Due Diligence Report: OpenRouter

Compliance Red Flag: API Key Instability and Vanishing (high) A recurring technical issue where users' API keys vanish after saving is identified as a 'compliance red flag' that could expose users to legal risks.. Unauthorized Model Switching Leading to Unjust Charges (high) The platform has a reported business practice of silently switching users from a selected free or unavailable model to a default model that charges the user, without alerting the user.. New ToS Grants Perpetual Commercial License to User Data (high) An update to OpenRouter's terms of service and privacy policy grants OpenRouter an 'irrevocable right to further commercial use of Inputs and Outputs' (prompts and responses) if chat logging is enabled. This raises significant IP and confidentiality concerns for users sending NDA-protected content.. Unsettled Legal Liability and IP Risk for Routed AI Output (high) The core business model of centralizing access to multiple third-party models introduces major legal complexity regarding IP ownership, attribution, and model liability (e.g., for harmful or infringing output). The legal framework for this federated inference is described as 'still catching up,' creating a major risk area for enterprise customers.. Operational Ban by OpenAI (high) OpenRouter was banned by OpenAI, indicating a severe breach of partnership terms or operational conflict with a major LLM provider. This poses a significant threat to OpenRouter's ability to offer a comprehensive model library.. Incompatibility with High-Privacy Regulatory Requirements (e.g., HIPAA) (medium) As OpenRouter acts as a reseller/middleman for other providers, it is explicitly noted that the service is unsuitable for clients requiring 'absolute privacy' or compliance with regulations like HIPAA.. Technical Instability: Models Failing Mid-Call (medium) Users building enterprise applications (specifically a transaction analysis pipeline) reported running into issues including 'models failing mid-call' and 'keys vanishing,' indicating poor technical reliability for critical workflows.