Commercial AI Deployments: Legal and Regulatory Considerations for AI as a SaaS or Product Offering 

I. Regulatory Characterisation of AI: Product, Service, or Infrastructure 

A threshold legal question in assessing AI risk under Indian Law is the regulatory characterisation of artificial intelligence systems, specifically whether AI is to be treated as a product, a service, or a form of digital infrastructure. This classification is not merely academic; it directly determines the applicable liability standard, regulatory oversight, and enforceability of contractual risk allocation. Under the Consumer Protection Act, 2019 (“CPA”), AI systems deployed through software platforms may fall within both “goods” and “services” depending on functionality and market positioning. Where an AI system is marketed as an autonomous or semi-autonomous decision-making tool, particularly in domains such as finance, legal analysis, healthcare, or compliance, courts and regulators are increasingly likely to treat the AI model and its outputs as a product, thereby attracting strict product liability standards irrespective of fault. 

Conversely, where AI is positioned as an assistive or advisory tool delivered through a Legal and Regulatory Considerations for AI as a SaaS / Product Offering (“SaaS”) framework, it may be characterised as a service, exposing providers to claims of deficiency in service, negligence, and unfair trade practices. It is pertinent to mention here that the Indian consumer jurisprudence has consistently favoured substance over form, and disclaimers describing AI outputs as “non-binding” or “informational” may not be determined where users are reasonably induced to rely on such outputs for consequential decision-making. 

In practice, AI systems are likely to be treated as hybrid constructs, combining elements of both products and services. Model training, architecture, and deployment design are increasingly viewed as product attributes, while inference, updates, and output delivery are assessed as ongoing service obligations. This hybrid treatment materially expands liability exposure, as providers may be held accountable for both inherent design defects and post-deployment performance failures. 

This evolving classification framework signals a departure from traditional SaaS risk assumptions and underscores that AI regulation in India will be driven by functional impact rather than contractual labels. 

II. Product Liability 

Traditional SaaS liability was simple: if the server went down, you owed a credit as per service level agreements (SLAs). With AI, the liability is about output quality and unintended consequences. 

1. The "Black Box" Problem: It is often impossible to explain why an AI made a specific error (the "black box"). Under the current legal push, the burden of proof is shifting; courts may now presume the product is defective if the company cannot explain the AI's logic. 

2. Design vs. Dynamic Defects: Standard products are static. AI evolves. A SaaS tool that was safe at launch might become "defective" after learning from bad user data. Indian courts may begin to view this as a continuous design defect, making the developer liable even for post-launch behaviour. 

3. Professional Negligence: For "Coworker" style agents (Legal, Finance, Medical), errors are no longer just "bugs"; they are treated as professional malpractice. If an AI agent executes a bad trade or signs a flawed merger, the SaaS provider may be held to the same standard as a human professional. 

Beyond horizontal liability regimes, AI deployments intersect with sector-specific regulatory frameworks that impose heightened standards of care. In financial services, algorithmic decision-making tools may attract oversight from the Reserve Bank of India or SEBI, particularly where AI influences credit underwriting, trading, or investment advice. In healthcare, AI systems providing diagnostics or treatment recommendations may be scrutinised as medical devices or clinical decision-support systems. Legal and compliance-focused AI tools risk exposure to unauthorised practice concerns where outputs substitute licensed professional judgment. 

Sectoral regulators are increasingly adopting a substance-over-form approach, evaluating the functional role of AI rather than its technical architecture. Failure to account for these overlays may result in regulatory intervention irrespective of general compliance with IT or data protection laws. 

III. Contractual Allocation of Risk in AI Deployments 

Contractual frameworks governing AI deployments are under increasing judicial and regulatory scrutiny, as traditional SaaS-based risk allocation models prove inadequate for autonomous or decision-influencing systems. Indian courts have historically upheld freedom of contract; however, this autonomy is increasingly constrained where AI systems generate scalable harm or substitute human professional judgment. 

1. Output Risk and Reliance Limitations: Blanket “no-reliance” or “as-is” disclaimers are unlikely to provide absolute protection where AI systems are designed to automate or materially influence business decisions. Courts may assess whether the provider implicitly encouraged reliance through marketing claims, system design, or workflow integration. The emerging expectation is a calibrated reliance model, incorporating human-in-the-loop safeguards, audit trails, and contextual confidence disclosures. 

2. Indemnities and Regulatory Exposure: AI contracts must expressly address indemnification for (i) intellectual property infringement arising from training data, (ii) regulatory penalties under the DPDP Act, IT Act, and sectoral regulations, and (iii) third-party claims arising from AI-generated outputs. Notably, regulators and adjudicatory bodies may disregard private indemnity arrangements when assessing statutory liability, leaving parties to resolve risk allocation inter se post-enforcement. 

3. Liability Caps and Enforceability: Standard liability caps linked to subscription fees or annual contract value may be judicially diluted where AI failures result in disproportionate downstream harm. Indian courts have shown a willingness to read down contractual caps in cases involving public interest, consumer harm, or gross negligence. Risk-tiered caps aligned to use cases and deployment criticality are therefore more defensible than uniform limitations. 

4. Explainability and Audit Covenants: Explainability obligations are no longer merely ethical commitments; they are emerging as legal risk mitigants. Contractual rights to audit model logic, training datasets, and decision parameters may become central to defending defect and negligence claims, particularly where evidentiary burdens shift toward the AI provider. 

