Procurement contract review

AI vendor contract red flags before you sign?Use this procurement checklist in 2026.

An AI vendor contract review checks whether training-use rights, deletion terms, export clauses, security obligations, liability limits, and model-change remedies are explicit before approval. Use it after diligence and before signature so the commercial paper matches the real operational, legal, and rollout risk.

Open due diligence checklist Review shortlist scorecard Open RFP template Review pricing guide

contract risk areas

related decision pages

BOFU

approval-stage framing

What to score first

Paper beats demo when the paper is clean.

Evidence first

Training-use and retention language

Deletion, export, and exit rights

Security, liability, and change control

If the clause set is vague, the risk is not vague. It just gets pushed onto the buyer after signature.

Questions procurement should send before legal redlines

Can you contractually exclude prompts, uploads, outputs, and logs from model training or product tuning by default?

What are the exact retention, deletion, backup, and account-closure timelines for customer data and telemetry?

Which assets can we export in usable form if we exit: prompts, workflows, logs, evaluation history, and admin settings?

Which security controls are obligations in the contract today, not roadmap promises in a sales deck?

What customer remedy applies if model changes, pricing shifts, or feature removals materially alter the operating model?

How to use it

Contract review is the buyer's last clean checkpoint.

Use this page after the RFP and diligence checklist, check commercial exposure with the pricing guide, then carry the unresolved terms into the shortlist scorecard and pilot checklist. That keeps commercial risk visible instead of letting it disappear between procurement, legal, and rollout owners.

If the contract language is vague, score it as unresolved risk until the vendor fixes the clause or accepts a buyer-friendly remedy. Signature should follow clarity, not pressure.

The clean path is methodology to RFP to diligence to pricing review to contract review to pilot validation to decision matrix.

Decision rule

If a clause changes the operating risk, it needs explicit language or a remedy.

Do not let the buyer absorb risk that the vendor refuses to define in writing.

Contract review lenses

Data use, retention, deletion, and export rights
Liability allocation, remedies, and change control
Whether the paper supports the rollout model you plan to run

The contract red flags that matter

1. Training-use language is vague

If the contract does not clearly state whether prompts, files, outputs, logs, or metadata can be used for model training, product improvement, or benchmarking, that is a red flag. “We may use service data to improve the platform” is not good enough when regulated or commercially sensitive data is involved.

2. Deletion rights are soft or undefined

If the vendor cannot state retention windows, backup behavior, deletion timing, and what survives account closure, the team does not really control the data lifecycle. A DPA without operational deletion detail is theater.

3. Export and exit terms are weak

If workflow configuration, scoring logic, prompt assets, logs, or evaluation history cannot be exported in a usable format, the vendor is selling lock-in disguised as convenience. Exit friction should be treated as a cost, not an afterthought.

4. Security promises are generic

Words like “enterprise-grade security” mean nothing without explicit obligations around SSO, MFA, RBAC, audit logs, incident notice, subprocessors, and breach handling windows. Procurement should score contractual controls, not sales-deck adjectives.

5. Liability is misaligned with actual risk

If the contract limits liability so aggressively that a data leak, outage, or compliance failure leaves the buyer carrying the real loss, the risk transfer is fake. AI vendors love upside pricing and downside disclaimers.

6. Model-change rights are one-sided

If the vendor can materially change models, pricing, rate limits, retention terms, or feature access without a meaningful customer remedy, the operating model is unstable. Teams buying AI capability are also buying change risk.

What to request before approval

A plain-language data-use schedule covering prompts, files, logs, outputs, and training rights.

A retention and deletion schedule with backup handling and closure timelines.

A subprocessor list and notice process for changes.

Security-control mapping for SSO, audit logs, role boundaries, and incident response.

Export definitions for prompts, workflows, scores, logs, and evaluation evidence.

Commercial terms covering renewal caps, support SLAs, termination rights, and change notice periods.

Recommended snippet candidates

AI vendor contract red flags usually appear in data-use clauses, deletion terms, export rights, security obligations, liability caps, and one-sided model-change language. Teams should review these terms before pilot approval or procurement sign-off because contract wording often decides whether operational and compliance risk is actually controllable.

A strong AI vendor contract should define training-use boundaries, deletion timing, subprocessor visibility, audit and access controls, export rights, support obligations, and termination remedies. If those details are vague, the buyer is accepting platform and compliance risk that the sales process probably hid.

Use this page with the diligence stack

Contract red flags are only useful when they flow into due diligence, shortlist scoring, pilot testing, and the final decision memo. Otherwise you have a clever note, not a controlled buying process.

Open due diligence checklist Open pilot evaluation checklist Open decision matrix

Related enterprise AI guides