A vendor sends over their calendar link after a 30-minute demo. The AI clearly works. Pricing slides arrive the same afternoon. Six weeks later, the contract is signed.
For many owner-managers, that sequence will feel familiar. The UK Government’s 2024 Cyber Security Breaches Survey found that only 18 per cent of medium-sized businesses had reviewed risks from their immediate suppliers in the previous 12 months. The demo-to-contract window is where that gap opens.
The supplier assurance work in that gap takes a week to ten days and costs nothing except time.
What does due diligence on an AI supplier actually involve?
Due diligence on an AI supplier is a structured process of verifying three things before you commit: that the vendor has the security controls to protect your data, that their system will behave reliably and traceably, and that you have written obligations in place if either fails. It covers cyber security, data handling, continuity planning, and how the AI itself is governed internally.
Think of it as the same category of supplier assurance your bank or insurer would run on a new third party. What AI makes different is the chain of components involved: the model provider behind the product, the vector databases it might use, any plug-ins or retrieval pipelines in its stack. NCSC supply-chain guidance explicitly recommends understanding which third-party services a supplier chains together, where data is processed, and how incidents would be reported throughout the contract lifecycle.
The UK Government’s AI Playbook for public-sector buyers structures AI procurement around four areas: early risk assessment, clear allocation of responsibilities, alignment with data-protection law, and cyber-security standards from the outset. Owner-managed firms can follow the same logic at lighter weight, without a procurement committee.
The starting point is a due diligence pack you send to any supplier you shortlist: standardised questions, a test dataset, and a scoring matrix. That pack, not the demo, is where the real selection happens.
Why does it matter more than standard software procurement?
When you buy a standard SaaS tool, you are mostly trusting the vendor to keep the application running. With an AI tool that processes your business or client data, you also remain the UK GDPR controller for everything it does. Your obligations do not transfer to the vendor. If the vendor mishandles the data, the ICO’s enforcement action starts with you.
The ICO has been explicit: using AI does not remove a controller’s obligations. For high-risk processing, a Data Protection Impact Assessment is required. For any processing involving a vendor, you need a Data Processing Agreement that covers what the vendor can do with the data, which sub-processors they use, and your right to audit.
The financial stakes are concrete. IBM Security’s 2023 data breach cost report estimated that third-party supplier breaches cost on average 12.7 per cent more than direct breaches. The same 2024 UK government survey that found only 18 per cent of businesses review supplier risks also reported that 50 per cent of medium-sized businesses experienced a cyber breach or attack in the preceding year.
AI also introduces risks that standard software procurement doesn’t surface. The NCSC has flagged prompt injection as a threat for systems built on large language models: an attacker, or a careless staff member, can cause a model to reveal data it should not. Samsung engineers accidentally exposed sensitive source code by pasting it into a public AI tool in 2023. Your checks need to anticipate both the deliberate and the accidental.
What does a minimum evidence pack look like?
A practical approach for SME buyers is to ask for five concrete proofs before any vendor gets onto a shortlist: a security certificate or attestation (Cyber Essentials or ISO 27001), a penetration test summary from the past 12 months, a data-handling document covering retention, deletion and sub-processors, service continuity evidence including incident-response procedures, and an explanation of how AI risks are managed internally.
A vendor that cannot assemble these five proofs promptly is signalling something about their maturity. Cyber Essentials is a UK government-backed baseline, mandated for many central government suppliers; a capable vendor should be able to evidence it within days. ISO 27001 is the broader information security management standard. Absence of either is not automatically a disqualifier, but absence of a coherent explanation for why not is.
Beyond the evidence pack, a short test-based evaluation works well. Spend the first two days defining one or two real business tasks and preparing a small, legally shareable dataset with known correct answers. Send the pack to three to five vendors. Give shortlisted vendors 48 hours of controlled sandbox access with usage caps and dummy data. Score responses against a pre-defined matrix before you see any more demos. By the end of ten days you have a scored shortlist and a pilot plan.
The discipline is to score against your criteria before any further demos, because demos are designed to impress and your criteria are designed to protect you.
When should you run the full checks, and when can you simplify?
The full checklist is proportionate to risk. If your use case involves personal data, client records, commercially sensitive information, or any output that carries legal or financial weight, apply it in full. If the use case is genuinely low-risk, say generating ideas from publicly available information with no client data involved, a standard SaaS review and basic security check may be enough.
Two other situations allow a lighter approach. If your firm has strong internal data and security capability, you may choose to self-host an open-source model rather than rely on an external vendor, shifting the due diligence focus to your own infrastructure and internal governance. And in niche verticals where only one or two credible AI vendors exist, you may have less bargaining power to demand every proof; additional internal controls or specialist insurance can compensate.
One rule applies regardless of the use case: put your data-handling expectations in writing before you sign. NCSC guidance is clear that embedding security requirements and incident-reporting obligations from the outset of a contract is significantly cheaper than retrofitting them after something goes wrong. That discipline costs nothing extra and scales whether you use the full five-proof pack or a lighter version.
What frameworks sit behind the questions?
Two international frameworks give you a principled basis for vendor conversations without needing a legal or technical background. The NIST AI Risk Management Framework, published in 2023 and updated with a generative AI profile in 2024, covers four functions: govern, map, measure and manage. ISO/IEC 42001:2023 is the AI-specific management system standard, analogous to ISO 27001 for information security.
You do not need to be certified against either, and neither does your vendor. Asking how a vendor’s policies map to NIST AI RMF is a useful stress-test: a vendor who has thought seriously about AI-specific risks will have a coherent answer. One who has not will fill the silence with marketing language.
The EU AI Act is also worth raising, even for UK buyers. Formally adopted in 2024, it applies to providers and deployers of AI systems placed on the EU market or affecting individuals in the EU, regardless of where the provider is based. Penalties reach up to €35 million for the most serious breaches. If your vendor serves EU customers or is EU-registered, ask whether they have classified their systems under the Act and what their compliance timeline looks like.
The due diligence process described here takes a week to ten days and costs nothing except time to prepare. The £98,000 ICO fine issued to a UK law firm after a ransomware attack in 2023 offers a sense of the alternative; that firm had not embedded basic security requirements into its supplier relationships. Treat the checks as the cheapest insurance available to any SME buyer, and run them before the contract arrives, not after.



