Blue Sage Data Systems
AI vendor selection, plainly

How to pick an AI vendor

For Lincoln mid-market leaders: the diligence checklist, the regulatory must-haves, and the questions vendors dislike, which are exactly the ones to ask first.

Omaha companies asking the same? See the Omaha view →

Text Rosey · Schedule a call →

Definition

AI vendor selection follows standard third-party risk patterns with one extra layer: what the vendor does with your data once it is inside their system (whether it is used for training, how long it is retained, and who else processes it).

Six checks.

1. **Data handling**: an enterprise or API tier (not consumer accounts) with a no-training guarantee written into the contract, not just in a policy page the vendor can change; data residency; retention limits; and audit logs you can actually export.
2. **Compliance posture**: a current SOC 2 Type II report; a BAA available if you handle PHI; documentation you can file under OCC 2023-17 / FDIC FIL-29-2023 if you are a bank; AIS Program documentation for NAIC IGD-H1 if you are an insurer; NITC 8-609 alignment if you contract with the state.
3. **Sub-processor disclosure**: which downstream processors the vendor uses, and whether you are notified before the list changes.
4. **Roadmap and stability**: a 12-month roadmap, funding runway, and references in your sector.
5. **Contract terms**: indemnification, liability caps, and data portability at exit.
6. **Customer references in your sector**: actual calls, not generic case studies.

Questions vendors don't love that you should ask first: Where does our data flow, including to sub-processors (ask for the diagram)? Can we access our own logs? What is the incident-response and breach-notification SLA? Is no-training the default, or only by contract? Can we speak to a reference customer in our industry and of our size?

Common follow-up questions

Are the big AI vendors safer than the smaller ones?
Mostly yes, for compliance posture and BAA availability. Niche vendors sometimes bring specialized regulatory expertise. Use the large vendor as the foundation and add a specialized one only when the specialization is real.
Worst version of AI vendor selection?
Letting the team that wants the tool also do the diligence. Diligence should run through Procurement / IT / Security / Legal.
How does this connect to OCC 2023-17 for Lincoln banks?
Directly. AI vendors are third parties under the guidance, which expects risk-based oversight across the whole relationship lifecycle: planning, due diligence and selection, contracting, ongoing monitoring, and termination. As the guidance puts it, use of third parties "does not diminish" the bank's responsibility.
Healthcare provider without a BAA from the vendor?
You don't use the vendor with PHI. Full stop.
What about state contracts under NITC 8-609?
If you're a Lincoln vendor supporting state agencies, NITC 8-609 pulls you into OCIO security review and privacy impact assessments. Vendor selection has to factor that workflow.
How long should diligence take?
4 to 8 weeks for a major AI vendor. Less than 4 weeks usually means a check was skipped.

→ Start here

Text Rosey to begin.

Rosey is our executive-assistant bot. Text the number below — she'll ask two questions, offer three calendar slots, and put a 30-minute call on Jim's calendar.

Text Rosey · Schedule a call →

or call 415 481 2629