOX, PCI-DSS) and build them into your processes.
  • Privacy by design: Incorporate privacy considerations into your development process — data minimization, anonymization, access controls, and retention limits.

Autonomous Decision-Making Liability

When AI systems make decisions without human oversight — approving loans, flagging fraud, routing customer service inquiries — questions of liability for incorrect decisions become complex.

The risk. Your AI system automatically denies a legitimate insurance claim. The policyholder suffers financial harm. Who is liable — the insurance company that deployed the system, or the agency that built it?

Protective measures.

  • Human-in-the-loop requirements: Contractually recommend or require human review of high-stakes decisions. Document these recommendations even if the client declines them.
  • Performance warranties: Be extremely careful about warranting the accuracy or reliability of AI outputs. Use language like "the system will perform within the documented accuracy range under normal operating conditions" rather than "the system will produce correct results."
  • Use case restrictions: Define the intended use cases for your deliverables and disclaim liability for use outside those parameters.

Business Structure and Insurance

Entity Structure

Operate through a legal entity. Never provide AI services as a sole proprietor. An LLC or corporation creates a liability shield between your personal assets and business obligations.

Consider multiple entities for high-risk work. If your agency serves industries with elevated liability exposure — healthcare, finance, autonomous systems — consider creating separate entities for different practice areas to isolate risk.

Insurance Coverage

Professional liability (errors and omissions). This is the most critical insurance coverage for AI agencies. It covers claims alleging that your professional services caused financial harm to a client. Target coverage of at least $1 million per occurrence and $2 million aggregate.

Cyber liability. Covers costs associated with data breaches, including notification expenses, forensic investigation, legal defense, and regulatory fines. Essential for any agency that handles client data.

General liability. Standard business liability coverage for bodily injury, property damage, and personal injury claims. Required for most office leases and many client contracts.

Technology errors and omissions. A specialized form of E&O coverage designed for technology companies, covering claims arising from software defects, system failures, and technology implementation errors.

Directors and officers. If your agency has a board of directors or advisory board, D&O coverage protects individual board members from personal liability.

Employment and Contractor Law

Contractor Misclassification

AI agencies rely heavily on contractors. Misclassifying employees as contractors is one of the most common and most expensive legal mistakes.

The risk. If a contractor works exclusively for your agency, follows your schedule, uses your tools, and receives work direction (not just project specifications), they may legally be an employee regardless of their contract title. Misclassification can result in back taxes, penalties, and benefits obligations.

The protection. Ensure that contractors genuinely operate as independent businesses — they serve multiple clients, control their own schedules, provide their own tools, and have the ability to profit or lose based on their business decisions. Use a compliant independent contractor agreement and review your working relationships annually for classification risks.

Non-Compete and Non-Solicitation

Protect your client relationships. Require employees and contractors to sign non-solicitation agreements that prevent them from soliciting your clients for a defined period after departure. These are generally more enforceable than broad non-compete agreements, which many jurisdictions have restricted or banned.

Protect your team. Non-solicitation provisions that prevent departing employees from recruiting your team are equally important. Losing a key employee and three of their closest colleagues to a competitor is a preventable risk.

Intellectual Property Assignment

Ensure all work product belongs to the company. Every employee and contractor agreement should include a comprehensive IP assignment clause that assigns all work product created during the engagement to your agency. Without this clause, contractors may retain ownership of code, models, and other deliverables.

Regulatory Compliance

AI-Specific Regulation

The regulatory landscape for AI is evolving rapidly. The EU AI Act, state-level AI legislation in the US, and industry-specific AI regulations are creating a patchwork of compliance requirements.

Stay informed. Subscribe to AI regulatory updates from legal firms and industry associations. Assign someone on your team to monitor regulatory developments.

Build compliance into delivery. Rather than treating compliance as an afterthought, incorporate regulatory requirements into your project methodology. Risk assessment, documentation, testing, and monitoring should be standard phases.

Help clients understand their obligations. Your clients may not understand the regulatory implications of AI deployment. Providing guidance on compliance — even when it is not in the contract — builds trust and reduces the risk of deployments that create liability for both parties.

Your Next Step

Schedule a meeting with an attorney who specializes in technology and AI law within the next two weeks. Bring your current client contract template and ask them to review it against the specific risks outlined in this article. At minimum, ensure you have adequate limitation of liability, clear IP ownership provisions, data handling obligations, and AI-specific risk allocation clauses. The investment in proper legal documentation — typically $5,000-$15,000 for a comprehensive contract template and entity review — is trivial compared to the six- and seven-figure exposures that inadequate contracts create.
