What is AI escrow?

Traditional software escrow protects source code and documentation. SaaS escrow expands that to cover cloud environments, deployment configurations, and live data. AI escrow goes further still, because what makes an AI system valuable isn't just the code running it; it's the intelligence built into it.

Consider what a mature AI deployment actually contains. There's the foundation model — often hosted and maintained by a third-party provider. There's the fine-tuning layer, which is trained on proprietary data and took significant time and compute to develop. There are system prompts, prompt chains, and agent definitions that encode months of engineering judgment. There are workflow orchestrations connecting the AI to other systems. And there are deployment configurations that make all of it accessible to the people and processes that depend on it.

Standard software escrow wasn't built to handle any of this. It doesn't know what model weights are, let alone how to store, verify, or release them. AI escrow is purpose-built for the full stack.

A complete AI escrow deposit covers the four layers of a production AI stack:

• Foundation models and weights: The base model or fine-tuned model versions the AI system depends on, including model weights, version histories, training data, and credentials. This is the intelligence layer — without it, the rest of the stack has nothing to run on.
• Model deployment configurations: API configurations, routing rules, rate limit settings, access controls, and infrastructure-as-code defining how the model is hosted and accessed. These are what allow the AI to be redeployed on different infrastructure if the original provider fails.
• Prompts and agent definitions: System prompts, prompt templates, prompt chains, agent logic, and tool definitions. For organizations that have invested heavily in prompt engineering, this layer represents significant intellectual effort, and it can be wiped out by a vendor decision with no notice.
• Workflow orchestrations: The configurations, integration mappings, and automation sequences that connect the AI to other systems and processes. This includes platform-specific workflow definitions from tools like Zapier, Make, n8n, and similar orchestration platforms.

A legal contract sets out what gets deposited, how often it's updated, and the specific conditions under which materials can be released. For AI escrow, this requires more careful scoping than traditional software escrow. The agreement needs to reflect the architecture of the AI system and account for assets — model weights, training data, prompt libraries — that standard escrow agreements don't typically address. Jurisdiction selection matters too, particularly for organizations with cross-border compliance obligations.

The AI system owner deposits the full stack: models, fine-tuning data, prompts, workflows, deployment configurations, and credentials. The deposit needs to be comprehensive enough that a qualified team could take these materials and restore full operational capability without the original vendor.

AI systems change constantly. New model versions get deployed. Prompts get refined. Workflows get updated. Keeping an escrow current requires automation — manual deposits fall out of date too quickly to be reliable. Codekeeper integrates directly with the platforms where AI assets live, syncing automatically on a daily basis so the escrow always reflects the current state of the system.

For AI escrow, verification goes beyond file integrity checks to include testing that the escrowed assets can be used to rebuild and run the AI system in a test environment. More on this below.

If a qualifying event occurs, the beneficiary notifies the escrow agent and requests a release. The agent manages the process: notifying the depositor, allowing a dispute window, then coordinating secure delivery of the materials. For urgent situations, this process runs around the clock.

Release conditions are defined in the agreement upfront, and nothing gets released outside of them. Standard triggers apply:

• Vendor insolvency or bankruptcy
• Cessation of operations
• Material breach of agreement
• Failure to maintain the AI system after formal notice
• Changes of ownership that affect support continuity

For AI specifically, it's worth negotiating additional release triggers that account for the ways AI vendor relationships can break down short of outright failure:

• Unilateral model deprecation or replacement that materially affects system performance, without adequate transition time
• Pricing changes that exceed a defined threshold within a specified period
• Terms of service changes that restrict access to or use of fine-tuned models or training data
• Sustained degradation of model performance beyond agreed benchmarks
• Vendor discontinuation of the specific model version or API tier the system depends on

Setting up an AI escrow agreement gives you the legal right to access your materials if something goes wrong. Verification gives you confidence that when you exercise that right, everything will work.

This is especially important for AI systems because the failure modes are more complex. A source code deposit that passes file integrity checks will probably build. An AI deposit that passes file integrity checks might still fail in practice if model weights are incomplete, if fine-tuning data references external dependencies that weren't captured, or if workflow configurations reference platform-specific features that don't translate to a new environment.

Codekeeper offers three verification levels for AI escrow:

• Validated uses automated scans to confirm all required materials were deposited and checks file integrity. It includes a Basic Software Resilience Certificate and is a solid baseline for lower-risk AI applications.
• Verified adds automated tracking of model changes and training data profiles over time. It includes an Enhanced Software Resilience Certificate and provides ongoing assurance that the deposit stays current as the AI system evolves.
• Certified is the highest level: expert engineers attempt to rebuild and run the AI system from the escrowed materials in an isolated test environment. They verify that models load correctly, prompts execute as expected, and workflows run properly — then issue a Premium Software Resilience Certificate documenting exactly what was tested and confirmed. For mission-critical AI systems where recovery needs to be provable, this is the right choice.

Which AI systems are now critical to operations? Which of those depend on third-party vendors for models, hosting, or orchestration? That's your starting list. If you want a structured approach, Codekeeper's risk assessment walks you through it and produces a report you can act on.

What models are you using, and are they hosted externally or self-deployed? What fine-tuning or custom training has been done? What platform handles orchestration and workflow? How is data structured and stored? These answers determine what the deposit needs to cover.

How quickly does the AI system need to be restored after a vendor failure? What does "operational" mean in that context? For systems where any downtime is unacceptable, this shapes both the deposit scope and the verification level you'll need.

Agree on your AI escrow terms, ideally at the same time as the vendor agreement. It's significantly easier to get alignment before the system is embedded than to retrofit escrow later. AI escrow requires more technical scoping than traditional software escrow, so having an escrow provider involved early helps. Our in-house legal team handles agreement drafting and can facilitate the conversation between parties.

Connect your platforms through Codekeeper's integrations. From that point, deposits update automatically on a daily basis without any manual intervention. Also, schedule verification reviews in line with your agreement terms and any audit cycles you're working to.