Most organizations think their existing SLA covers their AI vendor relationship. It does not.
A standard SLA covers uptime. It covers Severity 1, 2, and 3 incidents — the system is down, a feature is not working, something broke. The vendor fixes it and you are back online. That is what you negotiated. That is what you are protected for.
It does not cover what the AI actually does.
When an AI model produces inaccurate outputs — wrong recommendations, biased results, hallucinations — your SLA is silent. There is no contractual mechanism to hold the vendor accountable for the accuracy or performance of the AI function itself. You have a system that is technically up and functionally wrong, and nothing in your agreement gives you recourse.
The exposure is everything. If your organization relies on AI outputs without independent verification, and those outputs are inaccurate, you are carrying the reputational and operational risk of decisions made by a model your contract does not actually govern.
This is not theoretical. It is happening right now, in organizations that adopted AI tools quickly and papered the relationship with agreements written for traditional software.
If you are a CPO sitting across from an AI vendor, here is the question that matters: what guarantees or assurances about AI performance are actually written in this contract?
Then stop talking. See what they say.
Most vendors have not thought about it. Most contracts do not address it. The questions that should be on the table — warranty of accuracy, limitation of liability for AI errors, whether E&O insurance covers AI performance or carves it out, whether the model communicates outside your environment — are going largely unasked.
That is the gap. And until the contractual framework catches up to the technology, the organization that signs without asking is the one holding the exposure.