Home  ›  Blog  ›  AI Vendor RFP Process
AI · Procurement · RFP

AI vendor RFP — the 12 criteria that drive buyer-side procurement.

AI vendor selection moves at a pace that breaks standard enterprise procurement. RFPs run in weeks rather than months, contracts are version 0.7 not version 4.0, and pricing models change quarterly. This article walks through the 12 evaluation criteria a buyer-side AI RFP should test, the clauses that protect against the most common AI vendor failure modes, and the pricing patterns to expect.

Updated: May 2026 Reading time: 13 min Audience: Procurement, CIO, CISO, Data Officer, General Counsel
AI neural network visualization
Why AI RFPs are different

AI procurement runs at speeds that break standard enterprise process.

Enterprise AI procurement collides with two structural problems. The first is market velocity: leading AI vendors release new model versions quarterly, new pricing models semi-annually, and new product categories every 12–18 months. A six-month RFP is obsolete by signature. The second is contract immaturity: the standard AI vendor MSA is version 0.7, not version 4.0. The boilerplate that exists for SaaS — data residency, audit rights, indemnification scope, deprecation notice — is incomplete or absent in most AI vendor templates.

The result is that enterprises that approach AI procurement with standard playbooks produce either deals that are too slow to capture the value or contracts that don't protect against AI-specific failure modes. The buyer-side AI RFP that works compresses the timeline, sequences technical validation against pricing negotiation, and front-loads the data rights and termination clauses that most templates underspecify.

The 12 RFP evaluation criteria

  1. Use case fit. Does the vendor's actual product capability address the specific use case, validated by technical evaluation — not by vendor demo.
  2. Model performance. Independent benchmarking on customer-representative tasks, not vendor-supplied benchmarks.
  3. Data rights. Training, retention, deletion, residency. The single most consequential criterion.
  4. Termination and exit. Convenience termination, model deprecation, data export, survival of obligations.
  5. Pricing model. Token vs seat vs flat vs hybrid. Normalised to cost per typical task.
  6. Pricing predictability. How much variance is possible month-to-month under the contract.
  7. Security and compliance. SOC 2, ISO 27001, sector-specific (HIPAA, FedRAMP), penetration testing posture.
  8. Integration. APIs, SDKs, partner ecosystem, customer's existing identity and data infrastructure.
  9. Roadmap visibility. What the vendor will release in the next 18 months, with credible commitment.
  10. Support and SLA. Response time, availability, model behaviour guarantees.
  11. Reference architecture. Customers running the same use case at comparable scale.
  12. Total cost of ownership. Beyond subscription — implementation, integration, internal team cost.

Running an AI vendor RFP this quarter?

We run the 12-criteria framework end to end, with vendor longlist, technical validation, and contract negotiation. 8–12 week engagement.

Contact Us →
Data rights — the consequential criterion

Why data rights clauses determine whether the AI contract survives deployment.

Data rights is the criterion most underspecified in AI vendor proposals and the one that creates the most disputes at scale. The standard concerns are three: whether the vendor trains on customer data, whether the vendor retains data after termination, and whether data residency is contractually committed. Each has a buyer-favourable default and a vendor-favourable default; AI vendor templates almost always start at the vendor-favourable position.

The defensible AI data rights position requires four clauses. First, no training on customer data without explicit opt-in, with a contractually defined definition of "customer data" that includes inputs, outputs, and metadata. Second, data retention limited to the operational window required to deliver the service, with automatic deletion at termination. Third, data residency committed at the region level with audit rights. Fourth, indemnification for IP and privacy claims arising from outputs that incorporate customer data. Vendors will resist all four; the resistance pattern reveals which vendors are mature buyer-side partners and which are not.

The training data position

The buyer position should be: vendor may not train its foundation models or fine-tuning processes on customer data. The vendor position is usually: vendor may train on aggregated or de-identified customer data unless opted out. The negotiation typically settles at: vendor may not train on enterprise customer data, with explicit clauses for evaluation, fine-tuning, and inference. The clause language matters — vague terms like "anonymised" or "improving the service" carry different meanings to different vendors.

Retention and deletion

Most AI vendors retain inputs, outputs, and prompt history for service operation, abuse monitoring, and product improvement. Retention windows of 30–90 days are common; some vendors retain indefinitely unless contractually constrained. The buyer position should be: minimum retention required for service operation, with definite deletion at termination. The clause should include verification rights — the customer can audit deletion.

Download the AI Vendor Contract Red Flags playbook.

