AI Governance in Procurement: The Questions You Must Ask Every AI Vendor Before You Sign
Procurement teams are signing AI vendor contracts without adequate governance due diligence. The liability for vendor AI governance failures flows to the buyer. Here are the questions that sophisticated procurement teams are asking in 2026.
Key Takeaways
When you buy AI from a vendor, you become the deployer under the EU AI Act — the regulatory obligations and potential penalties attach to you, not the vendor, unless your contract explicitly allocates them differently.
Standard vendor AI governance representations are inadequate — most cover data processing under GDPR but do not address AI-specific obligations including model documentation, bias testing, and incident notification.
The three contract clauses every AI procurement should include: AI-specific incident notification (shorter than standard data breach notification), model drift notification obligations, and audit rights over AI system performance.
Vendors who cannot answer specific AI governance questions during procurement are a governance risk regardless of their reputational standing — inability to provide governance documentation is itself a red flag.
A 20-question AI vendor due diligence questionnaire structured around the EU AI Act deployer obligations, for use in enterprise AI procurement.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified professional for advice on your specific situation."
The deployer liability most buyers do not understand
The EU AI Act creates a distinction between AI providers (who develop AI systems) and AI deployers (who use AI systems in their operations). The compliance obligations and potential penalties for high-risk AI systems attach to both — but in different ways and for different things. What most AI buyers do not understand is that buying AI from a compliant vendor does not make the buyer compliant. The deployer has their own independent obligations: ensuring the AI is used within its intended purpose, implementing human oversight, maintaining logs, monitoring performance, and reporting serious incidents. These obligations cannot be contracted away.
This means that when your organisation uses an AI hiring tool, an AI credit scoring system, or an AI medical triage tool — regardless of how mature that vendor's compliance program is — your organisation is also directly subject to high-risk AI obligations under the EU AI Act. Your contracts with the vendor should reflect this allocation of responsibility clearly. Most standard AI vendor contracts, including contracts from major technology vendors, do not.
The five governance questions vendors must answer
Before signing any AI vendor contract for a system that will be used in significant business decisions, procurement should require written answers to five governance questions. First: is this system classified as high-risk under the EU AI Act, and if so, what conformity assessment has been completed? Second: what is the training data composition for this system, and what bias testing has been conducted? Third: what monitoring is in place for model performance in production, and how will you notify us if performance degrades materially? Fourth: what is your AI incident notification process, and what is the timeline for notifying us of incidents affecting this system? Fifth: what audit rights do we have over this system's performance and documentation?
A vendor who cannot answer these questions specifically — not with marketing language about their commitment to responsible AI, but with specific documented answers — is a vendor whose AI governance is immature. That immaturity becomes your problem the moment you deploy their system.