There's a noticeable gap in the discourse around AI governance. While policy discussions, frameworks, and responsible AI statements abound—signaling good intentions and a compliance-driven mindset—the real action unfolds elsewhere, far from these documented aspirations.

The critical decisions about AI are being made in contracts. This might seem like an obvious observation, but the implications are profound and often overlooked. These contracts are not just mere documentation of AI engagements; they structure and define them. They decide who has the rights to use data, who is accountable for the outputs, and what kind of evidence is required to demonstrate system behavior. They also determine the conditions under which a customer can suspend or revoke access. These elements represent the nuts and bolts of governance.

As AI technology transitions from experimental phases to core infrastructural elements, the shortcomings of traditional governance frameworks become starkly apparent. The pace of this transition outstrips the evolution of related regulations, insurance norms, and internal organizational processes, leaving contracts to fill the governance void effectively.

Contracts have evolved from high-level, aspirational clauses to specific, enforceable provisions that reflect the intricacies of AI operations. Training rights, input, and output specifications are now explicitly defined, with governance terms integrated throughout the agreement rather than being isolated. This shift from a stylistic to a structural approach in contract drafting marks a significant evolution in how AI governance is being implemented.

However, one critical area remains poorly understood and implemented—training rights. Traditionally, data clauses held the spotlight in vendor agreements, but as the focus shifts towards training rights, the complexities increase. Clauses that bundle "use," "train," and "fine-tune" under a single permission fail to recognize the distinct risks and values associated with each. This often results in a misallocation of rights that isn't immediately apparent to the contracting parties.

Interestingly, the move towards more detailed contracts has proven to expedite, rather than hinder, deal closures. Clear governance reduces uncertainty and makes permission grants and risk assessments more straightforward, thereby speeding up the agreement process. These contracts act not only as legal documents but also as indicators of a company's approach to managing risk, control, and accountability.

Furthermore, the shift towards verifiable controls in contracts—such as logs, audits, and traceability—is replacing the traditional reliance on assurances. This change reflects a broader need for ongoing verification and accountability, driven by the dynamic nature of AI systems and the uncertainties they introduce.

In conclusion, AI governance isn't failing; it has simply shifted arenas. The focus now must turn to contracts, where the real governance is taking place. By reexamining existing agreements through a governance lens and insisting on clear, separated definitions of rights and responsibilities, organizations can ensure that their AI deployments are not only compliant but also aligned with their operational realities and ethical commitments.