Cyber Bytes banner RPC law

AI-as-a-Service – Key Issues

Published on 11 March 2024

Artificial Intelligence-as-a-Service (AIaaS), in the same vein as Software-as-a-Service and Infrastructure-as-a-Service, refers to cloud-based tools that allow businesses to gain access to an AI model hosted by a third party provider. As developing many AI tools from scratch is prohibitively expensive, the majority of AI solutions procured by businesses will involve some element of "as-a-Service" (i.e. using models built and hosted by third parties) although the extent of development and configuration overlaid on that will differ.  We have considered the commercial issues involved when procuring such AI solutions in 'Procuring AI – Commercial Considerations Checklist'. In this section we consider the issues that arise when procuring off-the-shelf AI tools typically provided by third parties on a one-to-many subscription-based model.

Types of AIaaS

The most common types of AIaaS are:

  • Chatbots. Prior to the advancements in AI, chatbots provided answers to a predefined set of questions. However, chatbots are now powered by LLMs and, using natural language processing, can closely mimic actual human speech and deal with a wider array of issues.
  • Application Programming Interface (APIs). APIs create a communication pathway between the AI model and an organisation's internal systems.  For example, a computer vision API could give existing software access to the ability to process and analyse images.
  • Machine Learning (ML). Access to ML frameworks allows businesses to use ML to analyse big data, identify trends and make predictions. For example, an on-demand video provider may use ML to serve a consumer with film and tv recommendations based on their previous viewing habits.

Benefits of AIaaS

There are several clear benefits to using AIaaS. Firstly, pre-trained, off-the-shelf solutions are far more affordable than any solution that requires significant development work. A team of data scientists and engineers to build and maintain the solution are not required, nor is the purchase of extensive processing power to run a model in-house. Secondly, AIaaS avoids the need to invest significant time and effort to train any model, including training by people fine-tuning the solution. A basic service could theoretically be used 'out of the box' with minimal configuration. Lastly, AIaaS solutions (like most cloud-based solutions) are flexible, scalable, and designed to be integrated with standard enterprise IT systems. Customers have the option to turn features on or off and to scale up or down according to usage. 

Key issues when contracting for AIaaS

Many of the contracting issues that apply to SaaS services generally will also apply in respect of AIaaS. However, several take on a new dimension due to the nature of AI and the current market practice around AIaaS.

  • Implementation. Many tools will be advertised as 'out of the box'. That said, consider if any additional training or configuration work is required for the tool to operate as required. Much will also depend on the system architecture that the AIaaS will be used with. AIaaS, being relatively new tech, may require work to be integrated with legacy IT systems. 
  • Usage obligations. In a normal SaaS context, customers would need to comply with obligations around usage (e.g. acceptable use codes) and businesses could mitigate this risk internally through employee policies and training.  AIaaS providers also require customers to comply with acceptable use codes however some go further than others.  Many AIaaS terms require businesses to ensure that they do not generate prohibited content using the service. This is a harder risk to mitigate - customers could set safety filters and policies around user prompts but it's impossible to predict what exactly would be generated. Many AIaaS tools also contain technical usage restrictions as generative AI is extremely resource intensive. If usage exceeds those limits the provider can block access to the service.   
  • Service performance. Does the provider offer clear assurances as to minimum standards for the service? Several AIaaS products are currently being sold in "preview" mode so do not include fixed service levels. Or providers may afford assurances for some performance standards (e.g. availability) but not others which may be less certain to them (e.g. response time). Consider therefore if this is sufficient for the intended use case – perhaps it's prudent to only experiment with the service rather than use it for any critical business purpose.  
  • Liability. SaaS products are typically provided 'as is' with limited warranties and liability on the provider. AIaaS is no different, and although the market practice here is still unclear it seems so far that generally speaking, the warranties and liability caps proffered by providers give customers less protection than in many SaaS arrangements. It has also been well publicised that large AIaaS providers currently provide customers with an indemnity against third party IP rights infringement. However, many of these are capped and only apply to their in-house models. Early adopters might be able to negotiate better bespoke terms with providers.
  • Pricing. SaaS is typically priced as pay-as-you-use which is convenient but poses the risk of unforeseen costs if an organisation does not have robust internal governance as to usage. This risk is exacerbated for AIaaS because of how new and untested the tech might be for a business. For example, there are various pricing models for AI chatbots but most charge per prompt.  If chatbots are new to a business, it may be difficult to accurately estimate how many prompts would be needed. Accidental overage may also trigger penalties. Similarly, an unexpected need for the provider to render additional professional services (e.g. to deploy or configure the service) may arise.  
  • Regulatory compliance. There is typically a lack of transparency with SaaS - the underlying infrastructure and processes are not generally made available to the customer. However, a key principle in AI regulation (including under data protection laws) is explainability i.e. understanding how the model works and relaying this to end users (see also The Ethics of AI – The Digital Dilemma). Ensure sufficient documentation is given by the provider to be able to comply with regulatory obligations.
  • Security. Cyber security is a known issue for SaaS. However, the sheer volumes of data sent to AIaaS and potentially stored offshore significantly increase the security risk. AI has also resulted in new types of security attacks (see 'Procuring AI – Commercial Considerations Checklist') and threat actors will take advantage of businesses' delay to implement measures that keep up with these developments. Complying with the most up-to-date security standards and frameworks is one way to lower these risks.


Discover more insights on the AI guide