Every major procurement team is experimenting with generative AI for contract review. The pitch is compelling: upload a master services agreement, an AI tool extracts obligations, flags non-standard clauses, and generates a risk summary in minutes instead of days. Gartner predicts AI-assisted contract review can cut cycle times by 50%. The technology is real. The cost savings are measurable. What vendors and internal champions rarely disclose is what the AI cannot do — and the procurement lawyers know this better than anyone.
In 2025, at least twenty federal procurement decisions from the GAO, COFC, and boards of contract appeals showed signs of "Gen-AI Misuse" — filings containing plausible but false legal assertions and fabricated citations generated by large language models. The lawyers who litigate these cases saw it coming. The procurement teams deploying the tools did not.
LLMs hallucinate contract risk assessments, not just citations
The core failure mode is structural, not fixable with better prompts. Large language models are word-prediction machines. They generate the most statistically likely sequence of tokens — not a legally defensible analysis. Research from Burr & Forman documents that LLMs produce false citations approximately 30% of the time. When applied to contract review, that same failure rate means every third clause summary, risk flag, or compliance assessment could be wrong — and wrong in a way that sounds completely convincing.
A procurement lawyer reviewing a software licensing agreement knows that "standard" liability caps of 1x annual fees may be commercially unacceptable when the software runs a factory line. The AI sees the cap, compares it to a training corpus of "market norms," and flags it as standard — missing the operational context entirely. The failure is invisible at review time and surfaces only during a dispute.
AI reads black-and-white text. It does not read the deal.
Contract review is not a text-matching exercise. Experienced procurement lawyers evaluate terms against regulatory posture, commercial dependencies, leverage dynamics, and unwritten understandings with strategic vendors. AI tools cannot factor in side letters, past negotiation history, or how a specific court jurisdiction is likely to interpret a triggering condition in context.
This gap manifests in predictable patterns. The AI misses cross-contract dependencies between a framework agreement, its statements of work, data processing addenda, and SLAs — because each document lives in a separate review session. Security addenda sitting outside core terms and conditions go unexamined. Operational realities that make a "standard" liability cap commercially suicidal for a specific category — say, a sole-source supplier transition mid-production — are invisible to the model.
Data confidentiality and training rights are structurally under-negotiated
When a procurement team uploads a master agreement containing pricing models, volume commitments, and intellectual property terms to an AI contract review tool, they are sharing confidential commercial information with a third-party system. Many generative AI vendors reserve broad rights to process customer data under "legitimate interests" or service necessity, as described by Deloitte, including rights to train models on inputs and outputs.
The consequences are not theoretical. A procurement team that uploads its negotiation playbook, pricing benchmarks, or strategic sourcing analysis to a public-facing AI tool may find those materials reflected in outputs for other customers. Trade secrets, once exposed to a model's training data, lose their protected status. Off-the-shelf AI/SaaS contracts keep these points vague or one-sided, and procurement teams rarely have an AI-specific addendum that addresses training rights, data retention, and output confidentiality, as recommended by technology transactions lawyers.
Liability for incorrect output is disclaimed — and buyers bear the cost
Standard SaaS boilerplate treats AI as "tooling" used at the customer's own risk. When a GenAI tool green-lights a risky indemnity clause, misses a material-adverse-change trigger, or incorrectly summarizes an exclusivity provision that later blocks a strategic deal, the vendor bears no liability. Remedies are typically limited to service credits, according to Bird & Bird's analysis of AI contract structures. There is no specific indemnity for harmful or infringing outputs.
This creates a misaligned incentive structure. The vendor captures the efficiency gains. The buyer carries the downside risk of wrong analysis. Procurement teams that treat AI contract review as a "bolt-on" to their existing CLM without renegotiating liability terms are accepting a risk profile their general counsel has not signed off on.
The regulatory overlay most procurement teams ignore
The EU AI Act's risk-based duties phase in through 2025 and 2026, per legal guidance. They apply not just to AI products procurement teams buy, but to their internal use of GenAI for decision-support in regulated domains. In the US, ABA Formal Opinion 512 (July 2024) established that lawyers must have a "reasonable understanding" of AI capabilities and limitations, as reported by the National Law Review. Illinois's AI in Employment Law (effective January 1, 2026) mandates disclosure when AI influences employment decisions.
