The Margin Erosion No One Models
How Contractual Obligations Reshape ICPs in the AI Era
👋 The OnlyLawyer newsletter breaks down legal topics that tech companies should know. Whether you are in legal, finance, or even the CEO, these are important topics to understand.
For today’s post, I asked Rachel Harris (GC and AI Governance Officer at a Series D tech company) to write a guest post on the hidden customer costs that no one thinks about and why your legal team should be involved in ICP discussions.
Legal’s View on ICP
As a General Counsel in tech, I see deals close all the time that look identical on paper—same ARR, same contract structure—but create wildly different obligations for the company.
One customer triggers quarterly compliance attestations that never end.
Another embeds audit rights that consume Security and Engineering for weeks each year.
A third demands contractual commitments that lock you into roadmap decisions you can’t easily reverse.
Finance sees the revenue. Legal sees the obligation.
These obligations have a cost structure that most Ideal Customer Profiles (ICPs) never account for.
The Pattern Often Overlooked
Here’s what I’ve learned: customer type and vertical drive obligation exposure in ways that don’t show up in traditional sales or finance models.
A regional bank and a tech startup might pay the same subscription fee, but they don’t trigger the same regulatory requirements, security controls, insurance provisions, indemnification scope, or audit obligations. Some of those costs are one-time. Many are recurring. Almost all of them require sustained internal capacity that’s difficult to price and even harder to unwind.
This matters more now than ever in the age of AI because the regulatory surface area is larger and less settled. New data flows create new compliance obligations. AI outputs create new liability questions. Transparency requirements create new documentation burdens.
And every one of those requirements shows up differently depending on who your customer is, not just what your product does.
Traditional ICP models are built to capture: who can buy, how much they’ll spend, and whether they’ll expand. Traditional finance models are built to capture direct costs: COGS, infrastructure spend, etc. What can be missed is obligation: the sustained capacity commitments that don’t flow through standard accounting but compound across teams and quarters.
Obligation Compounds
The challenge isn’t that Sales and Finance don’t care about costs. It’s that many of these costs are invisible until they’re already embedded in the operating model.
Contract negotiations that extend 6+ months don’t show up as COGS. They show up as Legal, Security, and Sales capacity that can’t be redeployed elsewhere.
Custom security controls required by a single vertical don’t appear as direct costs. They appear as engineering drag and architectural constraints that slow down the roadmap for everyone else.
Annual SOC 2 audits are standard, but when three enterprise customers each demand their own bespoke audit process on top of that, the marginal cost is real; it just doesn’t get allocated cleanly.
By the time Finance can model the impact clearly, the contractual commitments are already signed.
Where This Shows Up: The Regulated Enterprise Customer
Take a healthcare or financial services customer. They’re often strategic wins: credible logos, large contracts, validation for the product. They also come with obligations that persist long after the deal closes.
You’ll face industry-specific regulations you didn’t have to meet before. Security frameworks that require new controls or certifications. Contractual representations and warranties that expose you to ongoing compliance work. Audit rights that give the customer visibility into your operations on their timeline, not yours. And indemnification provisions that broaden your risk surface in ways that compound with each similar deal you sign.
Some of this is manageable. Some of it is expensive. And some of it reshapes your business model in ways you didn’t anticipate.
A single $500K healthcare contract can easily consume 400+ hours of Legal, Security, and Engineering time in Year 1 alone. Not for implementation, but for compliance attestations, audit preparation, and bespoke security reviews. That’s $200K+ in fully-loaded cost that never appeared in the deal economics.
That’s not a Finance failure. It’s a timing problem. Legal sees these obligations at contract review, when they’re still negotiable. Finance sees the cost impact quarters later, when the commitments are already locked in. By then, the only levers left are pricing adjustments or renegotiation (both expensive and often impractical).
ICPs Built Without Legal Input Miss Part of the Picture
Most ICPs are built by Sales and Marketing, sometimes with Finance input on unit economics or pricing models. The goal is to identify who can buy, who will expand, and who fits the growth model.
What’s missing is the question Legal is uniquely positioned to answer: What does it actually cost—in obligation, risk, and sustained capacity—to serve this customer over time?
This isn’t about being risk-averse. It’s about being precise. Some enterprise customers are worth the complexity. Some aren’t. And the only way to know the difference is to model the obligation structure before it’s embedded in your contracts and operating model.
What the Partnership Actually Looks Like
When Legal and Finance build ICPs together, the questions evolve:
Which regulatory obligations are triggered by customer type, not product features?
How many annual audits, assessments, or compliance reviews does a given vertical realistically require?
Which contract terms create recurring work that never appears in a pricing model?
What’s the true opportunity cost when Legal, Security, and Engineering resources are dedicated to one customer’s demands?
Where do we have contractual flexibility, and where are we locked in?
The exercise is operational and strategic. And it’s the difference between a profitable ICP and one that quietly erodes margin for years.
Why This Matters Now
AI products accelerate this dynamic. Regulatory scrutiny is higher. Data obligations are more complex. Transparency and auditability expectations are stricter. And customers in regulated industries are asking harder questions earlier in the sales process.
If your ICP assumes that all revenue carries the same obligation structure, you’re forecasting with blind spots.
Legal can help surface cost drivers that traditional models might miss. And obligation, once embedded, is expensive to unwind.
Where to Start
If you’re a GC or CFO looking to enhance your modeling and ICP frameworks:
Start with your most recent 5-10 enterprise deals. Map the actual Legal, Security, Support, and Engineering hours consumed in the first 12 months post-signature.
Identify which obligations were one-time vs. recurring. Most teams underestimate how much “recurring” actually recurs.
Bring those perspectives (Legal, Security, Support, and Engineering) into the next ICP planning session for cost modeling. Ask them to walk through the obligation structure by customer vertical.
Build these insights into your pricing models before the next enterprise deal closes.
The goal isn’t to avoid complexity, but to price for it and choose it intentionally.
Final Thought
Revenue is easy to model. Obligation is harder. But if your ICP doesn’t account for what your company is actually committing to, it isn’t a strategy. It’s a hope.
For companies still building their ICP frameworks, the challenge is often definitional: Sales thinks of ICPs as “who will buy,” Marketing thinks of them as “who we should target,” and Finance thinks of them as “who is profitable to serve.” Legal adds a fourth lens: “who can we realistically commit to serving without breaking the business model.”
Footnotes:
Thanks Rachel for the great write-up! So many companies fail to consider these additional costs.