Taken together, AI contracting is evolving from liability avoidance toward structured risk governance, with courts increasingly willing to intervene where private ordering undermines public accountability. 

IV. Intermediary Liability and the IT Act  

Indian intermediary law is undergoing a structural recalibration from passive hosting toward active governance obligations for AI-enabled platforms. MeitY’s advisories and proposed rule amendments collectively signal that platforms facilitating synthetic content creation are no longer viewed as neutral conduits but as risk-enabling infrastructures.

AI platforms that modify or curate content may lose Safe Harbor protection under Section 79 of the IT Act, if they take an active role in content creation. Additionally, Draft amendments to the IT Rules (2025) require platforms facilitating the creation of AI content to embed permanent labels covering at least 10% of the content’s area or duration. Failure to implement provenance verification may lead to secondary liability for third-party harms like deepfakes. 

On 10^th February 2026, the Ministry of Electronics and Information Technology (MeitY) notified draft amendment to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, targeting the growing prevalence of AI-generated and synthetically modified media online. The Amendment introduces a statutory definition of synthetically generated information, encompassing deepfakes, algorithmically generated imagery, voice clones, and other forms of AI-produced content, and seeks to impose mandatory labelling and metadata embedding obligations on intermediaries and significant social media intermediaries (SSMIs). 

Under the rules, intermediaries that enable or facilitate the creation or modification of synthetic content must ensure such information is permanently and prominently labelled as synthetic, with visual labels covering at least 10% of the surface area or audible identifiers during the first 10% of audio duration. Additional obligations compel SSMIs to require user declarations on synthetic content and to deploy reasonable technical measures to verify such declarations prior to publication.  

Non-compliance with these labelling and verification duties could result in a breach of due diligence requirements and the consequent loss of safe-harbour protection under Section 79 of the IT Act, shaping a de facto “know-your-content” regime for AI-driven media on Indian platforms. 

V. Consumer Protection Exposure under Indian Law 

AI deployment significantly expands consumer protection exposure under the CPA, 2019, particularly where AI tools are offered to individuals, SMEs, or enterprises acting outside their core commercial expertise. The statutory definition of “consumer” under Indian law is broad and may encompass users of AI-driven platforms even in B2B contexts where bargaining power is unequal, or reliance is induced. 

AI-related risks may manifest as a deficiency in service where outputs are materially inaccurate, biased, or inconsistent with represented capabilities. Additionally, exaggerated claims regarding accuracy, autonomy, or efficiency of AI systems may constitute misleading advertisements or unfair trade practices, triggering regulatory action by the Central Consumer Protection Authority (“CCPA”). 

Further, AI-driven interfaces that nudge user behaviour through opaque decision logic or adaptive persuasion mechanisms may attract scrutiny under emerging enforcement actions against dark patterns. As AI errors scale instantaneously across user bases, the likelihood of collective consumer complaints and class-style proceedings increases materially, amplifying both financial and reputational risk. 

Consumer protection law thus operates as a parallel enforcement regime for AI accountability, independent of contractual privity or technical sophistication of users. 

VI. Cross-Border Data & Regulatory Considerations 

The DPDP Act adopts a blacklist approach, permitting data transfers by default unless a territory is specifically restricted by the Central Government.   

While more flexible than the EU's “whitelist” model, it creates uncertainty as transfers can be abruptly halted based on geopolitical considerations without the alternative of standard contractual clauses. Section 3 extends the Act to any processing outside India if it involves offering goods or services to individuals within India.    

Further, the absence of explicit onward-transfer safeguards means Indian fiduciaries may incur liability for downstream transfers beyond their immediate contractual counterpart, reinforcing the need for continuous transfer-chain monitoring rather than static compliance representations. 

The Anthropic Saga 

The "SaaSpocalypse" of 2026 was a huge wake-up call for the software world. When Anthropic released its 11 "Cowork" plugins, they didn't just make a better chatbot; they created a digital workforce. This caused a USD 300 billion crash because investors realised that AI wouldn't just help people use software, it would replace the software and the workers entirely. In India, the IT stock market lost INR 2 lakh crore in one day, showing that the old business of selling "human hours" is in serious trouble. 

1. The Financial Reality: The panic happened because of money. When a single AI tool can finish a legal audit in minutes, a job that used to take a team of junior staff weeks, the idea of "billable hours" disappears. Huge Indian companies like TCS and Infosys are worried because their business relies on providing people for repetitive tasks. Now, they have a competitor that costs only $100 a month, never sleeps, and doesn't need a work visa. 

2. The Legal Problem: This situation has created a legal mess regarding who is responsible when things go wrong. Since AI "agents" now handle sensitive company files, Indian firms must follow the DPDP Act (2023) to make sure private data isn't leaked. Anthropic also had to pay a USD 1.5 billion settlement for using stolen data to train its AI. This warns Indian startups that they can no longer just "scrape" data from the internet for free. Governments are now trying to decide who pays the bill when an AI makes a massive mistake in a legal or financial document. 

The Anthropic saga underscores the dual peril of market disruption and legal reckoning, where AI's efficiency erodes billable-hour models while exposing providers to indemnity claims, data provenance disputes, and cross-border transfer risks. For SaaS providers and product deployers, success hinges on proactive governance: embedding explainability, audit rights, and tiered indemnities in contracts; ensuring sectoral compliance; and monitoring geopolitical data flow shifts. 

Disclaimer

The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.

For further queries or details, you may contact:

Ms. Kritika Krishnamurthy

Founding Partner

AK & Partners

info@akandpartners.in