AI procurement needs the same rigour as enterprise software contracts
The AI procurement problem is not that organisations are moving too slowly. It is that they are moving at two speeds simultaneously: very fast for tools that feel low-stakes, and very slow for anything that requires formal process. The result is a portfolio of AI services with inconsistent oversight, unclear data handling, and contractual terms that were not read carefully.
What your AI contracts probably do not cover
Standard AI service agreements are written to protect the vendor. They typically do not provide meaningful commitments on model behaviour, output accuracy, or what happens to your data when it is used to train or improve the model.
Three things are consistently missing: model versioning notification, covering what happens when the provider updates the model and outputs change; data processing clarity on whether your inputs are used for model training; and SLA commitments for AI-specific failure modes beyond uptime, including output degradation and bias incidents.
The data residency question is not solved by region selection
Selecting a European data centre region does not automatically mean your data stays in the EU or meets GDPR requirements. AI service agreements often have carve-outs for model improvement, trust and safety review, and support functions that can involve data leaving the selected region. Legal needs to read the data processing agreement (DPA), not just the product page.
Architecture review should precede procurement, not follow it
The most common AI procurement failure pattern is this: a business team selects a tool and starts using it, and IT and legal are brought in when there is a problem. Architecture and legal review should be prerequisites for any AI service that touches customer data, makes or influences decisions, or integrates with core systems, regardless of how the tool is categorised commercially.
Build a vendor qualification checklist and use it consistently
A short, standardised AI vendor qualification checklist covering data handling, model transparency, contractual protections, regulatory compliance, and incident response, applied consistently across all AI procurement, will surface gaps before they become liabilities. It does not need to be complex. It needs to be used.

