Issue #56 — The Clauses You Already Signed

The first thing that stops your agent programme is a line in a software contract.

Dear Reader,

The last two issues were about what happens once an agent acts on its own: the human you design back in, and the record the system writes as it works. This one steps back to a plainer question. Before any of that matters, are you even allowed to point an agent at the software you already run? For a growing number of systems the answer is turning into no, and the no is not technical.

Blocked at the login

Take an agent you have scoped to do real work: reconcile invoices, pull case files, update records across three internal tools. In a dev environment it reasons fine. The trouble shows up at integration testing. It hits multi-factor prompts built for a person, session tokens that expire, and bot-detection installed years ago to keep scrapers out. A recent trade report put it well: enterprise agents are stalling at the login, not on their reasoning (TechTimes).

Some of that is a wiring problem you can solve. The contract is not. Most software you licensed before 2024 carries a clause forbidding “automated”, “non-human” or “bot” access, lines written against screen-scrapers long before anyone sold an agent. Read them today and your agent is the exact thing they describe: an automated, non-human caller using your credentials to work the system for you. Nobody wrote that clause with agents in mind. It still binds.

Now the vendors are making it explicit. LexisNexis, whose legal-research tools sit inside plenty of regulated firms, added a term that prohibits customers from using “any autonomous AI agent, agentic AI system … to access, log in to, navigate, query, or otherwise interact with the Online Services … without LN’s express prior written permission” (LexisNexis General Terms). Unity went further and named the mechanics, barring access “by means of any AI agent, autonomous or semi-autonomous software system, large language model … model-context-protocol (MCP) client or server, agentic framework” unless the customer buys a separate tier of access (Unity Terms of Service). Its wording drew enough anger in early July that the company had to clarify the clause applies to its cloud services and marketplace, not a developer’s own machine. The clarification matters less than the direction. Vendors are redrawing the line around agents right now, in their own favour.

Why the line is moving now

This is a commercial move dressed as a security one. Gartner put a number on the thing the vendors are defending against: up to $234 billion of enterprise application spending is at risk by 2030 as one agent does across several systems what a room of licensed seats used to do. Gartner calls it “agentic arbitrage.” Its managing vice-president George Brocklehurst stated the shift directly: “You are no longer buying software primarily for people; you are increasingly buying it for agents.” If the seat is what you priced, and the agent replaces the seat, the vendor’s revenue model breaks. I would put that projection near the peak of inflated expectations. My own view is that real automation will move more slowly than this over the next few years, and a trough of disillusionment is likely before it pays off. The underlying shift, though, is real.

So the vendors are choosing the meter over the ban. ServiceNow, SAP and Workday now route external agents through metered integration layers before they can touch customer data. HubSpot moved its customer-service agent from a flat rate to $0.50 for every resolved conversation. Even OpenAI meters its own workplace agents by the run, a change that went live on 6 July. The clause and the meter are the same instinct in two forms: one bars your agent, the other lets it in but runs a counter the vendor sets. This is a further cost to budget when building agents in the enterprise, on top of the inference itself, the infrastructure, and the work of reshaping processes and building the skills.

The lock-in being written into this year’s renewals

Underneath the pricing sits a slower question worth watching. An agent working inside your operation accumulates context as it goes: your workflows, your exceptions, the rules nobody wrote down. It is tempting to treat that as a switching cost, on the assumption that changing vendor means starting from a blank slate. Mostly it is not. An agent keeps this context outside the model, in memory files and retrieval stores that sit in your own systems and can be moved; Anthropic’s memory tool, for one, runs client-side and stores nothing in the model (Anthropic). The one genuine exception is a model the vendor has fine-tuned on your data: a closed fine-tuned model lives only as a hosted endpoint you call, never a weights file you can take. The more serious risk, though, is a different one. To work, an agent on a hosted model sends that context to the provider: your processes, your exceptions, sometimes real commercial secrets. The major enterprise agreements say they will not train on it: Anthropic’s commercial terms state it “may not train models on Customer Content”, and OpenAI and Azure commit the same for business tiers (Anthropic, OpenAI). That protection is contractual, not technical. The same exposure exists in ordinary SaaS, of course, but there the separation of one customer’s data from another’s is simpler and fully deterministic.

