We recently hosted our much‑anticipated live webinar, ‘Multi‑Vendor Contracts, AI, and Escrow for Legal Professionals’, delivered in collaboration with SCL and Marks & Clerk. Building on the momentum of our previous session with SCL, this latest session offered fresh insight into the rapidly evolving IP and technology risk landscape.
Chaired by Fiona Phillips (Partner at Marks & Clerk – AI and Cybersecurity) and featuring expert contributions from Mark Ryan (Head of Escrow & Continuity at SES Secure) and Tom Sweet (Head of Technology at SES Secure), the session explored the new pressures shaping today’s tech‑driven services and unpacked how legal professionals can stay ahead of the curve.
This blog summarises the main themes, discussion points, and key takeaways from the webinar. If you’d like access to the full recording, please get in touch.
The Modern Day Dependency on Third-Party Technology
Over the past 15 years, the software risk landscape has experienced a major transformation. What was once viewed as a single‑application concern is now recognised as a deeply interconnected web of dependencies across modern digital ecosystems. Today, organisations rely on:
- Multiple software vendors - each powering different layers of core operations.
- Cloud infrastructure providers - often hosting mission‑critical workloads.
- Third‑party APIs - essential for functionality but outside direct control.
- Outsourced support providers - whose availability directly affects service continuity.
- Offshore development teams - adding jurisdictional and operational complexity.
- AI functionality - increasingly embedded across platforms.
During the webinar, Mark and Tom highlighted a key disconnect:
“While legal and procurement teams often assess contracts individually, operational reality is far more interconnected.”
A single supplier issue rarely stays isolated, as disruption can spread quickly across systems, departments, and business functions. This growing interdependence is why boards, regulators, and risk teams are paying closer attention. The exposure is no longer purely technical; it is simultaneously operational, financial, regulatory, and reputational.
The Growing Regulatory & Operational Resilience Pressures
A major organisational theme discussed in the webinar was the regulatory shift that became prevalent in 2025. This shift moved the focus from simply being resilient to actively proving resilience under real‑world stress, demonstrating that continuity measures can withstand genuine disruption in practice.

Essentially, the question has evolved from: “Do you have a continuity plan?” to “Can you survive an actual disruption?”
Regulators now expect organisations to demonstrate that they can continue operating even when critical systems or suppliers fail. Key concerns include supplier insolvency, loss of system access, geopolitical instability, and AI outputs that cannot be validated or audited.
Operational resilience has developed into a cross-functional priority, shared by legal, risk, compliance, procurement, and operational teams. As SES Secure’s Mark Ryan put it: “It’s now a governance issue, a legal issue, a regulatory issue, a board‑level issue.”
Multi-Vendor & AI Dependency Risks
Currently, many organisations underestimate the depth of their dependency on cloud platforms, AI providers, data feeds, developers, and external APIs.
This creates layered risk. For example, a single SaaS platform may rely on multiple vendors and technologies beneath the surface. As a result, any outage, pricing change, feature removal, API deprecation, acquisition, or supplier failure can quickly impact service availability.
Ultimately, the SaaS model doesn’t remove risk. Instead, it shifts it further down the supply chain. For organisations, understanding these dependencies is essential before they become points of failure.
Why Traditional Contracts Often Fail
Contracts matter…but they are not continuity plans.
Legal agreements may state that:
- The customer owns the data.
- The supplier must cooperate.
- Source code will be released.
- Assistance will be provided.
However, contracts alone frequently fail to provide practical continuity in real-world disruption scenarios.
It’s crucial for organisations to anticipate every plausible “what if” scenario:
- What if the supplier becomes insolvent?
- What if key staff leave unexpectedly?
- What if critical systems are encrypted or otherwise compromised?
- What if geopolitical restrictions suddenly apply?
- What if there’s simply no one left with the capability to assist?
A legal right is not the same as operational recoverability. This is where Software Escrow becomes valuable, transitioning protection from theoretical rights to practical continuity.
Escrow as a Practical Risk Mitigation Tool
In the simplest of terms, Software Escrow is a risk‑mitigation tool that protects a business’s access to critical software if the vendor can no longer support it.
It acts as a safety net whereby the source code and essential materials are held by a neutral third party and released only if predefined conditions (like vendor bankruptcy, service failure, or discontinued support) are triggered. This provides a means for maintaining business operations and addressing risks such as financial loss and reputational damage.
Traditional Escrow Model
- Software installed within the beneficiary’s infrastructure.
- Source code held in Escrow.
- Data retained by the beneficiary.
- In the event of supplier disruption, operations can typically continue immediately.

