Advanced

Caps & Carveouts

A practical guide to caps & carveouts for AI risk management practitioners.

What This Lesson Covers

Caps & Carveouts is a key topic within Indemnification Clauses for AI. In this lesson you will learn the underlying liability framework or insurance pattern, the controlling legal authorities, how to evaluate exposure and procure protection, and the common pitfalls. By the end you will be able to apply caps & carveouts in real risk-management work.

This lesson belongs to the Contractual Liability category of the AI Liability & Insurance track. AI liability is now one of the fastest-evolving areas of law, and the insurance market is racing to catch up. Practitioners who understand both sides ship faster, win bigger deals, and avoid existential incidents.

Why It Matters

Master indemnification clauses for AI. Learn IP indemnification scope, hallucination indemnification, defense control, mitigating factors, caps, and the OpenAI/Microsoft Copyright Shield model.

The reason caps & carveouts deserves dedicated attention is that the gap between teams that take AI liability seriously and teams that don't is widening every quarter. A single uninsured loss or successful class action can dwarf a year of revenue. Understanding the liability landscape and the insurance products available is no longer optional — it is core risk management.

💡
Mental model: Treat caps & carveouts as engineering risk management, not paperwork. The teams that ship AI fastest and most safely are the ones who design liability allocation, insurance procurement, and operational controls into the product from day one — not bolted on after the first regulatory letter arrives.

How It Works in Practice

Below is a practical framework for caps & carveouts. Read it once, then apply it to a real AI use case you are advising on or operating today.

# AI indemnification clause anatomy

INDEMNIFICATION_TEMPLATE = """
Vendor shall defend, indemnify, and hold harmless Customer from and against any
third-party claim, demand, action, suit, or proceeding (a "Claim") alleging that
the Service, or Customer's authorized use thereof, infringes or misappropriates
any third-party Intellectual Property Right (an "IP Claim"), and shall pay
damages, settlements, costs, and expenses (including reasonable attorneys' fees)
finally awarded against Customer or paid in settlement of such IP Claim.

Indemnification SHALL NOT apply to:
(a) Customer's modifications to outputs after delivery;
(b) Customer's combination of outputs with materials not provided by Vendor;
(c) Customer's use of outputs in violation of Documentation or laws;
(d) Customer's failure to use updated versions of the Service.

Vendor's indemnification obligation is conditioned on: (i) prompt written notice
of the IP Claim; (ii) Vendor's sole control of defense and settlement; and
(iii) Customer's reasonable cooperation.

If a final injunction prohibits Customer's use, Vendor shall, at its option:
(a) procure for Customer the right to continue use; (b) modify the Service to
be non-infringing; or (c) accept return and refund of fees paid in past 12 months.
"""

VENDOR_OUTPUT_INDEMNIFICATION_COMPARISON = {
    "OpenAI_Copyright_Shield":     "ChatGPT Enterprise / API - copyright defense for outputs",
    "Microsoft_Copilot_Indemnity": "Customer Copyright Commitment - similar scope",
    "Google_Cloud_AI_Indemnity":   "Generated content + training data",
    "Adobe_Firefly_Indemnity":     "Enterprise users - IP claims for outputs",
    "Anthropic":                   "API IP indemnification on enterprise plans",
}

Step-by-Step Walkthrough

  1. Identify the parties and exposure — Who could be sued? For what? Map the AI value chain (data provider, model provider, fine-tuner, deployer, integrator, end user) and the legal theories applicable to each.
  2. Quantify the potential exposure — Use damages models, statutory ranges, and class action multipliers to estimate worst-case loss. This drives both insurance limits and contractual caps.
  3. Allocate risk via contract — Who bears each risk via indemnification, limitations of liability, insurance requirements, and warranty provisions? Reduce to writing in every AI agreement.
  4. Procure matching insurance — Layer Tech E&O, cyber, product liability, D&O, and specialty AI products to cover the residual risk. Read AI exclusions VERY carefully.
  5. Build operational controls — Logs, audit trails, evals, monitoring, and incident response. These reduce both liability and premium — insurers reward documented governance.

When To Use It (and When Not To)

Caps & Carveouts applies when:

  • You operate, advise on, or insure AI systems that could cause measurable harm
  • You are negotiating AI vendor or customer contracts at any scale
  • You face regulatory scrutiny or are preparing for it
  • You need to disclose AI risk to investors, lenders, or your board

It is the wrong move when:

  • The use case is so low-risk that the cost of analysis exceeds the residual exposure
  • A different framework (pure compliance, pure ethics, pure engineering) better fits the question
  • You are still iterating on the use case — lock in the scope first, then layer liability/insurance
  • You are using liability concerns as a smokescreen to delay shipping a feature you should delay for other reasons
Common pitfall: Teams treat AI insurance as a generic checkbox, only to discover that key AI risks (algorithmic bias, hallucinations, prompt injection, training-data IP) are EXCLUDED from their existing policies. Always read AI exclusions carefully — the gap between standard tech E&O and your actual AI exposure is wider than most assume.

Practitioner Checklist

  • Have you identified all parties potentially liable in this AI use case?
  • Have you quantified worst-case exposure (statutory damages, class action math, regulatory fines)?
  • Are your contracts allocating risk explicitly via indemnification and limitations?
  • Does your insurance stack actually cover the AI-specific risks (read exclusions)?
  • Have you documented operational controls so you can defend a "due care" position?
  • Is there a tested incident response playbook for AI-related incidents?

Disclaimer

This educational content is provided for general informational purposes only. It does not constitute legal advice or insurance advice, does not create an attorney-client or broker relationship, and should not be relied on for any specific matter. Consult qualified counsel and licensed insurance professionals for advice on your specific situation.

Next Steps

The other lessons in Indemnification Clauses for AI build directly on this one. Once you are comfortable with caps & carveouts, the natural next step is to combine it with the patterns in the surrounding lessons — that is where AI liability practice goes from one-off analyses to an operating system. Liability and insurance work is most useful as a system, not as isolated checks.