There is a question that circulates in AI practitioner communities but rarely surfaces in formal GRC discussions: when an AI system you paid for produces output that is wrong, harmful, or materially worse than what you were sold, who is responsible and what recourse do you have?
The question sounds deceptively simple. In practice it touches the intersection of consumer protection law, digital services contract doctrine, software liability jurisprudence, and the novel governance problems introduced by probabilistic systems that can behave differently tomorrow than they did today. Most organizations — and most individuals — who deploy AI services have not thought through this intersection carefully. Their vendor contracts, risk registers, and procurement policies reflect the assumptions of a pre-AI era: that a tool you purchase will perform consistently, that service degradation will be visible, and that fault will be assignable.
None of those assumptions is reliably true for AI platforms. This essay maps the terrain. It connects to the structural governance analysis in The Four Blind Spots of Force-Fitting AI Into Traditional Governance and to the regulatory landscape in Navigating the Wave: Part One.
The AI credit problem has two dimensions. The first is transactional: a specific session, query, or task produces output that is wrong, unusable, or harmful, and the user believes the platform should bear some accountability. The second is temporal: a platform or model that performed adequately at the time of subscription has, over weeks or months, degraded — changed behavior, lost capability, introduced regressions — and the user is paying for a service that no longer matches what they purchased.
Both dimensions are underaddressed by current platform terms of service. The first because platforms generally disclaim output quality warranties entirely. The second because the concept of output-quality drift as a service conformity issue has not been translated from the world of software SLAs — where performance degradation typically triggers contractual consequences — into the world of AI subscriptions.
The practical result is an accountability vacuum. Organizations deploy AI tools, integrate them into workflows, train staff on them, and build dependencies on their capabilities — then discover, when something goes wrong or performance degrades, that their contractual position is far weaker than they assumed. The risk belongs to the buyer. That this risk has not entered most organizations' formal risk registers or vendor management frameworks is a governance failure in its own right.
The distinction between platform fault and model behavior is the foundational categorization for any analysis of AI refund rights. Platform fault encompasses failures in the infrastructure that delivers the AI service: server outages, API unavailability, authentication failures, billing errors, data loss, and security breaches. These are the failures that traditional SLA frameworks are built to address, and most enterprise AI agreements include provisions — however limited — for these scenarios. Credit for platform downtime is the category most likely to be explicitly addressed in a vendor contract.
Model behavior encompasses the quality, accuracy, and consistency of the AI system's outputs. This includes hallucination, reasoning errors, harmful content generation, refusal to perform described tasks, and the output-quality degradation that accompanies model drift. Most current enterprise AI agreements explicitly disclaim liability for model behavior in their terms of service. The standard formulation — that the platform provides access to the AI system on an "as is" basis and that the provider makes no representations regarding output accuracy, completeness, or fitness for any particular purpose — is present in substantially similar form in the terms of the major commercial AI providers.
A more complex category emerges with agentic AI platforms — systems like Manus that do not merely generate text but execute sequences of actions to complete tasks. When an agentic platform fails to complete a task, the failure may lie in the underlying model (it cannot reason through the required steps), in the orchestration logic (the scaffolding that sequences model calls and tool use), in the tool integrations (external APIs or systems the agent relies on), or in some combination. The attribution question — which component failed and who owns the failure — is genuinely unresolved in current contract law and is not addressed in any clear way in agentic platform terms of service.
From a GRC perspective, the orchestration grey zone matters for vendor risk management: an organization that has deployed an agentic AI system for a consequential workflow has accepted risk across multiple failure modes with contractual coverage for almost none of them. The appropriate response is not to avoid agentic AI but to build the risk into the formal vendor risk assessment and to negotiate bespoke provisions where the deployment is material enough to warrant it.
Model drift — the degradation of AI model performance as production data diverges from training data — creates a particularly sharp version of the credit justice problem for organizations using AI in long-duration projects. The governance implications of model drift are analyzed in detail in the four blind spots essay. The credit justice implication is distinct: an organization that subscribes to an AI service at the beginning of a twelve-month engagement and discovers six months in that the model's capability in the relevant domain has materially declined faces a question about whether it is still receiving the service it contracted for.
Drift in the credit context takes two forms. The first is capability regression: a provider updates the underlying model in a way that reduces performance in specific task categories, sometimes as a deliberate trade-off (reducing one capability to improve another, or to reduce operational costs). Users who relied on pre-update capabilities have no contractual basis to demand their restoration under standard platform terms.
The second is environmental drift: the model's training data is no longer current relative to the user's domain. A legal research AI that was trained through a specific date will produce increasingly incomplete results as new case law, regulatory guidance, and statutory changes accumulate beyond its knowledge cutoff. Again, standard platform terms treat this as an inherent limitation rather than a service degradation.
