Last week Stanford published the 2026 AI Index, and the finding that should reframe every enterprise AI contract on the table this quarter was not on the first page.
The Foundation Model Transparency Index, which scores how openly AI companies disclose their training data, compute, and safety practices, climbed from 37 in 2023 to 58 in 2024. In 2025 the average dropped back to 40, with wide variance across vendors. At the same time, the share of enterprises with no responsible AI policies fell from 24% to 11%, AI-specific governance roles grew 17%, and organizational AI adoption reached 88% (Stanford HAI, 2026 AI Index Report).
Enterprise governance advanced. Vendor transparency retreated. The AI Agent Governance Gap named the internal side of this problem, who can stop an agent mid-execution, who owns the rejection loop. This is the other side. The best internal policy still stops where the vendor firewall begins, and in 2025 that firewall got taller.
The response is not a louder policy document. It is contract language.
The Four Clauses
Every enterprise AI contract signed this quarter should carry four specific clauses. Each maps to a shift the 2026 AI Index documented. Each comes with a verification mechanism that does not rely on the vendor’s word.
1. Disclosure clause. The contract names the specific dimensions the vendor is expected to disclose: training data provenance, the evaluations run on the current model version, the cadence of model updates, and the safety practices tied to the buyer’s deployment. The clause also names what happens when any of those change. A written delta, notified to the buyer within a defined window, not discovered in a vendor newsletter. This is the procurement response to the Foundation Model Transparency Index regression. A vendor that has chosen not to disclose publicly can still be asked to disclose contractually, under mutual NDA, scoped to the buyer.
2. Responsible AI tradeoff clause. Stanford’s Chapter 3 documents an uncomfortable empirical finding. Training for one responsible AI dimension consistently degrades others. Safety gains can reduce accuracy. Privacy gains can reduce fairness. There is no shared framework across vendors for navigating these trade-offs, which means every vendor is making internal choices they rarely articulate. The contract clause requires the vendor to name which dimension was prioritized in the latest safety tuning of the model version being purchased, and what measurable shift occurred in the others. The buyer does not need to know the algorithm. The buyer needs to know the priority. That is the difference between buying a capability and buying a black box.
3. Incident reporting clause. The 2026 AI Index documented 362 AI incidents in 2025, up from 233 the year before. A 55% year-over-year rise is not a statistical curiosity, it is an operational signal. The contract clause defines the window in which the vendor must notify the buyer of documented incidents affecting the buyer’s use case or the model class the buyer has deployed. Five business days is reasonable. Ninety days is not. The clause should also require a quarterly incident log scoped to the vendor’s own platform. This is infrastructure the Board AI Reporting Gap framework depends on, because a board cannot report what procurement never asked the vendor to provide.
4. Verification right clause. The first three clauses produce vendor statements. The fourth produces the buyer’s right to check them. The clause grants the buyer the right to commission third-party attestation, conduct red-team evaluations on critical deployments, or request audit access scoped to the buyer’s use. This does not mean every buyer will exercise the right every quarter. It means the right exists. The act of requesting it later is a contractual action, not an unwelcome surprise. The clause is strongest when it references emerging standards the buyer can point to, NIST AI RMF, ISO/IEC 42001, or a future FMTI revision, rather than bespoke buyer-defined criteria, because the right to verify is only as useful as the framework the verification can be conducted against. This is how regulated industries have handled the same problem for decades, and it is the clause most easily dropped by a legal team that wants the deal closed fast.
What Changes When the Clauses Are There
A vendor call that includes all four clauses goes differently. The buyer is no longer asking the vendor to be trustworthy. The buyer is asking the vendor what the contract permits. That shift changes the tone of the relationship without changing the commercial terms.
It also changes what gets reported internally. The CFO, the board audit committee, and the risk function now have a specific contractual basis for their AI oversight. The workflow redesign lens applies at the procurement layer too: the companies that extract returns from AI spend are the ones that build management infrastructure around it, not the ones that add tools on top. Contract language is part of that infrastructure.
Some of the FMTI regression reflects real security tradeoffs and legitimate safety calibration, not bad faith. The clauses are not a demand for everything. They are a demand to know what was traded, how you would be told if it changed, and what right you have to verify.
The Question Procurement Should Be Asking
Stanford’s co-chairs describe the report’s theme as “a field that is scaling faster than the systems around it can adapt.” Enterprise AI governance in 2026 is catching up on the inside. The frontier of governance practice is moving to the contract, because the contract is where the internal policy meets the vendor firewall.
So before you sign the next AI vendor agreement, ask the question that matters more than any of the feature comparisons: which of these four clauses did your contract keep, and which one did legal drop to close the deal faster?