Your AI vendor's one-page summary says it indemnifies you for IP claims. The sentence is real. The coverage is smaller than the sentence, because three things sit underneath it: conditions that switch the indemnity off, the question of who runs the defense, and a liability cap that can swallow the rest. Here is how to read the clause you are actually signing.
Here is the short answer, because it is the one most buyers get wrong. When AI output infringes a third party's rights and a claim lands, most commercial AI vendor paper puts the risk on you, the customer, not the vendor. That is not because the contract skips the indemnity. It is because the indemnity is narrowed by conditions that describe ordinary enterprise use, then qualified by who gets to run the defense, then capped at a number that does not survive a real intellectual property claim. An AI vendor indemnity is the contractual promise that the vendor will absorb specified third-party IP claims arising from use of its model, but the scope of that promise is defined by its conditions, its cap, and who controls the defense. Three failure points decide who pays:
1. The conditions. The "we indemnify you for IP claims" promise is conditioned on using the default output, as intended, with safety features on, unmodified, and not combined with other tools, and it usually excludes trademark exposure. Most real use breaks at least one of those.
2. The defense. The vendor usually reserves the right to control the defense and the settlement. A vendor that controls the settlement can resolve the claim on terms that change how you are allowed to use the product.
3. The cap. An indemnity "subject to" a cap of twelve months of fees is not coverage for a material infringement claim. If the IP indemnity is not carved out of the cap, the number is the ceiling on your recovery, and it is usually too low.
Everything below is how those three failure points work, and what to ask for instead. For the full set of terms an AI vendor agreement should carry, the companion piece walks the 12 clauses to redline. This one stays on the indemnity, because it is the clause buyers most often believe protects them when it does not.
What does an AI vendor indemnity actually promise?
Three verbs do different work, and AI vendor paper mixes them on purpose. "Defend" means the vendor pays for and runs the litigation when a covered claim is brought. "Indemnify" means the vendor reimburses you for losses, judgments, and settlements. "Hold harmless" means you agree not to bring your own claim against the vendor for the same exposure. A clause that says the vendor will "indemnify" you, with no duty to defend, leaves you fronting your own legal bills while a claim is pending, and arguing later about reimbursement. A clause that says "defend and indemnify" is materially stronger: the first verb funds the fight; the second pays the result.
The promise also has a trigger. Read whether the duty attaches to a "claim" or only to a "final judgment." A duty that triggers on a final judgment is close to worthless, because most infringement claims settle or get abandoned long before judgment, and the cost you actually carry is the cost of getting there. The duty should trigger on a third-party claim, allegation, or demand, not on a court's final word.
Why the "Copyright Shield" is narrower than it reads
The major AI vendors market copyright commitments, sometimes branded as a "shield," that promise to stand behind the output of their models. The commitment is real. Its conditions are where the coverage leaks. The pattern across the commercial programs is a stack of six conditions, and most enterprise use breaks at least one of them. Walk them one at a time, because the marketing names the promise and the contract names the conditions.
Default output. Coverage applies to the model's standard output. The moment you use a fine-tuned model, a custom system prompt that materially steers generation, or a feature outside the default configuration, you can be outside the commitment.
Used as intended. Coverage assumes documented, intended use. Novel or off-label use of a general-purpose model, which is most of what makes AI useful, can fall outside "as intended."
Safety features enabled. Coverage is conditioned on leaving the vendor's content filters and guardrails on. Teams that disable filters to reduce false refusals can forfeit the commitment without realizing the indemnity was the cost.
No modification. Coverage assumes you did not modify the output. A product that takes model output and edits, recombines, or post-processes it, which describes nearly every real workflow, may sit outside the unmodified-output condition.
No combination with other tools. Coverage can drop when the output is combined with other software, data, or a second model. Agentic and retrieval workflows combine constantly. This condition is the one most likely to surprise a buyer who chained two vendors together.
No trademark claims. The commitments are typically copyright-only. Trademark and right-of-publicity exposure, which is exactly what you get when a model generates a brand-adjacent logo or a recognizable likeness, is carved out.
None of this means the commitment is worthless. It covers the default, unmodified, single-vendor case, and the gap between that case and how your company actually runs the tool is the exposure you carry yourself. The redline is to narrow the carve-outs to fraud, willful infringement, and use the vendor expressly prohibited in writing, and to delete the conditions that simply describe normal enterprise use.
Who controls the defense and the settlement?
Indemnity language spends most of its words on money and almost none on control, which is backwards, because control is where the bargaining power actually sits. Two questions decide it. First, who has the right to assume and direct the defense? Second, who has to consent before the claim is settled?