Whether a material capability regression constitutes a breach of the service contract under applicable law depends on the jurisdiction and the specific contract terms, but the analysis is not obviously in the platform's favor in all cases. A service sold as capable of a specific function that is subsequently modified to no longer perform that function may, in some contract law frameworks, constitute a failure of conformity. The EU's Digital Content Directive is the most developed expression of this analysis in current law, and its application to AI capability regressions is an active area of legal commentary.
For GRC teams, the practical implication is not to wait for courts to resolve the question but to negotiate contractual provisions that address capability changes proactively. This is discussed in the procurement guidance section below.
The following survey maps refund policies and accountability provisions as of early 2026. These policies are subject to change; organizations should verify current terms directly with providers.
| Platform | Output-Quality Refund Right | Drift or Regression Right | Notable Provisions |
|---|---|---|---|
| OpenAI (ChatGPT / API) | None in standard terms. Discretionary billing error credits only. | None. Model updates at provider discretion. | Enterprise agreements may include custom SLAs. Deprecation notices typically 30–90 days for API models. |
| Anthropic (Claude) | None in standard terms. Service availability SLA for enterprise. | None. Model transitions managed through deprecation schedule. | Enterprise agreements include model transition commitments. Consumer plans: case-by-case support discretion. |
| Google (Gemini / Vertex AI) | None for output quality. API downtime credits per standard GCP SLA. | None. Model updates governed by product lifecycle policy. | Vertex AI offers stable model channels that may mitigate regression risk. Enterprise SLA covers availability. |
| Perplexity | None in standard terms. | None. | Consumer subscription: support team handles billing disputes case by case. No formal credit policy published. |
| Manus | No published output-quality policy as of early 2026. | No published drift or regression policy. | As an agentic platform, task-failure accountability spans model behavior, orchestration logic, and tool integrations — none explicitly covered in standard terms. |
The pattern is consistent: major AI platforms treat output quality as outside the scope of contractual accountability. Refund rights, where they exist, cover platform availability and billing errors — not the substance of what the platform produces. This is a rational commercial position for providers facing unpredictable output quality at scale. It is a poor position for organizational risk management and a contested position in jurisdictions with strong digital consumer protection law.
The chief AI compliance officer role — one of the most rapidly evolving positions in the GRC talent landscape — is in many organizations the first locus of responsibility for managing this contractual exposure. For role-specific career guidance, see the Chief AI Compliance Officer profile and the foundational analysis of why AI governance requires new professional expertise.
The EU Consumer Rights Directive (2011/83/EU) provides consumers with a 14-day right to withdraw from distance contracts for digital content and digital services without providing a reason. The right applies unless the consumer has expressly consented to immediate delivery and acknowledged that the withdrawal right is forfeited upon delivery — a consent that many subscription platforms collect through their onboarding flow, meaning the 14-day right is often waived in practice for ongoing subscription services.
For initial subscriptions where the consent has not been properly obtained, the withdrawal period may extend to 12 months. Enforcement by EU member state consumer protection authorities has focused on clarity of consent disclosures, and several cases have found that standard "I accept" checkbox flows do not satisfy the explicit consent requirement for digital content withdrawal waiver.
The more operationally significant instrument is the Digital Content Directive (2019/770/EU), which requires that digital services conform throughout the duration of the contract with their described functionality, purpose, and quality. Conformity is assessed against both the contractual description and the reasonable expectations of the consumer based on how the service was marketed.
Applied to AI services, the conformity requirement raises several questions that are live in European consumer law scholarship: whether an AI platform that markets itself as capable of a specific function and subsequently removes or degrades that function has breached the conformity requirement; whether a model update that materially changes output quality constitutes a non-conforming modification; and whether an AI system's inherent tendency to produce inaccurate output in specific domains, if that tendency was not disclosed at point of sale, creates a conformity defect.
The remedies for non-conformity under the Directive include repair, replacement, proportionate price reduction, and in cases of significant non-conformity, termination of the contract. These are stronger remedies than anything available under standard platform terms of service, and EU-based consumers — individual and enterprise — may have rights that exceed what platform policies acknowledge.
In the United States, there is no federal equivalent to the EU's digital content conformity framework. The FTC's unfair and deceptive practices authority (Section 5 of the FTC Act) applies in principle to AI platforms that make material misrepresentations about their capabilities, and the FTC has signaled increasing attention to AI marketing claims. But the remedial framework — FTC enforcement actions, cease-and-desist orders, potentially civil penalties — operates at the regulatory level, not the individual consumer level. Individual consumers seeking refunds for AI service failures must rely on state consumer protection statutes, credit card chargebacks, and the discretion of platform support teams.
The governance implication for organizations operating in multiple jurisdictions is that their vendor management frameworks must account for the fact that the legal baseline for AI service accountability differs significantly between the US and EU. An enterprise agreement with a US-headquartered AI provider may contain terms that are unenforceable against EU-based business units under applicable consumer and digital services law.
