You paste a 40-page SaaS contract into Claude. You ask it to find problematic clauses. It gives you a neat summary. Looks thorough. Reads well.
Three weeks later, your vendor terminates your account with zero notice, walks away with derivative IP you built on their platform, and you discover the data processing agreement doesn't meet GDPR adequacy standards.
All three issues were in the contract. The AI read every word. It flagged none of them.
This is what happened in a real review we ran. And it is not an edge case.
The Setup
We took an actual enterprise SaaS contract — 38 pages, standard structure: master agreement, SLA, DPA, acceptable use policy, and three order forms. The kind of contract a mid-market company signs when onboarding a core infrastructure vendor.
We ran it through two approaches:
- Vanilla Claude — the contract pasted in with a straightforward prompt: "Review this SaaS contract. Identify problematic clauses, risks, and anything I should negotiate before signing."
- Expert legal skill — the same contract processed through a specialized SaaS contract review skill built on structured legal frameworks, jurisdiction-aware analysis, and adversarial clause detection.
Same model. Same contract. The outputs were not close.
Clause 1: IP Ownership Asymmetry
What the contract said (Section 8.3):
"Any modifications, derivative works, or integrations developed by Customer using or in connection with the Service shall be deemed works made for hire and shall be the exclusive property of Provider."
What vanilla Claude said:
"Section 8.3 addresses IP ownership. The Provider retains ownership of the Service and related modifications. This is standard for SaaS agreements. Consider whether this aligns with your IP strategy."
That reads like a summary, not a review. The actual risk is buried in the phrase "in connection with." It means anything you build that touches their API — internal tools, customer-facing features, data pipelines — becomes their property. Not just modifications to their software. Anything adjacent to it.
What the expert skill flagged:
The skill identified this as an overbroad IP assignment clause with three specific risks: (1) "in connection with" extends far beyond derivative works of the service itself, (2) the "works made for hire" characterization may not hold in jurisdictions where it requires an employment relationship, and (3) there is no carve-out for pre-existing IP. It recommended narrowing the scope to "modifications made directly to Provider's proprietary code" and adding an explicit pre-existing IP exclusion.
The difference: vanilla Claude told you the clause exists. The expert skill told you it could cost you ownership of your own product.
Clause 2: Termination Without Cure Period
What the contract said (Section 12.2(b)):
"Provider may terminate this Agreement immediately upon written notice if Customer breaches any provision of this Agreement."
What vanilla Claude said:
"Section 12.2(b) allows Provider to terminate for breach. This is a standard termination clause. You may want to negotiate mutual termination rights."
Standard. That word does heavy lifting here. Immediate termination for "any breach" — including minor, inadvertent, or technical violations — with no cure period is not standard. It is predatory.
What the expert skill flagged:
The skill identified the missing cure period as a critical negotiation point. Standard SaaS contracts provide 30 days to cure material breaches. This clause allows termination for any breach, material or not, with zero opportunity to fix the issue. It also flagged the asymmetry: Section 12.2(a) gave the customer termination rights only for "material breach" with a 60-day cure period. The vendor gets instant kill. You get a 60-day waiting room.
Recommended redline: "Provider may terminate this Agreement upon 30 days' written notice if Customer commits a material breach that remains uncured at the expiration of such notice period."
Clause 3: GDPR-Inadequate DPA
What the contract said (Exhibit C, Data Processing Agreement, Section 3.4):
"Provider shall implement appropriate technical and organizational measures to ensure the security of Personal Data."
What vanilla Claude said:
"The DPA includes provisions for data security measures. Consider verifying that these align with your specific compliance requirements."
What the expert skill flagged:
The skill flagged seven specific gaps against GDPR Article 28 requirements:
- No specification of processing purposes (Art. 28(3)(a))
- No sub-processor notification mechanism (Art. 28(2))
- No data deletion/return obligations upon termination (Art. 28(3)(g))
- No audit rights for the controller (Art. 28(3)(h))
- "Appropriate measures" without defined standards fails the specificity requirement
- No cross-border transfer mechanisms (missing SCCs or adequacy references)
- No breach notification timeline (GDPR requires a 72-hour notification chain)
If you sign this DPA and a regulator audits your vendor relationships, you are exposed. Not because of a technicality — because the DPA is substantively incomplete. The fine ceiling is 4% of annual global turnover or EUR 20 million, whichever is higher.
Why This Happens
Generic AI treats contracts as text to summarize. It reads clauses and describes what they say. It does not evaluate what they mean in context, compare them against market standards, or identify what is missing.
Contract review is not summarization. It is adversarial analysis. You need to know:
- What does this clause allow the other party to do to me?
- How does this compare to what is standard?
- What is conspicuously absent?
- What happens when things go wrong?
Vanilla Claude is good at the first question. It struggles with the other three because they require domain-specific frameworks — knowledge of standard market terms, regulatory requirements by jurisdiction, and the patterns that signal one-sided drafting.
An expert legal skill carries that context. It knows that a SaaS contract without a cure period is unusual. It knows what GDPR Article 28 requires. It knows that "in connection with" is a red flag in IP clauses. Not because it was told in the prompt — because the skill was built with those frameworks embedded.
The Human Outcome
Here is what matters. After the expert review, the contracting team went back with specific redlines. They negotiated:
- IP scope narrowed to direct modifications of Provider code, with a pre-existing IP carve-out
- 30-day cure period for material breaches, mutual termination symmetry
- A compliant DPA with sub-processor lists, audit rights, 48-hour breach notification, and SCCs for cross-border transfers
The vendor accepted all three changes with minor modifications. They were reasonable asks — the vendor's own counsel likely knew the original terms were aggressive. But you cannot negotiate what you do not catch.
The contract was worth roughly EUR 200K annually. The IP clause alone, if triggered, could have cost multiples of that in product value. A 30-second paste into a generic chatbot told the team everything looked fine. It was not fine.
The question is not whether AI can help with contract review. It obviously can. The question is whether the AI you are using knows what to look for — or whether it just knows how to read.