When the vendor controls the defense, the vendor also tends to control the settlement, and a vendor optimizing for its own portfolio risk will settle on terms that are cheapest across all its customers, not best for you. A settlement can require you to stop using a feature, switch models, or accept an injunction on a workflow your product depends on. If the indemnity lets the vendor bind you to settlement terms that affect your use without your consent, the indemnity has handed the vendor a switch on your product. Ask for a consent-to-settle right for any settlement that imposes a non-monetary obligation on you, and a right to participate in the defense with your own counsel at your own cost.
Why the liability cap quietly eats the indemnity
This is the failure that does the most damage, because it is invisible until the claim is large. The commercial norm is a liability cap equal to roughly twelve months of fees paid. If the IP indemnity is "subject to" that cap, then no matter how the indemnity reads, your maximum recovery is twelve months of fees, and a serious infringement claim costs multiples of that before the defense even matures.
The fix is structural, not cosmetic. The IP indemnity should be carved out of the general limitation of liability, the same way data-breach and confidentiality exposure should be. If the vendor will not agree to an uncapped indemnity, the fallback is a super-cap: a separate and higher ceiling dedicated to the indemnity, commonly set at two to five times annual fees, sitting above and outside the general cap rather than eating into it. The number is negotiable. The carve-out from the general cap is the part that makes the number collectible. The 12-clause checklist covers the cap structure in more detail; the point to carry here is narrow: an indemnity inside the cap is only as good as the cap, and the cap is usually too small.
Does the vendor's indemnity also run against you?
Read the clause in both directions. The same agreement that indemnifies you for the model's output almost always asks you to indemnify the vendor for your inputs: your prompts, the data you submit, the material you fine-tune on, and your use of the output in your own products. That customer-side indemnity is often broader than the vendor-side one, and uncapped where the vendor's is capped.
Some of that is fair. If you feed a model infringing material and it reproduces it, that is your exposure. The asymmetry to watch is a reverse indemnity that sweeps in liability for the model's own behavior, dressed up as liability for your use. Watch in particular for "continued use after notice" language, which converts the vendor's problem into yours the moment the vendor tells you a claim exists, and for a customer indemnity that is uncapped while the vendor's protection for you is capped. Symmetry of cap treatment between the two indemnities is a reasonable and clarifying ask.
What "output infringes" actually looks like in 2026
Infringement from AI output is not hypothetical, and it does not arrive as one tidy category. It shows up as training-data provenance, when a model reproduces protected expression it was trained on. That is the question behind the New York Times and OpenAI litigation, which remains in discovery and undecided, and the Getty Images and Stability AI dispute, where a UK court rejected the core copyright claim on the merits in late 2025 and Getty is appealing, with parallel proceedings continuing in the United States. No clean, settled answer has landed. It shows up again as generated code that carries an open-source license obligation the model stripped, the exposure raised in the GitHub Copilot litigation, where most claims were dismissed at the district court and the surviving question is now on appeal. And it shows up as trademark and right-of-publicity claims when a model generates brand-adjacent or likeness-adjacent output, which, as noted above, the copyright commitments do not reach at all.
The regulatory layer is moving alongside the litigation. Under the Digital Omnibus on AI provisional agreement (the AI strand of the broader Digital Omnibus simplification package, not yet adopted as final law), the EU AI Act's Article 50 transparency obligations for generative output are due to apply in 2026, with the high-risk obligations pushed into late 2027. Those rules govern disclosure and documentation, not indemnity, but they shape what "intended use" and "as documented" mean in a contract that conditions coverage on both. For the data-provenance side of the same problem, the training-data propagation audit clause handles the deletion-and-provenance angle, and the chain-of-title piece handles who owns the output in the first place. Indemnity is the backstop for when ownership and provenance fail.
Green flags and red flags in an AI indemnity
| Element | Red flag (vendor form paper) | Green flag (what to ask for) |
|---|---|---|
| Promise | "Indemnify" only, triggered on final judgment | "Defend and indemnify," triggered on any third-party claim or demand |
| Conditions | Default output, unmodified, uncombined, as intended, filters on, copyright only | Carve-outs narrowed to fraud, willful infringement, and expressly prohibited use |
| Scope | Copyright only, trademark and publicity excluded | Covers the IP categories your actual use can trigger |
| Defense control | Vendor controls defense and settlement, no consent needed | Consent required for any settlement imposing non-monetary terms on you |
| Cap treatment | Indemnity subject to the general cap of ~12 months' fees | Carved out of the cap, or a 2x to 5x super-cap |
| Reverse indemnity | Customer indemnity uncapped and broad; "continued use after notice" | Symmetric cap treatment; reverse indemnity scoped to your inputs, not the model's behavior |
What to ask for in the next redline
You do not need to win every point to move the risk. Four asks carry most of the value. Make the duty "defend and indemnify" on any claim, not just a judgment. Narrow the conditions so the indemnity survives ordinary modification, combination, and configured use. Carve the IP indemnity out of the general liability cap, or attach a super-cap. And read the reverse indemnity for symmetry, so you are not capped where the vendor is not. If the vendor resists all four, that resistance is itself information about where the vendor expects the risk to land.
