AI Vendor Due Diligence: What to Check Before You Buy

AI vendor due diligence is the work a team does before it trusts an AI product with data, users, or business decisions. A good buying process checks privacy, security, model behavior, workflow fit, contracts, and governance before a tool enters production.

Why AI vendor due diligence matters now

In 2026, AI buying is no longer only a productivity decision. NIST’s Generative AI Profile, the EU AI Act timeline, and enterprise security reviews have pushed AI procurement into risk management. The buyer must understand what the vendor does with data, prompts, outputs, logs, and human review.

IBM’s 2025 Cost of a Data Breach Report also warns that shadow AI is showing up in real incidents. That does not mean teams should block every AI vendor. It means they need a repeatable checklist that separates useful automation from unmanaged exposure.

Start with the business workflow

Do not start with the model name. Start with the work. A vendor that looks impressive in a 30 minute demo may fail when the task includes Dutch invoices, German customer emails, Salesforce fields, approval limits, or a manager who needs a clear exception report.

• Which workflow will the AI vendor support in the first 90 days?
• Which users, teams, systems, and data sources are involved?
• What decisions can the AI make, draft, recommend, or automate?
• Where must a human approve before anything changes?
• What evidence will prove the tool saves time or reduces errors?

Check data privacy before the demo expands

Ask exactly what data the vendor collects, stores, trains on, shares, and deletes. For teams in Amsterdam, Berlin, Paris, or Dublin, this also means checking GDPR roles, data residency, subprocessors, retention periods, breach notification terms, and whether prompts become training data.

Security review should include identity, access, encryption, audit logs, incident response, SOC 2 or ISO 27001 evidence, and how the AI product connects to email, documents, CRM, ticketing, finance, or internal databases. The risk grows when the vendor can take actions, not only write text.

Ask how the vendor tests model behavior

A serious AI vendor should explain how it evaluates accuracy, grounding, hallucination risk, harmful outputs, tool use, and prompt-injection attempts. Ask for eval methods, sample test cases, failure thresholds, monitoring practices, and how customer incidents improve future releases.

Review contracts for AI-specific risk

Standard SaaS terms are not enough for AI systems. Check ownership of inputs and outputs, training rights, audit support, liability limits, confidentiality, deletion rights, model-change notice, service levels, subcontractors, and exit options if the vendor changes pricing or product direction.

Test the vendor against your real workflow

Run a vendor proof of concept with real but sanitized work. Give the vendor ten common cases, five edge cases, and two failure cases. Measure whether the system improves the workflow, respects policy, explains uncertainty, and knows when to route work back to a person.

The proof of concept should use the same permissions, files, formats, and handoffs the team will use later. A vendor that cannot explain failures during a pilot will be harder to trust after rollout, when the workflow touches customers, contracts, payments, or regulated records.

Watch for vendor red flags

• The vendor cannot explain where customer data is stored or processed.
• The demo works only with perfect examples and no messy edge cases.
• The contract allows broad training rights without clear opt-out language.
• There is no audit log for prompts, outputs, tool calls, or approvals.
• The product connects to sensitive systems without role-based permissions.
• The vendor cannot describe evals, monitoring, incident response, or rollback.

A practical AI vendor checklist

• Define the workflow, users, data, systems, and success metrics before vendor demos.
• Ask for security evidence, privacy terms, subprocessors, retention rules, and deletion rights.
• Test the product with real sanitized cases, not only vendor-provided examples.
• Review model behavior, eval methods, monitoring, failure handling, and human escalation.
• Check contract terms for training rights, output ownership, audit support, and exit options.
• Decide who owns the vendor internally after launch and how issues will be reviewed.

The best AI vendor is not always the loudest or newest. It is the vendor that can prove fit, protect data, support governance, explain failures, and improve the workflow without creating unmanaged risk. Due diligence turns AI buying from guesswork into a controlled business decision.

A buying decision should also connect to governance controls after launch. That means one owner, one review cadence, one escalation path, and one clear record of who approved the vendor, the workflow, the permissions, and the production rollout.