I. Why existing vendor frameworks underfit AI
Most enterprises evaluate AI vendors using the SaaS playbook of the late 2010s: seat-based pricing, SOC 2 attestations, a standard MSA, and a procurement-led negotiation. That posture, sufficient for collaboration tooling, materially under-prices the risk of a platform that ingests regulated data, generates output that influences decisions, and locks the enterprise into a single foundation model lineage.
Gartner's 2024 research on AI TRiSM (Trust, Risk, and Security Management) and McKinsey's State of AI surveys converge on the same point: enterprises with mature governance capture two to three times the value of those treating AI as a tooling decision. The differentiator is institutional posture, not model selection.
II. The four commercial controls boards should mandate
We advise boards to install four non-negotiable commercial controls before any enterprise-scale AI commitment is signed. These are not procurement clauses; they are governance positions.
- Data egress and training rights
Explicit, contractual, audit-backed prohibition on the use of enterprise data for foundation model training, fine-tuning, or evaluation — including by sub-processors. Default vendor language is insufficient.
- Model substitutability
Architectural and contractual right to substitute the underlying foundation model without renegotiation. Without this, the enterprise is exposed to unilateral price action by the upstream model provider.
- Output liability and indemnity
Clear allocation of liability for hallucinated, biased, or infringing output. Most vendor templates exclude this entirely; institutional buyers should not accept that posture.
- Commercial telemetry
Contractual right to consumption-level telemetry sufficient to forecast cost, attribute usage to business units, and benchmark against alternative providers at renewal.
III. The board's specific role
HBR's recent work on AI oversight is unambiguous: AI governance cannot be delegated to a CIO or CDO operating committee. The board must own three decisions explicitly — the risk appetite for autonomous AI decisioning, the concentration limit for any single foundation model provider, and the disclosure posture to regulators and shareholders.
Practically, this means a standing AI governance agenda item, an annual independent commercial review of the AI vendor estate, and a documented escalation path for material model or vendor changes. Anything less leaves the enterprise structurally exposed.
IV. What disciplined operators are doing differently
Across our work with FTSE 100 and Fortune 500 boards, the operators getting this right share three behaviours. They treat the AI vendor estate as a portfolio with explicit concentration limits, not as a series of independent procurement decisions. They negotiate commercial telemetry as a first-class deliverable, not an afterthought. And they retain independent commercial counsel — structurally separate from the implementation partner — for every material AI commitment.
The institutions that fail to install this posture in the next 12 to 18 months will find themselves renegotiating from a position of structural weakness once the foundation model market consolidates further.
- Gartner, AI TRiSM Market Guide, 2024
- McKinsey & Company, The State of AI, 2024
- Harvard Business Review, Governing AI in the Enterprise, 2024
- BCG Henderson Institute, The CEO's Guide to the Generative AI Revolution, 2024
Delta Advisory notes draw on the published research of Gartner, McKinsey & Company, BCG, and the Harvard Business Review, alongside engagement-level commercial intelligence from our own work. Notes are editorial and do not constitute investment, legal, or regulatory advice.