The indemnity is the backstop; audit rights are the early-warning system that tells you whether it will actually fire. Both belong in the same MSA negotiation: the training-data propagation audit clause piece covers the provenance-and-lineage side. Together they sit inside the company's wider AI governance program, where contract terms, board reporting, and regulatory exposure get allocated together.
Frequently Asked Questions
If my AI vendor offers a Copyright Shield, am I covered?
Partially, and usually less than the name suggests. The copyright commitments from the major vendors cover the model's default output, used as intended, unmodified, uncombined with other tools, with safety features on, and exclude trademark claims. That profile fits a narrow, single-vendor, default-configuration use case. It does not fit fine-tuned models, agentic or retrieval workflows that combine tools, post-processed output, or brand-adjacent and likeness output. The commitment is a floor, not full coverage. Read it next to the liability cap and the conditions before you rely on it, and treat the full clause checklist as the baseline rather than the shield alone.
What is the difference between "defend" and "indemnify" in an AI contract?
"Defend" means the vendor pays for and runs the litigation while the claim is live. "Indemnify" means the vendor reimburses your losses, often after the fact. A clause with only an indemnity, and no duty to defend, leaves you funding your own defense while the claim is pending and arguing about reimbursement later. Ask for both, triggered on a third-party claim rather than a final judgment.
What indemnification terms should a startup demand in an AI vendor MSA?
The four demands that carry most of the protective value are: a "defend and indemnify" duty triggered on any third-party claim (not just a final judgment); conditions narrowed so the indemnity survives modification, combination, and configured use; an IP indemnity carved out of the general liability cap or placed under a dedicated super-cap; and symmetric cap treatment on the reverse indemnity. Beyond indemnity, audit rights are the companion ask: the right to review training-data provenance and model-version documentation in the same MSA negotiation. The training-data propagation audit clause covers that side of the ask. Qualified legal counsel can advise on which terms are realistic given the specific vendor and deal size.
Can an AI vendor make me indemnify them?
Routinely, and that reverse indemnity is often broader than the protection the vendor gives you. You will typically indemnify the vendor for your prompts, your submitted and fine-tuning data, and your use of the output. Some of that is fair. What to watch for is a reverse indemnity that is uncapped while the vendor's is capped, and "continued use after notice" language that shifts the vendor's own exposure onto you once it tells you a claim exists. Ask for symmetric cap treatment.
Who is liable if AI-generated code infringes an open-source license?
It depends on the contract, and the default often leaves it with you. Generated code can carry copyleft or attribution obligations the model did not surface, and whether the vendor's indemnity reaches that exposure turns on the same conditions as any other output: default configuration, no modification, no combination. Because code is almost always modified and combined, this is a common place the indemnity quietly does not apply. If your product ships model-generated code, confirm the indemnity reaches it rather than assuming it does.
What We're Watching
The training-data infringement dockets. The pending matters over whether model output reproduces protected training data will, when they resolve, reset every vendor's appetite for standing behind output. Each ruling moves the indemnity negotiation.
Vendor copyright-commitment revisions. The major programs have been revised more than once. Watch for conditions that expand or contract, because the marketing name stays the same while the covered profile shifts underneath it.
EU transparency obligations under the Digital Omnibus timeline. As the EU's 2026 transparency rules for generative output take shape, "intended use" and "as documented" acquire regulatory content, and that feeds straight back into the conditions an indemnity hangs on.
Close
The indemnity is the clause buyers trust most and read least. The vendor's one sentence is true and the coverage underneath it is narrow, and the distance between the two is measured in conditions, defense control, and a cap. None of those three is visible in the marketing, and all three are negotiable in the paper. Read the clause in both directions, carve the IP track out of the cap, and make the vendor own the gap between its default use case and how your company actually runs the tool. The buyers who ask now set the precedent the vendor's form paper follows next.
This article is for informational purposes only and does not constitute legal advice. Every company's situation is different, and you should consult with qualified legal counsel before making decisions based on the developments discussed here.