The 5 legal mistakes quietly destroying your agency's margins
You don't need a law degree. You need to stop making these five completely avoidable errors.
I've been writing enterprise statements of work for over a decade. I've got the scars to prove it.
So when I sat in on a legal session recently with a brilliant M&A-turned-agency lawyer named Dan, I wasn't expecting to learn much. I was wrong. Not because the principles were new to me — but because he named things I'd been living through for years without ever having clean language for them.
Here are the five legal mistakes Dan says consistently erode agency margins. I'd bet at least three of them apply to you.
1. Weak scope — and the change you don't catch in the moment
Everyone knows scope creep is a problem. What's less obvious is when you have to deal with it.
The answer, as Dan put it bluntly: "at the time, not months later." A client redirects the project mid-engagement, your team adapts (because that's what good teams do), and nobody pauses to flag that the original agreement no longer reflects reality. Then you're sitting across from a client at invoice time saying, "Actually, we did about 20% more than we scoped." That conversation is almost impossible to win.
I'd add two things from experience. First, the conversation about scope change is almost always easier when it's not the delivery team having it — an exec sponsor role creates healthy separation. Second, even if you absorb extra work for legitimate reasons (marquee client, competitive situation, whatever), document it anyway. It shows the client what you delivered, it protects you later, and frankly it leaves a much better taste than a surprise invoice.
2. Missing commercial protections — the 1% that saves you
Most of the time, nobody reads the boilerplate. That's fine. But when a client goes difficult, stops paying, or starts behaving badly — that small print is the only lever you have.
Dan calls these the "1%" protections: CPI increase clauses, auto-renewal terms, the right to pause work if a client fails to pay or fails to provide what you need. Not every agency needs every clause. But not having any of this? That's avoidable risk for minimal effort.
The smart approach, which I'm increasingly convinced is right: keep your T&Cs on a URL and sign a short order form each time. No 40-page negotiation. No barrier to getting the deal done. But full protection in the background for when things go sideways.
3. IP confusion — especially with freelancers
Here's one that genuinely surprised people in the room: if your freelancers don't have signed contracts assigning IP to you, you may not actually own the work they created for your clients.
This isn't theoretical. Dan shared a story of a Japanese font on a kiosk that became a £5–10k problem and nearly derailed a business sale. Luke shared a campaign that cost his former agency nearly £50k when a PR team used the London Underground map creatively — no IP clearance, huge press coverage, then a letter from Transport for London.
The fix is simple: standard freelancer agreement, deployed consistently, covers all past and future work. The complexity is just in doing it.
4. Over-promising on outcomes
You are not responsible for your client's sales figures. You can't guarantee conversions, visibility, or revenue — because those outcomes depend on factors entirely outside your control.
Review your contracts for any language that implies otherwise. This is especially worth doing if you're using agreements that haven't been updated in a few years. One unhappy client pointing to a poorly worded clause can turn a billing dispute into something much messier.
5. AI risk — and why you need a policy now
The legal landscape around AI is still developing, but the practical risks are real today.
The two big ones: putting client confidential information into public LLMs (which likely breaches your confidentiality agreements), and shipping AI-generated output to clients without proper human review. The copyright question — whether these models are scraping protected work — is primarily the AI companies' problem, not yours. But the data leakage risk is yours.
Dan's recommendation: don't write a bespoke 50-page policy. Write a short, practical one. Identify the five to ten key behaviours you actually need people to follow, and operationalise those. A policy nobody reads is worth nothing.