Modern Day Escrow
- Software delivered via a 3rd party (e.g., hosting partner such as AWS, GCP, Azure etc.).
- Source code and data must both be protected.
- Loss of supplier access can result in immediate service and data loss.
- A clearly defined exit strategy is essential.

Traditional Software Escrow focused on source code, but modern solutions now include data, SaaS environments, infrastructure‑as‑code, containers, AI models, and operational documentation.
The goal is not simply storing materials. The goal is ensuring they can be deployed and used independently. Validation and testing are essential, as organisations often discover too late that deposits are incomplete or dependent on undocumented components.
Foreign Jurisdiction & Geopolitical Risks
Cross-border technology dependencies introduce significant legal and operational complexity. Data, development teams, parent companies, and cloud infrastructure often span multiple jurisdictions, making rights harder to enforce during insolvency, sanctions, or regulatory intervention.
With rising scrutiny around data sovereignty, export controls, and access restrictions, organisations must ask: If access is disrupted, what safeguards are in place that do not rely on supplier cooperation?
This is where Software Escrow becomes a crucial independent safeguard, mitigating both supplier risk and the uncertainties associated with operating across different jurisdictions.
The Rise of AI Dependency
AI (and its limitations) is creating a new category of continuity and governance risk. Unlike traditional software, AI systems are opaque, constantly evolving, and heavily dependent on external providers.
Key concerns include:
- Whether outputs can be reproduced if models change.
- What is owned, licensed, or recoverable.
- How to maintain continuity if access is removed.
Many organisations assume AI is clearly covered by standard software contracts. However, the underlying dependency chain is often far more complex.
What Is AI Escrow?
AI Escrow extends traditional Escrow principles to the components that make AI systems operational.
AI Escrow May Include:
- Vector databases
- Supporting codebases
- Deployment environments
- Documentation and governance records
- AI model weights
- Prompt frameworks
- Training configurations
- Fine‑tuning artefacts
- Retrieval systems
Through the implementation of AI Escrow, the aim is not to recreate entire AI ecosystems, but to preserve continuity for bespoke, regulated, or mission‑critical AI solutions. While Escrow cannot eliminate every AI‑related risk, it delivers a far higher level of operational resilience than relying on contractual commitments alone.
AI Escrow strengthens governance by clarifying:
- What can be accessed
- What can be recovered
- Whether the system can continue operating if access is disrupted
- How dependent the organisation is on a single provider or model
Practical Considerations for Legal Teams
Legal teams are becoming increasingly central to organisational resilience. For these teams, the conversation is changing from simply asking ‘Is there a contract?’ to addressing broader continuity questions such as:
- Can continuity actually be achieved?
- What sits outside contractual protection?
- Are AI components properly addressed?
- Who controls operational recovery (e.g., escrow)?
- What systems are truly business‑critical?
- Where are the hidden dependencies?
- Where is the data stored?
- What jurisdictional risks exist?
Legal teams are now emerging as central stakeholders in operational resilience governance, a responsibility that will continue to grow substantially in the years ahead.
Key Takeaways
As Ryan put it: “In a multi-vendor, AI-driven world, resilience depends not on what contracts say, but on whether your business can actually continue when things go wrong.”
Some key takeaway points from the webinar are:
- Technology dependency has fundamentally changed. Organisations no longer rely on a single system. They operate across complex ecosystems of SaaS, cloud, APIs, and increasingly AI.
- Regulators now expect organisations not just to plan for disruption, but to prove they can operate through it.
- Contracts alone cannot guarantee continuity. They may provide rights on paper, but not the practical ability to keep the business running.
- AI adds further complexity around control, visibility, and long‑term access.
- The core message: Resilience isn’t about what the contract says. It’s about whether your business can continue when something goes wrong.
Modern Escrow and continuity planning bridge the gap between legal protection and operational reality.
To learn more or to schedule a conversation with our team, please don’t hesitate to get in touch.

