Home  ›  Blog  ›  AI Vendor Risk Assessment
AI Procurement · Vendor Risk

AI vendor risk - the questions you ask before the contract goes to legal.

Most AI vendor diligence happens after the term sheet is signed. By then, the major commercial decisions have been made and the risk assessment becomes a compliance exercise. The buyers who do this best front-load the risk assessment: the diligence shapes the commercial terms, not the other way round. Here is the framework we use across 200+ AI vendor reviews, the questions that matter, and the warning signs we have seen most often in the past 18 months.

Updated: May 2, 2026 Reading time: 11 min Audience: CIO, Chief Risk Officer, Procurement, General Counsel
AI vendor risk assessment
Five risk dimensions

The vendors that fail fail along the same lines.

AI vendor risk assessment covers five dimensions: financial stability, technology stability, commercial stability, data and IP posture, and operational maturity. A vendor that scores well on four out of five is usually acceptable. A vendor that scores poorly on financial stability is almost never acceptable - the AI market has seen enough failures and acqui-hires in 2024-2025 that financial diligence is non-negotiable for any meaningful commitment.

Financial stability

The questions to ask: how much capital has the vendor raised, what is the last-round valuation, how long is the runway at current burn, who are the existing investors and what is their reputation for follow-on funding? For private vendors, demand a quarterly cash position update through the term of the contract - this is unusual but achievable for deals above $1M annual. For public vendors, the diligence is easier (10-Ks, 10-Qs, earnings calls) but the warning signs are different: declining gross margins on AI segments, accelerating customer acquisition cost, large concentration in a few enterprise customers.

The warning signs to look for: dependence on a single funding round that is about to run out; inability to articulate a path to profitability or breakeven; a customer concentration where the top five customers represent more than 40% of revenue; a recent partner or investor exit; a CEO or CTO transition within the last six months. Any single warning sign is a yellow flag. Two or more are a red flag that should change the deal structure or kill the deal.

Technology stability

The questions to ask: how often does the vendor deprecate models, what is the average notice period, what is the migration support, how often are the API contracts changed, and what is the vendor's track record on backwards compatibility? Some vendors deprecate aggressively (3-6 month notice on major models is common) and some maintain models for years. The deprecation cadence matters more than the model quality for production deployments. A model that ships a 5% accuracy improvement every quarter is operationally worse than a model that ships a 2% improvement annually if the migration cost exceeds the accuracy gain.

Stuck assessing a fast-moving AI vendor?

We can tell you what we have seen across the same vendor in the past 12 months.

Contact Us →

Commercial stability

The questions to ask: how often does the vendor change its pricing, what is the typical price-change cadence, what is the renewal price-protection history, and what is the vendor's posture on multi-year commitments? AI pricing has moved both directions in the past 24 months - models have generally gotten cheaper per token, but some vendors have introduced new pricing dimensions (output tokens charged separately, premium tiers, capacity reservations) that shift costs to the customer. Demand contractual price protection: a cap on per-token price increases over the term, and a most-favoured-customer clause if the vendor introduces a cheaper alternative.

Data and IP posture

Covered extensively in our data rights clauses and IP ownership articles. The diligence question is whether the vendor's standard enterprise tier provides defensible data-rights protection and output IP indemnity. Some vendors have invested heavily here and the standard terms are close to acceptable with minor redlines. Other vendors are still operating on terms that require substantial rewriting. The diligence should reveal which camp the vendor is in.

Operational maturity

The questions to ask: what is the vendor's uptime track record over the last 12 months, what is the SLA, what is the support response time, how mature is the security posture (SOC 2, ISO 27001, HIPAA, FedRAMP as applicable), and what is the incident-response history? AI services have generally lower availability than traditional SaaS - the underlying compute infrastructure is more fragile and the demand spikes are more pronounced. Demand SLAs that match your operational tolerance and incident-response commitments that match your regulatory exposure.

Download the AI Vendor Contract Red Flags playbook.

The diligence checklist and the redlines that follow it.

Get the playbook →
Warning signs

The patterns we see most often.

Some warning signs we have seen in the past 18 months that have correlated with bad outcomes: a vendor that cannot provide a clear answer on data residency for the inference, model-hosting and telemetry layers separately; a vendor that requires the customer to accept an "AI Acceptable Use Policy" by URL reference rather than by signed addendum; a vendor whose standard contract has no output IP indemnity at all (still seen on smaller vendors in 2026); a vendor that requires the customer to grant rights to "use Customer Data for any purpose consistent with the Service"; a vendor whose pricing has changed more than twice in the past 12 months without contractual price protection.

The list is not exhaustive but the pattern is consistent: vendors that operate without enterprise-grade contractual hygiene are the vendors most likely to create surprises at renewal or termination. We capture each of these signals in a structured software license compliance assessment so the diligence findings carry directly into the negotiation position.

Diligence checklist

A practical question list.

  1. Current cash position, last fundraise, runway in months at current burn.
  2. Model deprecation policy, notice period, migration support, historical deprecations.
  3. API stability policy, breaking-change cadence, backwards-compatibility commitments.
  4. Data residency for inference, model hosting and telemetry, with contractual commitments.
  5. Standard output IP indemnity terms, carve-outs and cap structure.
  6. SOC 2 Type 2, ISO 27001, HIPAA / FedRAMP availability as applicable.
  7. Uptime track record (12-month rolling) and incident-response history.
  8. Reference customers at similar scale in similar industries.
  9. Pricing-change history over 24 months and protection on renewal.
  10. Termination terms - data deletion, derivative deletion, transition period.

Need a structured AI vendor diligence run-through?

We can complete the full diligence checklist in 2-3 weeks for most vendors.

Contact Us →
FAQ

Common diligence questions.

How long should AI vendor diligence take?

Two to four weeks for a typical enterprise deal. Longer if regulatory scrutiny is involved.

Should I demand financial information from a private AI vendor?

Yes, for any deal above $500k annual. The vendor's willingness to provide it is itself a signal.

What is the single most important diligence question?

"Walk me through your last model deprecation - notice period, migration support, customer impact." The answer reveals more about the vendor's enterprise maturity than any pricing or feature conversation.

AI vendor in diligence?
Front-load the assessment. The commercial terms follow it.

Our AI & SaaS team has assessed 200+ AI vendors. We know what good answers look like.

The Compliance Brief

Weekly compliance intelligence for IT leaders.