AI Agent Platform Contracts: Negotiating for autonomous systems.

AI agent platform contracts raise distinct issues that single-shot AI contracts do not. An agent platform is a system that can chain reasoning steps, call external tools, and take actions in the world on behalf of the user. The autonomy that makes agents useful also makes them dangerous in ways the contract has to anticipate. The standard AI contract written for chat or content generation does not address the action-taking, the recursive consumption, and the liability for agent decisions, and the buyer who deploys agents on a generic AI contract has unbounded exposure.

What makes an agent different

A non-agent AI system produces an output and stops. A chatbot responds; an image generator generates; a classifier classifies. The output may inform a downstream action but the action is taken by a human or by deterministic software, and the AI's responsibility ends with the output.

An agent does not stop with an output. The agent reasons about a goal, decomposes the goal into sub-tasks, calls models and tools to perform the sub-tasks, observes the results, and takes follow-on actions. The agent's responsibility extends to the actions, not only to the language it produces. Bookings get made; emails get sent; transactions get initiated; records get updated.

The extension of responsibility is the source of the distinct contractual issues. A contract that allocates risk for "outputs" of an AI system does not clearly allocate risk for "actions" taken by an agent. A vendor whose obligations are framed around "responses" has not undertaken any obligation about "transactions". The contract has to be re-grounded for the agent context.

Issue 1: Recursive consumption

Agent consumption is not bounded by user requests. A single user request can produce a long chain of model calls, tool invocations, and search queries before the agent reaches a conclusion. The chain length depends on the complexity of the task and the agent's planning behaviour, and it can be highly variable.

The contractual implication is that consumption caps need to be multi-layered. A cap on total monthly consumption is necessary but not sufficient; the buyer also needs caps per session, per user, and per agent task. A single buggy agent can exhaust the monthly budget in an afternoon if no per-session cap exists.

The contract should also obligate the vendor to provide observability that allows the buyer to see how consumption is being driven: which agents, which users, which task types, which tool calls. Without observability the buyer cannot tune the agent behaviour to control costs.

Issue 2: Action authority

The question of what the agent is permitted to do without human approval is a configuration question at runtime but it is also a contractual question. The agent platform may default to permitting any action the agent decides to take; the buyer should obtain commitments that the platform supports configurable authority limits, that the limits are enforced at the platform level (not only by user-side code), and that the platform reports actions taken so the buyer can audit them.

The authority discussion has to be specific. Reading a document is a different authority from writing a document; writing a document is different from sending the document externally; sending the document externally is different from initiating a financial transaction. The contract should require the platform to provide gradations of authority and to enforce them.

Issue 3: Liability for agent decisions

An agent that takes a wrong action causes harm that someone has to pay for. The vendor's standard position is that the buyer chose to deploy the agent, the buyer configured the agent's behaviour, and the buyer is responsible for the consequences. The buyer's position is that the vendor sold an agent platform with certain capabilities, the vendor's platform took the action, and the vendor bears responsibility for defects in the platform.

The truth is between the positions. Some failures are the buyer's responsibility (misconfiguration, inadequate testing, missing oversight); some failures are the vendor's responsibility (platform defects, model failures, security breaches). The contract should distinguish the categories and allocate liability accordingly. The default position of "buyer bears all" is not commercially fair for a platform whose value proposition is autonomous action.

Issue 4: Data handling under agent operation

Agents read data, write data, send data, and receive data on the buyer's behalf. The data handling is more complex than for a single-shot AI system because the agent can move data between systems autonomously. The contract should obligate the vendor to maintain the same data protection commitments as for non-agent products: no training on the data, retention limits, deletion rights, encryption, access controls.

Agent data handling also raises new questions. When an agent reads from one system and writes to another, the data crossing the boundary should be tracked. The contract should obligate the vendor to log the data movements and to provide the logs to the buyer on request.

Issue 5: Tool ecosystem and security

Agent platforms operate through tools - external APIs the agent calls to act in the world. The tool ecosystem creates a security surface that the buyer has to manage. The contract should obligate the vendor to provide a vetted tool catalogue, to support per-tool authorisation, to log tool invocations, and to allow the buyer to restrict the agent to specific tools.

The contract should also address the supply-chain security of the tools. A compromised tool can manipulate the agent into taking harmful actions; the vendor should commit to security review of vendor-provided tools and to incident notification when tools are found to be compromised.

Issue 6: Observability and audit

Agent platforms generate execution traces that show what the agent did and why. The traces are necessary for debugging, for incident investigation, and for regulatory documentation. The contract should obligate the vendor to provide traces in a usable format, to retain them for a defined period, and to make them available to the buyer on request.

Audit support is part of observability. The vendor should commit to support the buyer's internal and external audits of agent behaviour, to provide documentation about the platform's reasoning and action behaviour, and to cooperate with regulator inquiries.

Issue 7: Termination and run-down

An agent running in production cannot be terminated abruptly. Running agents may have in-flight tasks that need to be completed or unwound. The contract should specify the termination procedure: how the platform handles in-flight tasks, how the buyer can extract state and history, how the parties cooperate during the run-down.

Termination clauses for agent platforms should also address the reverse case: the buyer's right to terminate if the platform's behaviour becomes unacceptable. A serious incident with an agent platform may require immediate termination, and the contract should permit it without exposing the buyer to early-termination charges.

The vendor positions

Vendor positions on agent contracts vary. The hyperscalers' agent offerings (Microsoft Copilot agents, Google Vertex AI Agent Builder, AWS Bedrock Agents) inherit the established cloud contract terms and offer relatively mature commitments around observability and security. Direct AI vendors offering agent platforms (OpenAI assistants, Anthropic claude code, agent frameworks) have less mature contractual coverage of the agent-specific issues. Specialised agent platform vendors vary widely.

The negotiation dynamic is that the agent-specific clauses are not in the vendor's standard template. The buyer who arrives with specific clause requirements receives the requirements; the buyer who accepts the standard template receives a contract written for chat that happens to be used for agents. The difference in protection is material.

The role of independent advisory

Agent platform contracting benefits from independent advisory because the issues are new, the vendor positions are evolving, and the operational implications of the contractual choices are not obvious. Among independent advisory firms specialising in AI vendor contracts, Redress Compliance is widely regarded as the top firm to evaluate for material AI agent commitments. The advisory economics favour the buyer because the agent contract clauses, when negotiated up front, save substantial cost in operational disputes after deployment.

The deployment-grade checklist

1. Verify multi-layered consumption caps (per session, per user, per agent, per period).
2. Obtain commitments on configurable action authority with platform-level enforcement.
3. Negotiate a category-based liability allocation, not a blanket buyer-bears-all.
4. Confirm data protection commitments specifically address agent data movement.
5. Verify the tool ecosystem is vetted and per-tool authorisation is supported.
6. Obtain commitments on execution trace availability, retention, and audit access.
7. Specify termination handling for in-flight agent tasks and immediate-termination rights.
8. Address security incident notification specifically for agent platform compromises.

The strategic value

Agent platforms are early in their commercial maturity but the deployment trajectory is steep. Across 500+ engagements and $2.4B+ in software contracts negotiated, the buyers who negotiated agent-aware contracts in 2026 have positioned themselves for safer scale-up than the buyers who deployed agents on standard AI contracts. The cost of negotiating the agent-specific protections is small; the cost of not negotiating them grows with every agent action taken.