Most of the AI procurement problems we are called in to clean up trace back to three questions that nobody asked before signing. They are not technical questions. Any executive can ask them, and the way a vendor answers tells you most of what you need to know.

1. Where does our data go after the model generates its output?

This is the question that separates serious vendors from the rest. You are looking for specifics: where is the data processed, where is it stored, for how long, and who can access it. The answer you do not want is vague reassurance.

Watch especially for clauses that reserve the right to use "de-identified" data for model improvement. For most business data that is a manageable risk. For sensitive data it is not. We assessed a transcription vendor for a private counselling clinic whose policy reserved exactly this right over recorded sessions, where de-identification is close to meaningless. The full story is in our case study on healthcare AI procurement. If a vendor cannot tell you precisely where your data goes, assume the answer is "somewhere you would not like."

2. Can we see your model card and bias testing methodology?

A model card documents what a model was trained on, how it was evaluated, its known limitations, and the conditions under which its performance claims hold. A vendor that takes its own product seriously will have one. A vendor that cannot produce one, or does not know what you mean, is telling you their evaluation is informal.

The bias testing methodology matters just as much. Ask how they test for bias, on what data, and how often. The answer reveals whether they treat fairness as an engineering practice or a marketing line. This question has surfaced more than one vendor whose headline accuracy number fell apart the moment you asked what it was measured against.

3. If we terminate, what happens to our data and any fine-tuning done on it?

People negotiate the start of a contract and ignore the end. Ask what happens on termination. Do you get your data back, in what format, and on what timeline? Is it deleted from their systems, and can they prove it? Critically, if they fine-tuned a model on your data, what happens to that model? Does the improvement you paid for, derived from your proprietary data, walk out the door and into their next client's deployment?

A vendor with clean answers here has thought about being a responsible custodian. A vendor that has not is one you may struggle to leave.

What the answers really tell you

You are not just collecting facts. You are watching how the vendor handles being asked. The good ones answer precisely and without defensiveness, because they have answered these questions before and built the product expecting them. The ones that deflect, generalise, or get uncomfortable are showing you how the relationship will go when something actually goes wrong.



The views and findings in this article are shared for general information only. They are high-level perspectives, not legal, financial, regulatory, or other professional advice, and should not be relied upon for any specific decision or circumstance. For guidance tailored to your situation, please consult a qualified adviser.