At Google I/O 2026 and Google Marketing Live (GML) 2026, a major shift took place in the way global digital commerce now operates. With the deployment of the Universal Cart ecosystem, driven by the Universal Commerce Protocol (UCP) and the Agent Payments Protocol (AP2), Google shifted from simply directing users to websites into becoming a fully integrated shopping environment.
Through this open-source infrastructure, co-developed with retail conglomerates like Shopify, Walmart, Target, and Wayfair, autonomous AI agents like Gemini Spark operate on a 24/7 basis, executing transactions and maintaining a persistent cross-platform memory across Search, Gemini, YouTube, and Gmail.
For businesses, this new system creates major risks that are not immediately visible. When transactions, customer intent data, and internal business operations all move through AI-managed systems, standard business contracts often stop providing meaningful protection. Digital platforms are no longer just organising information, they are now continuously collecting behavioural intelligence.
How Operational Convenience Becomes Contractual Surrender
The pattern is consistent across entity types, and it rarely begins with a dramatic decision.
Start-ups integrate AI developer tools rapidly to hit MVP timelines. The focus is speed, not long-term contractual protection. Default vendor agreements contain model training permissions buried three sections deep. Nobody reads them carefully under funding pressure. The company often gives up part of its intellectual property advantage before the product even launches.
Mid-market companies execute template SaaS agreements to manage overhead costs. Legal review becomes a routine formality instead of a deeper strategic review. Many enterprise software agreements already contain clauses allowing behavioural data collection, metadata usage, and aggregated optimisation rights. They remain in standard contracts largely because most companies are not actively searching for them.
Consulting firms permit employees to draft client methodologies using public conversational AI tools. The firm believes it is accelerating delivery. The platform may gradually absorb proprietary methods and frameworks into its training systems. The loss of commercial know-how happens slowly, and over time. By the time the pattern becomes visible, the institutional knowledge advantage has already migrated.
D2C brands optimise short-term conversion through platform interfaces. Customer intent data, purchase behaviour, and interaction cadence are captured at the platform layer rather than the merchant layer. The brand may keep the sale, but it gradually loses ownership over customer insight. The platform retains the customer intelligence and may eventually control the customer relationship itself.
PE-backed companies optimise for scaling velocity. Governance review is often postponed until investment or exit-stage diligence begins. By then, the company’s systems and data dependencies are already deeply embedded by then, vendor rights are contractually protected, and reversing dependency requires operational disruption the company cannot afford at that stage.
The common thread is not negligence. It is sequencing. Operational decisions precede governance review. Dependency becomes difficult to reverse before governance and contracts catch up.
What Legacy Contracts Cannot Protect
Most companies’ contracts were created for a very different business environment.
Standard NDAs protect static documents. They protect code marked confidential, presentations labelled proprietary, and databases explicitly identified as trade secrets. They are simply not designed to protect dynamic behavioural intelligence — the search intent patterns, pricing logic fluctuations, negotiation velocity data, customer-interaction cadence, and workflow habits that constitute actual enterprise value in modern commercial environments.
Google’s Universal Cart framework, operating through the Universal Commerce Protocol and Agent Payments Protocol, illustrates the architectural shift precisely. Transactions occur within the platform interface. Customer intent is captured at the AI layer before reaching the merchant. Behavioural patterns are aggregated across Search, Gemini, YouTube, and Gmail simultaneously. The merchant still handles fulfilment, but the platform increasingly controls the customer intelligence.
What businesses often see as better visibility, experienced advisers may see as gradual loss of customer ownership and first-party data. Those are not the same operational outcome, regardless of what the short-term conversion metrics suggest.
The due diligence implication is significant. Modern acquirers and institutional investors are no longer evaluating only static IP, patent registers, and software licenses. They now evaluate data control, API dependency, vendor training rights, and how much of the customer relationship is controlled by outside platforms. Companies that focused only on operational growth often realise these risks at the worst possible commercial stage.
Where Bargaining Power Migrates
Companies rarely lose leverage through one major agreement alone. It accumulates across individually harmless procurement decisions that collectively externalise the enterprise’s operational intelligence.
CRM platforms aggregate negotiation velocity, pricing concession patterns, and communication cadence across entire industry verticals. Productivity suites capture workflow habits and document structures. Browser-extension AI utilities create prompt leakage of internal parameters. Enterprise cloud agreements permit vendors to utilise aggregated anonymised metadata for model refinement. Each agreement, read in isolation, appears reasonable. Read collectively against the enterprise’s actual value system, together, these agreements can slowly transfer valuable institutional knowledge into platform ecosystems.
The problem becomes even worse when decisions are fragmented across teams.. When sales, marketing, HR, and product teams procure AI tools independently, under separate click-wrap agreements, without centralised governance review, the company’s commercial intelligence scatters across multiple unmonitored environments simultaneously. No single decision created the exposure. The company’s governance gaps allowed the problem to grow unnoticed over time.
Sophisticated corporate counsel does not enter this conversation after the dependency exists. The entry point is procurement strategy, specifically, identifying the point where operational convenience starts becoming long-term dependency, and designing contractual boundaries before the workflow integration makes renegotiation impractical.
The Governance Gap That Diligence Eventually Finds
These situations expose a major gap between how companies protect physical assets and how they manage behavioural intelligence and operational data.
Traditional corporate governance protects what can be registered, marked, and audited. Patents, trademarks, classified documents, formal IP registers. These systems still work well for the assets they were originally designed to protect. But they are not designed for the kinds of operational data and behavioural intelligence that now drive most enterprise value.
When this issue appears during diligence, the discussion quickly moves beyond basic legal compliance.It becomes a question of valuation and long-term business strength. Investors ask which AI systems are hardcoded into daily operations, what data rights have been granted to vendors, and whether the company’s workflows are still genuinely proprietary or have effectively become part of external platform systems. Companies that cannot clearly answer these questions often face valuation pressure, not just legal concerns.
The companies retaining long-term leverage are redesigning governance systems before platform dependency becomes permanent. Centralised procurement review committees covering all AI and platform integrations. Proprietary data is increasingly being separated behind zero-retention API systems. Vendor agreements amended to exclude behavioural data extraction, metadata harvesting, and model training rights. Audit rights built into technology agreements from the outset rather than requested retrospectively.
The companies protecting long-term leverage are not rejecting AI systems altogether. They are identifying where operational convenience becomes institutional dependence, and they are putting governance systems in place before operational convenience turns into irreversible dependency.
The companies discovering these issues only during diligence are usually facing a far more difficult conversation.
COMMERCIAL LAW BLOG 
Leave a comment