Procurement teams that treat AI purely as a software procurement issue — a tick-box security addendum and a data processing agreement — are years behind where regulation is heading. AI risk spans privacy law, employment law, consumer protection, intellectual property, records retention, and litigation readiness. Contract review alone cannot cover it, as legal practitioners now advise clients.
What good looks like: controlled acceleration, not blind adoption
The most sophisticated procurement legal teams are not rejecting GenAI. They are deploying it with defined guardrails. AI handles first-pass clause extraction, portfolio triage, obligation tracking, and compliance monitoring against a pre-approved playbook. Lawyers handle contextual risk assessment, negotiation strategy, cross-contract dependency analysis, and any deal exceeding a defined complexity threshold. The AI generates the issues list. The lawyer decides what matters.
According to the National Law Review's 2026 AI predictions, "zero-touch" contracting for low-risk agreements, with surgical redlining achieving 95% accuracy, is within reach. But organizations that skip the governance step — formal AI policies addressing ethical, brand, and PII risks — will be the ones making headlines for the wrong reasons.
What this means in practice for procurement leaders
- Require a dedicated AI addendum before any GenAI contract tool goes live. Address data use, training rights, IP ownership of AI-generated analysis, confidentiality, output liability, right to audit, and transparency. Off-the-shelf SaaS terms do not cover these points.
- Establish a complexity threshold for mandatory human review. Deals above a defined value, involving sole-source suppliers, touching regulated data, or spanning multiple legal jurisdictions must never be AI-finalized.
- Audit AI output systematically, not by spot-checking. Run a blind comparison between AI-generated risk assessments and lawyer-generated assessments for the first 50 contracts. Measure accuracy by dimension: clause identification, risk flagging, missing terms.
- Build internal AI governance that ties tool use to specific workflows and risk tiers. A single "OK to use AI" policy is insufficient. Define which processes permit AI-assisted review, which require AI-plus-human, and which exclude AI entirely.
- Train procurement teams on what the AI cannot do. The risk of over-reliance — treating an AI assessment as final without examining whether its model assumptions fit the organization's regulatory or operational profile — is the single largest emerging procurement risk in 2026.
Frequently asked questions
Can GenAI replace a procurement lawyer for contract review?
No. GenAI tools are effective for first-pass clause extraction and portfolio triage, but they lack the contextual judgment, regulatory awareness, and negotiation strategy that experienced procurement lawyers provide. Every major tool vendor acknowledges supervision is required.
What are the biggest risks of using AI for contract analysis?
Hallucinated clauses that sound authoritative but are legally wrong, missed cross-contract dependencies, data confidentiality breaches when uploading sensitive terms, unclear IP ownership of AI-generated analysis, and liability disclaimers that leave the buyer holding the risk.
Do AI contract review tools protect my confidential data?
Not automatically. Many AI vendors reserve broad rights to process and train on customer data. Trade secrets, pricing models, and proprietary terms uploaded to public-facing AI tools can create confidentiality and trade secret exposure.
What is the EU AI Act's impact on AI contract review?
The EU AI Act's risk-based duties phase in through 2025–2026 and apply to internal use of GenAI for decision-support in procurement. Organizations using AI to evaluate suppliers or assess contract risk may need compliance measures beyond standard software procurement.
How should procurement teams govern AI contract review tools?
Require a dedicated AI addendum covering data use, training rights, IP ownership, confidentiality, output liability, and audit rights. Establish governance tying AI use to workflow-specific legal review. Never let AI be the final decision-maker for high-risk or regulated deals.
Sources
- Burr & Forman LLP — Gen-AI Misuse in Procurement Litigation (2025)
- Global Legal Law Firm — AI Contract Review: Benefits, Risks, and When You Need an Attorney
- Gorilla Web Tactics — How Lawyers Are Advising Clients on AI Risk in 2026
- Bird & Bird — The AI Contract Conundrum Beyond Standard Terms (2025)
- Deloitte — Generative AI Legal Issues
- Gouchev Law — 10 Critical Clauses for AI Vendor Contracts
- Tascon Legal — AI Clauses In Contracts: The Practical Guide For 2025
- National Law Review — Ten AI Predictions for 2026: What Legal Teams Should Expect
- Bloomberg Law — Generative AI Changes the Contract Game (Feb 2026)