AI Vendor Due Diligence Checklist: Questions to Ask Before Buying Any Tool

Buying an AI tool without proper due diligence is one of the most common and costly mistakes businesses make when building their AI stack. The market is crowded with tools that make similar claims, some of which are well-built and genuinely valuable while others are thin wrappers around general-purpose APIs with limited differentiation. A structured due diligence process applied consistently before any significant AI tool purchase saves money, avoids lock-in, and prevents security incidents that occur when teams adopt tools without evaluating their data handling practices.

Security and Data Handling

The first and most important due diligence category is how the vendor handles your data. Key questions: Does the vendor use your data to train their models? Most reputable vendors offer an opt-out or have API tiers that explicitly exclude training use; confirm this in writing, not just in marketing. Where is data stored and processed? The answer matters for GDPR compliance (EU data must stay in the EU or a jurisdiction with equivalent protections) and for businesses with specific data residency requirements. Does the vendor offer a Data Processing Agreement? A DPA is a contractual requirement before sending personal data to any third-party processor; a vendor that does not offer one is not suitable for any workflow involving personal data. What is the vendor’s security certification status? SOC 2 Type II and ISO 27001 are the minimum baseline for enterprise AI tools; ask for the current report, not just a claim of certification.

Request the vendor’s security whitepaper or trust and safety documentation. Reputable vendors publish these proactively; those that make you ask multiple times for security documentation are a yellow flag.

Reliability and Support

AI tools fail, APIs return errors, and model updates change output behaviour. Before purchasing, evaluate the vendor’s track record on reliability: check their status page for uptime history over the past twelve months, read recent incident reports to understand how they communicate during outages, and ask what their SLA commitment is and what remediation they offer when they fail to meet it. For business-critical applications, a vendor with a 99.9% uptime commitment and proactive incident communication is meaningfully different from one with no published uptime commitments.

Support quality varies enormously between AI tool vendors. Ask specifically: what is the support channel (email, chat, dedicated CSM), what is the committed response time for critical issues, and is there a human escalation path for production-impacting problems? Free and low-tier plans typically offer community support only — evaluate whether that is adequate for a production workflow where downtime has business impact.

AI Vendor Due Diligence Checklist

Category      | Key Questions                                      | Minimum Bar
--------------|----------------------------------------------------|------------------------------------------------
Data handling | Training use? Data residency? DPA available?       | DPA available, no training on API data
Security      | SOC 2? ISO 27001? Pen test history?                | SOC 2 Type II current report
Reliability   | Uptime SLA? Status page? Incident comms?           | 99.9% SLA with published status page
Support       | Response SLA? Human escalation? CSM?               | Committed response time in contract
Lock-in       | Data export? Migration support? Contract terms?    | Full data export at any time, monthly billing option

Evaluating Vendor Lock-In Risk

AI tools that accumulate your data — conversation history, fine-tuned model weights, custom embeddings, workflow configurations — create switching costs that grow with usage. Evaluate lock-in risk before adoption rather than after. Key questions: can you export all your data in a standard format at any time? If you cancel, how long do you have to export before data is deleted? Does the vendor’s pricing model make switching costs explicit? Are there proprietary data formats or APIs that would require significant re-engineering to migrate away from?

Prefer vendors with open data export standards, month-to-month billing options (even if you choose annual for the discount), and API designs that do not require extensive vendor-specific implementation. The vendor that makes migration easy demonstrates confidence in their product — the one that makes migration difficult is protecting themselves from competition rather than earning your continued business.

Commercial Terms and Pricing Stability

AI vendor pricing has been volatile. Several major providers have both raised and lowered prices significantly as the market matures and as compute costs change. Before committing to annual contracts or long-term integrations, evaluate the vendor’s pricing history and what contractual protections exist against price changes. Questions to ask: are prices locked for the contract duration? What notice is required for price increases? Are rate limits fixed or subject to change? Are there volume commitments that might lock you into higher spend than you end up needing?

For tools where you are building significant integration work — connecting the vendor’s API to your workflows, fine-tuning on the vendor’s platform, migrating your data — the integration investment should be proportional to the vendor’s commercial stability. A seed-stage startup AI tool may have excellent capabilities but represents a different risk profile than an established vendor with multi-year customer relationships and predictable pricing history. Weight commercial stability more heavily for integrations that will take months to build and will be difficult to migrate.

Reference Checks and Trial Validation

Marketing materials and sales demonstrations show the best-case performance of any AI tool. Reference checks and trial evaluations show how the tool performs on your specific use case, with your actual data, under conditions that match your production environment. Ask vendors for references from customers in your industry or with similar use cases — and actually call them. Ask: what has not worked as expected? What took longer to implement than anticipated? What would you do differently? These questions surface the failure modes that reference customers rarely volunteer upfront.

Run every significant AI tool through a structured trial before purchasing. Define the evaluation criteria before the trial starts, not after: what specific tasks will you test, what quality standard constitutes passing, and what comparison will you make against your current approach. A trial that produces evidence measured against these pre-defined criteria is more useful than an open-ended exploration that confirms the vendor’s demo story.

Building an AI Vendor Registry

As AI tool adoption expands across an organisation, maintaining a vendor registry becomes operationally important. The registry tracks: vendor name, tool category, primary use case, team or function using it, monthly cost, contract renewal date, DPA status, and the person responsible for the vendor relationship. This registry enables the quarterly subscription audit, provides the information needed for compliance assessments, and makes renewal decisions informed rather than reactive. Build it as a shared spreadsheet or Notion database that is updated whenever a new AI tool is adopted — a five-minute update at adoption time prevents the hour of research needed to reconstruct it at audit time.
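The registry fields above, together with the quarterly audit they feed, can be checked mechanically rather than by reading a spreadsheet row by row. The following is an added illustration, not code from the original article or from any vendor: it models a registry record with the fields listed in the paragraph (plus two fields the audit needs, whether the tool processes personal data and the date of the most recent SOC 2 report), then runs the audit checks the article describes: a DPA missing where personal data is processed, a SOC 2 report absent or older than twelve months, and renewals inside a decision window or already past. The vendor names, costs and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class VendorRecord:
    """One row of the AI vendor registry (fields named in the article, plus two audit inputs)."""
    vendor: str
    tool_category: str
    use_case: str
    owning_team: str
    monthly_cost: float
    renewal_date: date
    dpa_signed: bool
    owner: str
    handles_personal_data: bool          # audit input: does the tool see personal data?
    soc2_report_date: Optional[date]     # audit input: date on the latest SOC 2 Type II report


# Constructed sample registry; vendor names and values are illustrative only.
SAMPLE_REGISTRY: List[VendorRecord] = [
    VendorRecord("Acme Transcribe", "meeting notes", "call summaries", "Sales", 240.0,
                 date(2025, 4, 15), True, "j.doe", True, date(2024, 9, 1)),
    VendorRecord("Example Draftbot", "copywriting", "campaign drafts", "Marketing", 99.0,
                 date(2025, 11, 1), False, "a.lee", True, None),
    VendorRecord("Sample Codegen", "coding assistant", "IDE completion", "Engineering", 1200.0,
                 date(2025, 2, 10), True, "r.patel", False, date(2023, 12, 1)),
]

# Fixed "today" so the example is reproducible; a real audit would use date.today().
SAMPLE_TODAY = date(2025, 3, 1)

Finding = Tuple[str, str, str]  # (vendor, finding code, human-readable detail)


def audit_registry(records: List[VendorRecord], today: date,
                   renewal_window_days: int = 90,
                   soc2_max_age_days: int = 365) -> List[Finding]:
    """Apply the article's minimum-bar checks to every registry row and return findings."""
    findings: List[Finding] = []
    for r in records:
        # A DPA is a contractual requirement before sending personal data to a processor.
        if r.handles_personal_data and not r.dpa_signed:
            findings.append((r.vendor, "MISSING_DPA",
                             "processes personal data but no signed DPA on file"))

        # SOC 2 Type II: ask for the current report, not a claim of certification.
        if r.soc2_report_date is None:
            findings.append((r.vendor, "SOC2_MISSING", "no SOC 2 Type II report on file"))
        elif (today - r.soc2_report_date).days > soc2_max_age_days:
            findings.append((r.vendor, "SOC2_STALE",
                             f"SOC 2 report dated {r.soc2_report_date} is older than "
                             f"{soc2_max_age_days} days"))

        # Renewal decisions should be informed rather than reactive.
        days_to_renewal = (r.renewal_date - today).days
        if days_to_renewal < 0:
            findings.append((r.vendor, "RENEWAL_PASSED",
                             "renewal date has passed; registry row needs updating"))
        elif days_to_renewal <= renewal_window_days:
            findings.append((r.vendor, "RENEWAL_DUE",
                             f"renews in {days_to_renewal} days; decide before auto-renewal"))
    return findings


def spend_by_team(records: List[VendorRecord]) -> Dict[str, float]:
    """Monthly AI tool spend per team, the figure a subscription audit compares quarter to quarter."""
    totals: Dict[str, float] = {}
    for r in records:
        totals[r.owning_team] = totals.get(r.owning_team, 0.0) + r.monthly_cost
    return totals


if __name__ == "__main__":
    for vendor, code, detail in audit_registry(SAMPLE_REGISTRY, SAMPLE_TODAY):
        print(f"{vendor:18} {code:15} {detail}")
    print(spend_by_team(SAMPLE_REGISTRY))
```

Each finding carries a short code so the output can be filed as a ticket or filtered by severity; the thresholds (90-day renewal window, 12-month SOC 2 age) are parameters so an organisation can set its own policy without editing the checks.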

AI Vendor Due Diligence as Risk Management

The due diligence process pays back most clearly on the decisions it prevents — the vendor with attractive capabilities but inadequate security practices that would have created a data incident; the vendor with impressive demos but no reference customers who would have wasted months of integration time on a product that was not production-ready; the vendor with aggressive introductory pricing that reset unfavourably at renewal. These prevented bad outcomes are invisible in your business results, but they represent real value from a systematic evaluation process applied consistently across your AI vendor portfolio.

Red Flags in AI Vendor Responses

How an AI vendor responds to your due diligence questions reveals as much as the answers themselves. Red flags that should trigger deeper scrutiny or reconsideration: vague answers to specific questions about data retention periods; reluctance to provide a signed DPA without significant negotiation; inability to provide a current SOC 2 report or explanation of their security certification status; confident assertions about data privacy without corresponding contractual commitments; and pressure to sign before completing your evaluation process. Vendors with strong security and compliance practices answer due diligence questions readily and specifically — they have done the work and are prepared to demonstrate it. Vendors who treat due diligence as an obstacle rather than a standard business process are signalling that the underlying practices may not withstand scrutiny.

Incorporating AI Due Diligence Into Procurement Approval

The most sustainable way to ensure AI vendor due diligence happens consistently is to make it a required step in the procurement approval workflow rather than a recommended practice. If your organisation requires a security review and a data processing assessment before any software vendor is approved for use with company data, extend that requirement to AI vendors specifically — with the AI-specific checklist items added to the standard review. Finance approval workflows that require a completed vendor assessment before purchase order creation prevent the scenario where an employee adopts an AI tool, builds workflows around it, and the compliance assessment happens retroactively if at all. Process integration makes compliance the path of least resistance rather than an optional extra step that busy teams skip.
