
An AI Procurement Playbook for Regulated Enterprises

Amestris — Boutique AI & Technology Consultancy

AI procurement is not just another software buying cycle. Model behaviour shifts as data, prompts and tools change, which means contracts, risk assessments and vendor management need to adapt to ongoing variability.

Start with clarity on data boundaries. Define what data leaves your environment, where it is stored, how it is encrypted and how long it is retained. Ask vendors to document training data sources, fine-tuning policies and whether any customer data feeds future models.

Control for jurisdictional risk. For regulated industries, insist on regionally pinned inference, auditable deletion paths and segregation between customer tenants. Contract for breach notification SLAs that reflect the sensitivity of model outputs as well as raw data.

Shift vendor due diligence from static questionnaires to capability testing. Run proof-of-value pilots with realistic workloads and safety checks. Compare vendors on observability, access controls, model lineage and exit options, not just pricing.

Embed governance into the contract. Require change notifications for model or API updates, clear rollback paths, and transparency into third-party dependencies. Define shared responsibility for safety incidents and red-teaming, and ensure indemnities reflect AI-specific risks.

Finally, build an internal procurement playbook that pairs legal, security, risk and product teams. The organisations that move fastest are the ones with a repeatable path from idea to approved vendor, with no ambiguity about who owns which decisions.

Quick answers

What does this article cover?

How risk, data residency, contracts and vendor governance should evolve to buy AI responsibly.

Who is this for?

Leaders and teams shaping AI, architecture and digital platforms with Amestris guidance.