The question a contract has to answer, then, is who owns that operating knowledge the agent builds up. Where the agreement lets the provider retain and train on it, your operating knowledge can end up improving a shared model your competitors also rent. Gartner expects 85% of agentic AI spending to be folded into existing SaaS renewals by 2030, up from 55% in 2025. The terms that decide ownership of what your agents learn are going into contracts being renewed this year. Issue 13 argued that an API is a liability you take on, not just a feature you buy. The agent version of that liability is written in the renewal.

What a regulated enterprise should do about it

For a Polish bank, insurer or pharmaceutical company the clause is a supervisory matter as much as a commercial one. DORA, in force since January 2025 and enforced here by the KNF, already requires you to keep a register of your ICT third-party arrangements and a documented exit strategy for any that supports a critical or important function. An agent that runs claims triage or credit checks through a vendor’s metered layer, learning your operation as it works, is precisely such an arrangement. If the exit plan cannot say what happens to the agent, and to everything it has learned, on the day the contract ends, it has a gap that DORA already expects to be closed. The agent is usually an unnamed party in your processing chain, left out because it did not exist when the contract was signed.

The verdict is unglamorous. Before you scope the agent programme, read the software contracts you already hold. The thing most likely to stop the programme is not the model’s capability, nor the AI Act’s high-risk obligations, now deferred to 2 December 2027. It is a clause. This is the due diligence Issue 11 asked for when buying AI, turned to face the estate bought years ago and rarely re-read since. The real negotiation is commercial and legal: who may run an agent, at what meter, owning what it learns. The firm that goes through the software contracts it already holds on legal grounds, before it deploys agents, is ahead of the one that finds the clause after the agent is built, and no Polish company has yet published how it treats vendor contracts as an agent-governance problem. Room to be first.

Briefing

Three of the big labs pushed new frontier models to the public within two days in early July: OpenAI’s GPT-5.6, SpaceXAI’s Grok 4.5 and Meta’s Muse Spark 1.1 all landed on 8–9 July (Business Insider). When the leading models arrive days apart and trade the top spot with each release, model performance alone is no longer where the advantage sits. Treat the model layer as replaceable and spend the design effort on the parts of the stack that are not, which increasingly means your data, your integrations and the contracts around both.

Europe’s systemic-risk board warned on 7 July that frontier models can now find software vulnerabilities and run full-scale cyberattacks at machine speed, and the European Central Bank told banks to submit AI-related cyber action plans to their supervisors by 31 October (Regulation Tomorrow). In finance the supervisory clock is already running ahead of the AI Act’s 2027 deadlines. A firm supervised by the KNF should expect the same kind of demand regardless of what the Act’s timetable says.

Questions for your leadership team

  1. For the key systems our first agents will touch, has anyone read the current terms of service for a clause on automated, non-human or agent access? What does each one say?
  2. When a vendor meters agent access by the action, who owns that line in the budget, and did our business case for the agent assume it was free?
  3. Who owns what our agents learn about how we operate? If we switched vendors next year, what would we lose that we cannot export?
  4. Under DORA, does our exit strategy for critical ICT services account for an agent and the operating knowledge it holds, or does it stop at the data?

Summary

Before an agent can act, it has to get in, and increasingly it cannot. The contract often forbids automated access outright, in boilerplate written years ago against scrapers that now catches agents by accident, and vendors are making the ban explicit by naming AI agents and MCP clients. The reason is commercial: a single agent replacing several seats breaks the per-seat model Gartner puts at $234 billion of spending at risk, so where vendors do not ban the agent, they bring in new licensing models. The deeper lock-in is who owns what the agent learns about your operation, and that term is going into this year’s renewals unread. For a firm such as one supervised by the KNF, it is already a DORA question of third-party dependency and exit. The fix is simple but laborious: read the contracts already signed before building something they may forbid.

Stay balanced, Krzysztof Goworek

Krzysztof Goworek is founder of Quintant — AI advisory that gets enterprises from experiment to production value.