Enterprise diligence checklist

AI vendor due diligence checklist 2026, for buyers who need proof.

An AI vendor due diligence checklist is a buyer-side review framework used to verify security controls, data rights, architecture, pricing, and contract risk before shortlist approval or legal sign-off. Use it after initial comparison so weak vendors are removed on evidence instead of sales confidence.

Confirm the vendor can prove identity controls, audit logging, and role boundaries in writing.
Ask whether customer data, prompts, files, or telemetry are used for model training or product tuning.
Verify retention, deletion, export, and backup behavior before anyone treats the platform as safe.
Document integration dependencies, vendor lock-in risks, and the operational owner for every control gap.
Why this exists
Stop bad vendors early
Security and access
SSO, MFA, RBAC, audit logs, incident response, admin review paths.
Data governance
Training usage, retention, deletion, export, residency, subprocessors.
Architecture and reliability
Deployment model, latency, rollback, rate limits, failure handling.
Commercial discipline
Pricing model, overages, support minimums, renewal and exit terms.
Questions procurement should send before the next call
Can you contractually confirm whether prompts, uploaded files, outputs, logs, and metadata are excluded from model training by default?
What are the exact retention, deletion, backup, and account-closure timelines for customer content and telemetry?
Which controls are native today, not on the roadmap, for SSO, MFA, RBAC, audit logs, API tokens, and admin approval workflows, and which of them require a higher tier or add-on?
What happens to workflows, prompts, evaluation history, and exported data if we terminate in year one?
Which price levers can change after signature: seats, usage, model tiers, support, rate limits, or overage terms?
How to use it

Ask hard questions before the vendor gets comfortable.

This checklist sits between the RFP and the final scorecard. It gives procurement, security, and business owners one shared review layer so every answer gets tested against evidence instead of sales language.

The buyer path should stay consistent: methodology, RFP, diligence, shortlist scorecard, contract review, pilot validation, then decision matrix. That loop keeps teams from treating diligence as an isolated worksheet.

If a vendor cannot answer clearly here, do not assume the pilot will rescue the deal. Move unresolved terms into contract review, turn operational uncertainty into pilot test conditions, and keep weak answers visible in the final score.

Rule
Evidence beats confidence every time.

If the answer is vague, score it as risk until proven otherwise.

Diligence dimensions
  • Security and access controls
  • Data handling and privacy
  • Architecture, integration, and rollout risk
Review sequence

Run diligence like a gate, not a meeting.

Strong teams do not collect answers and hope someone remembers them later. They force each claim into proof, mark unresolved risk clearly, and route every outcome to the next buyer control.

1. Validate the claim
Ask the vendor to answer in plain language first so the real control or gap is visible.
2. Request proof
Push for policy text, product screenshots, admin settings, audit reports, or contract language instead of promises.
3. Score the exposure
Mark the issue as pass, gap, workaround, or escalation so the shortlist stays comparable.
4. Route the next step
Move clean answers to the scorecard and unresolved items to contract review or pilot conditions.
What counts as enough evidence
Security proof
Identity controls, logs, approvals, and incident ownership should be documented and reviewable.
Data-rights proof
Training usage, retention, deletion, export, and residency need explicit written confirmation.
Commercial proof
Pricing mechanics, support limits, renewal logic, and exit terms should be contract-ready before approval.
Buyer reminder

A clean diligence pass does not mean the vendor wins. It means the vendor has earned the right to be compared fairly in the shortlist scorecard and challenged again in the decision matrix.

Next step

Keep the buyer flow moving after diligence.

Once the checklist is complete, the team should either move validated evidence into ranking, escalate unresolved risk into legal review, or convert open operational questions into pilot conditions. Do not let the work disappear into notes.