A founder who runs a small accounts practice has spent three months integrating an AI tool into her document review workflow. Her team uses it daily. Client turnaround time has improved. Then, one unremarkable Tuesday, an email arrives from the vendor: operations are ceasing in 30 days. What happens to the client documents sitting in that vendor’s cloud? Who controls them under UK law? And what, precisely, should she do by Friday?
That question sits behind a commercial risk that many UK SME founders haven’t built into their AI procurement thinking. The UK Government’s insolvency statistics record thousands of company insolvencies per quarter in England and Wales, information and communication sectors included. A niche AI vendor shutting down mid-contract is not a hypothetical. Concentrated AI dependency, built quickly on a single managed platform, is a risk that grows heavier as adoption deepens.
What choice are you actually facing?
Every AI procurement decision is also, quietly, a business continuity decision. The choice is between concentrating your capability in a single managed platform, fast and cheap to start but exposed if the vendor fails, and spreading it across portable, interchangeable components that take more setup work but are far easier to recover from. Many UK SMEs think only about the demo when they sign up.
The underlying architecture question breaks into two structures. Option A is the fully managed SaaS platform, where one vendor provides end-to-end AI capability, handles security and model updates, and bundles data storage into the same environment. Option B is a modular arrangement where you use widely available API-based models, hold your data in your own or a general-purpose cloud environment, and connect the pieces with a thin orchestration layer.
The CMA’s 2023 review of AI foundation models flagged a further dimension: market concentration. A small number of providers control the foundational infrastructure underpinning many AI tools. Depending on a single vendor built on a single foundation model adds concentration risk at two levels, not one. That’s worth knowing before you sign anything.
When does a single AI vendor make sense for your business?
A fully managed, single-vendor approach makes commercial sense when the use case is useful but not critical, when downtime wouldn’t breach a regulatory obligation or SLA to your own clients, and when you have limited technical capacity to manage integrations. Faster deployment, lower overhead, and the vendor handling security and model updates are real advantages. The UK Government’s Hidden AI Risks Toolkit flags this trade-off directly.
Specific conditions where this approach is reasonable include marketing content drafting, internal document summarisation, and customer-service triage for lower-stakes queries, where a day’s outage is inconvenient but not commercially damaging. Internal knowledge management, where the business logic is still being proved, also fits this pattern.
Two practical questions confirm whether you’re in this territory. First, can your business operate, with manual workarounds if necessary, if this tool goes down for a week? Second, if the vendor disappeared tomorrow, would any regulatory obligation or client SLA be breached? If the answer to the first is yes and the answer to the second is no, the single-vendor approach carries manageable risk. If either answer goes the other way, the calculation shifts.
When does a modular, portable approach make sense?
Where vendor failure would cause material harm, the calculus shifts. If you process volumes of client or payment data, operate in or supply regulated sectors, or have workflows that genuinely depend on a tool staying live, a modular architecture with your data in your own environment is worth the extra setup cost. The NCSC explicitly recommends planning for vendor loss from the start of any SaaS procurement.
The regulatory case is particularly clear for UK data-protection obligations. The ICO is explicit: UK SMEs remain data controllers when they send personal data to AI vendors. Those vendors become processors, and UK GDPR requires that the contract between controller and processor specifies what happens to personal data on termination, including return or deletion procedures. A vendor going insolvent is not a defence against a failure to meet that obligation.
There is also an EU AI Act dimension for firms supplying to EU markets. High-risk AI systems require logging, technical documentation, and human oversight arrangements that support audits and switching. An architecture where your data is portable and your audit logs are your own is significantly easier to demonstrate to a regulator or a major client than one where everything lives in a single vendor’s proprietary environment. For FCA-regulated firms and their direct suppliers, operational resilience guidance sets equivalent expectations regardless of vendor choice.
What does getting this wrong actually cost?
The costs fall into three buckets. Payment-related downtime is measurable: Access PaySuite research puts typical SME exposure to payment-related disruption at £5,000 to £100,000 a year, with 8% of finance leaders reporting losses above £1 million. Regulatory exposure follows from the ICO’s position: UK SMEs remain data controllers when they send personal data to AI vendors, so a vendor collapse that leaves data unrecoverable is a potential UK GDPR breach requiring notification within 72 hours.
The third cost bucket is operational: workflow redesign under pressure. When a business has rebuilt its team’s processes around a single AI tool, losing that tool mid-contract means rebuilding on an unplanned timeline. The Hidden AI Risks Toolkit puts this plainly, noting that failures in AI tools can have far-reaching consequences precisely because workflows have been redesigned around them.
A fourth, quieter cost is negotiating power. Vendors whose tools are deeply embedded in your operations know their position. Proprietary data formats, API lock-in, and bundled data storage all reduce your ability to resist unfavourable contract renewals, price increases, or changes to data terms. The NCSC’s SaaS guidance is specific on this: concentration in a single managed environment limits your ability to negotiate or switch without significant disruption.
What should you ask before you commit to any AI vendor?
Good vendor due diligence doesn’t need a legal team. The NCSC recommends planning your vendor exit from the start of any SaaS procurement, not as an afterthought. Four questions before you sign cover the material risk: what the disaster-recovery plan looks like; where your data sits on insolvency; whether full export is available on demand; and what the exit and migration window actually looks like.
On disaster recovery, ask for the vendor’s Recovery Time Objective and Recovery Point Objective, ideally backed by an independent audit. Ask whether they rely on a single cloud region or have multi-region failover. The November 2023 OpenAI outage and the January 2023 Microsoft WAN configuration failure both demonstrated that even large, well-resourced providers can cause temporary but material disruption for SMEs whose workflows depend on a single service.
On data access, ask whether your export includes not just raw data but logs, metadata, and any model artefacts tied to your account. The ICO requires controller-processor contracts to address data return or deletion on termination. Ask specifically who holds legal control of your data if the vendor enters administration and whether you have any direct access to the underlying infrastructure provider.
On exit terms, the NCSC recommends testing data export before you need it in an emergency. Establish the timeline from termination notice to full data return, whether migration support is included, and whether material changes to terms come with enough notice for an orderly transition. These questions cost nothing to ask. Skipping them can cost considerably more.
The vendor failure question isn’t the most exciting part of AI procurement. For a UK SME founder who has rebuilt workflows around a tool that disappears overnight, though, it becomes the only question that matters. The architecture decision, made at procurement, determines how much of a crisis that moment becomes. Concentrated capability is faster to build. Portable, modular capability is faster to recover from. Knowing which you need, before you sign anything, is the work worth doing upfront.