The deployer liability most buyers do not understand

The EU AI Act creates a distinction between AI providers (who develop AI systems) and AI deployers (who use AI systems in their operations). The compliance obligations and potential penalties for high-risk AI systems attach to both — but in different ways and for different things. What most AI buyers do not understand is that buying AI from a compliant vendor does not make the buyer compliant. The deployer has its own independent obligations: ensuring the AI is used within its intended purpose, implementing human oversight, maintaining logs, monitoring performance, and reporting serious incidents. These obligations cannot be contracted away.

This means that when your organisation uses an AI hiring tool, an AI credit scoring system, or an AI medical triage tool — regardless of how mature that vendor's compliance program is — your organisation is also directly subject to high-risk AI obligations under the EU AI Act. Your contracts with the vendor should reflect this allocation of responsibility clearly. Most standard AI vendor contracts, including contracts from major technology vendors, do not.

The five governance questions vendors must answer

Before signing any AI vendor contract for a system that will be used in significant business decisions, procurement should require written answers to five governance questions. First: is this system classified as high-risk under the EU AI Act, and if so, what conformity assessment has been completed? Second: what is the training data composition for this system, and what bias testing has been conducted? Third: what monitoring is in place for model performance in production, and how will you notify us if performance degrades materially? Fourth: what is your AI incident notification process, and what is the timeline for notifying us of incidents affecting this system? Fifth: what audit rights do we have over this system's performance and documentation?

A vendor who cannot answer these questions specifically — not with marketing language about their commitment to responsible AI, but with specific documented answers — is a vendor whose AI governance is immature. That immaturity becomes your problem the moment you deploy their system.