The most effective governance mechanism for managing AI credit risk in enterprise deployments is a baseline performance benchmark agreed at contract inception. This means identifying, before signing, the specific capability dimensions that matter for the intended use case — output accuracy in specified domains, task-completion rates, latency, consistency across repeated similar queries — and documenting a measurable baseline that the vendor acknowledges.
A performance benchmark does not need to be a technically complex evaluation suite. For many enterprise use cases, a representative sample of twenty to fifty test cases, evaluated against agreed quality criteria, provides a sufficient baseline to detect material performance degradation over time. The key is that the benchmark is documented in the contract, that both parties acknowledge it reflects the service at the time of contracting, and that the contract specifies what happens — review, renegotiation, price adjustment, or termination right — if the benchmark is no longer met.
Organizations deploying AI in consequential workflows should negotiate two additional provisions: drift monitoring rights and model update notice requirements. Drift monitoring rights give the organization the right to periodically re-evaluate the platform against the baseline benchmark, using the agreed test cases, and to receive vendor response if material degradation is detected. Model update notice requirements obligate the vendor to provide advance notice — typically thirty to ninety days — before making model updates that may affect the performance characteristics the organization relies on.
These provisions are standard in sophisticated enterprise AI agreements but absent from most small and mid-market contracts. The size of the organization is not, however, an accurate predictor of risk exposure — a mid-size nonprofit that has integrated an AI platform into its grant-writing, compliance reporting, or financial analysis workflow has substantial dependency risk regardless of whether it has the negotiating leverage of a Fortune 500 company.
Standard AI platform agreements allocate essentially all output-quality risk to the customer. The governance question is not whether to accept this allocation for low-stakes use cases — where the cost of negotiating bespoke terms outweighs the risk — but whether to accept it for high-stakes deployments where AI output errors could generate legal liability, regulatory exposure, or material harm.
High-stakes deployments — legal document generation, compliance reporting, financial analysis, medical information, human resources decisions — warrant explicit contractual attention to output-error liability. At minimum, the contract should specify what representations the vendor is making about output accuracy (if any), what the vendor's obligation is if the organization can demonstrate that a specific output error was within the vendor's reasonable ability to prevent, and whether the vendor maintains any insurance coverage for AI output liability.
The credit justice problem is, at its root, a procurement governance problem that has not yet been mapped onto standard vendor risk management frameworks. The GRC function is the natural home for this governance work: it sits at the intersection of vendor management, risk assessment, legal exposure, and compliance — all of which are relevant to the AI credit question.
Operationally, this means GRC teams should be involved in AI vendor selection and contract negotiation — not after the contract is signed and the integration is built, but during the evaluation process. The questions of performance baseline, drift monitoring, model update rights, and output-error liability are easier to negotiate before a vendor relationship is established than after. For organizations building this capability, the AI governance leadership career resources provide context on the emerging roles that anchor this work.
The broader regulatory environment pressing organizations toward this governance rigor is analyzed in Navigating the Wave: How Corporate GRC Is (or Isn't) Keeping Pace. The vocabulary that GRC teams need to engage these questions precisely is in The 2026 GRC-AI Lexicon.
In the EU, AI subscription services fall within the Consumer Rights Directive and the Digital Content Directive, which provide a 14-day withdrawal right and conformity requirements throughout the subscription period. In the US, there is no federal equivalent — coverage depends on FTC enforcement authority and state consumer protection statutes, which vary significantly. EU-based organizations may have statutory rights that exceed what platform terms acknowledge.
Model drift is the degradation of AI model performance as production data diverges from training data. For refund purposes, whether drift constitutes a breach of the service contract depends on jurisdiction and contract terms. Most current terms are silent on drift. GRC teams negotiating enterprise agreements should require performance benchmarking provisions and drift-triggered SLA review rights. The governance analysis of model drift appears in The Four Blind Spots of Force-Fitting AI Into Traditional Governance.
No major AI platform currently provides automatic refund rights for output quality failures. OpenAI, Anthropic, Google, and Perplexity all disclaim output quality warranties in standard terms. Manus, as an agentic platform, adds the complexity of orchestration-layer failure attribution. EU-based users may have conformity remedy rights under the Digital Content Directive that are not reflected in platform terms.
The EU Consumer Rights Directive provides consumers a 14-day withdrawal right for digital services, unless they have explicitly consented to immediate delivery and acknowledged forfeiture of the right. The Digital Content Directive additionally requires conformity throughout the contract period — meaning a service that materially underperforms its described capabilities may give rise to repair, replacement, price reduction, or termination rights. These remedies exceed what standard platform terms offer.
GRC-informed procurement should include: a baseline performance benchmark at contract inception; drift monitoring rights; advance notice requirements for model updates; explicit liability allocation for output errors in high-stakes use cases; and a performance-based termination right. The Chief AI Compliance Officer role is increasingly the organizational home for this procurement governance work. Active compliance roles can be found at ExecSearches Compliance Jobs.