Twenty common AI vendor contract clauses that protect or expose the buyer, with proposed alternative language for each.

Get the playbook →
Pricing normalisation

How to compare AI vendor pricing across incompatible models.

AI vendor pricing models do not compare directly. OpenAI prices per million input and output tokens with variation by model. Anthropic prices similarly but at different rates and with different tiers. Microsoft's Azure OpenAI prices on a third structure with Azure consumption commitments overlaid. Google Vertex AI prices on yet another structure with regional and model-tier variation. AI-embedded SaaS prices per seat or per generation, often hiding the underlying model cost behind an aggregated SKU.

The buyer-side comparison requires normalisation. Define one or two representative tasks for the actual use case — "answer a customer support query end to end including retrieval and generation," "summarise a 50-page document," "generate a structured data extraction from unstructured input." Calculate the per-task cost on each vendor's pricing model using realistic input and output token estimates or seat consumption estimates. Compare the normalised cost across vendors. The spread is usually 2–4×, sometimes 5–8× for niche use cases.

The volume commitment leverage

AI vendors discount aggressively for volume commitments — both in dollar value and in token volume. Discounts of 30–50% off list are common at enterprise scale; some vendors will go further for marquee customer logos. The leverage is largest before the vendor has captured the account; after deployment, the discount band narrows because the buyer's switching cost is high. The implication is that the RFP-stage negotiation is the most valuable; renewal-stage negotiation is harder. This is why our AI and SaaS procurement advisory runs the commercial track in parallel with technical validation, so the volume commitment is priced while the buyer still holds maximum leverage.

Capacity reservation and rate limits

Production AI workloads require capacity reservation — committed throughput that the vendor guarantees, beyond pay-as-you-go API access. Capacity reservation pricing is usually opaque; vendors quote it case by case. The buyer position should be: capacity sized to peak workload with autoscale headroom, priced as a separate line item with reduced rates for committed capacity. Without capacity reservation, production workloads can be rate-limited at scale.

Need pricing benchmarks for an AI vendor proposal you've received?

We benchmark every line of the proposal against current market — token rates, capacity reservation, support tier, professional services.

Contact Us →

Internal next steps

Three actions start the AI RFP discipline. First, define one or two representative tasks for the actual use case, with token or seat consumption estimates. Second, build the data rights position before vendor conversations start — vendor contracts will arrive at the vendor-favourable default if the buyer doesn't define the position first. Third, sequence the RFP timeline to compress the decision window without compromising technical validation.

FAQ

Common questions.

How long should an AI vendor RFP take?
6–10 weeks for foundation model or AI platform RFPs; 4–6 weeks for AI-embedded SaaS. Faster than traditional enterprise RFPs because AI market velocity rewards decision speed. Slower than internal teams typically want because data rights and model behaviour need genuine technical validation.
What is the most overlooked AI RFP criterion?
Data rights — specifically, whether the vendor can train on or retain customer data, and what survives termination. The pricing and capability evaluations get most of the attention; the data rights clauses determine whether the contract is actually defensible at deployment scale.
How should AI vendor pricing be compared across RFP responses?
Normalise to a unit cost per typical task — cost per million input tokens, cost per generation, or cost per agent run. The list price comparison is misleading because vendor pricing models differ. The normalised comparison reveals the real cost spread, which is usually 2–4× across leading vendors.
Should an AI RFP include foundation model providers and AI platform vendors in the same evaluation?
Only when the use case is genuinely ambiguous between the two. More often, the decision is which layer of the AI stack to procure — model, platform, or application — and the RFP should focus on a single layer at a time. Mixed RFPs produce confused comparison.
What termination rights should be standard in an AI vendor contract?
Convenience termination with 60–90 day notice, model deprecation termination (without penalty if the vendor sunsets the model in use), data export rights with industry-standard formats, and survival of confidentiality and data rights obligations post-termination. Convenience termination is the single most important — AI vendor lock-in is real.
Where does Reveal Compliance fit in an AI vendor RFP?
We run buyer-side AI RFPs end to end — requirements, vendor longlist, scoring framework, technical validation, pricing benchmarking, and contract negotiation. Independent of all AI vendors. Engagements typically run 8–12 weeks.

Running an AI vendor RFP?
We run buyer-side AI RFPs end to end.

Our team has run AI vendor RFPs across foundation model providers, AI platforms, and AI-embedded SaaS. Independent. Buyer-side.

The Compliance Brief

Each issue breaks down one vendor's latest pricing or audit move — and the exact counter — so you walk into your next renewal already knowing the number.