We recognize it’s a little early to make the call for the biggest AI challenge for 2026, but we’re pretty confident that NDAs and other contractual use limitations are about to become a significant problem for enterprise AI adoption.

As AI model capabilities converge and plateau, improved GenAI performance—especially for law firms, consultants, asset managers, insurance companies, and financial services firms—will come from providing the models with high-quality context (e.g., non-public, relevant documents). Indeed, many of the new features recently announced by frontier LLM providers like OpenAI and Anthropic are designed to provide the models with access to high-quality, non-public internal firm context from work emails, SharePoint sites, databases, customer service calls, and so on. But often, the firms that want to use these materials do not clearly own them or the right to use them in this way. Many of these materials were provided by clients, customers, or other third parties, with use conditions attached to them. Specifically, NDAs, engagement letters, and contractual terms and conditions may place significant limitations on how those documents can be used.

First, there are provisions that expressly restrict firms’ ability to use AI with client data. A lot of these provisions were written in 2023 and 2024, when many law firms did not have access to enterprise AI models, so the concern was that the AI models would train on the client’s data, compromising its confidentiality. Essentially, these clauses provide that “you are prohibited from using AI with our data without our consent.”

There are also many provisions that were drafted either before GenAI was available or without the use of GenAI in mind, but may nonetheless apply to the use of GenAI with client data. These include restrictions relating to use limitations, technical segregation, data alteration, data dissemination, data destruction, and IP rights.

Adding to the complexity of what is already a very complicated analysis, the contracts that govern the datasets are often not standardized and govern numerous pieces of data, so finding which clauses apply to particular datasets can be very difficult. There may be hundreds or even thousands of applicable contracts. For example, law firm engagement letters may be somewhat uniform, but most firms are also subject to hundreds of outside counsel guidelines that are all very different from each other in both substance and form.

To illustrate the point, suppose an insurance company wants to use AI to re-price its auto insurance in a particular city, neighborhood by neighborhood, using a vast quantity of data that may be relevant for accident or theft claims in each location. They have collected or purchased data relating to weather conditions, road construction, crime statistics, past insurance claims, telematics, vandalism frequency by make and model of car, drone footage with analytics, etc. Each dataset may be subject to multiple contracts, and therefore multiple possible restrictions, which may differ by provider, by time period, and by location.

Debevoise has developed a protocol for these kinds of large data projects that involves collecting the contracts, organizing them using bespoke AI structuring solutions, identifying the applicable data restrictions, mapping the data to the contracts, and then addressing these restrictions through several creative and practical mitigation options.

Unlocking the value of AI will increasingly involve the messy exercise of assessing and addressing contractual restrictions on high-quality internal non-public data. This process can be a time-consuming and complex analysis, which often involves managing several different legal, technical, business, and reputational risks. The challenges can be significant and are not the kind of problems that get easier over time if ignored, but they are solvable.

* * * * *

The Debevoise STAAR (Suite of Tools for Assessing AI Risk) is a monthly subscription service that provides Debevoise clients with an online suite of tools to help them fast-track their AI adoption. Please contact us at STAARinfo@debevoise.com for more information.

The cover art used in this blog post was generated by ChatGPT-5.

Author

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and artificial intelligence and cybersecurity regulatory counseling and defense. Charu can be reached at cchandra@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Adam Shankman is an associate in the Litigation Department. He can be reached at adshankm@debevoise.com.

Author

Patty is a virtual AI specialist in the Debevoise Data Strategy and Security Group. She was created on May 3, 2025, using OpenAI's o3 model.