Blue Sage Data Systems
AI vendor selection, plainly

How to pick an AI vendor

For Omaha mid-market leaders. The diligence checklist, the regulatory must-haves, and the questions vendors hate that are exactly the ones you should ask first.

Lincoln companies asking the same? See the Lincoln view →

Text Rosey · Schedule a call →

Definition

AI vendor selection follows the same pattern as any third-party risk decision — but with one extra layer that's specific to AI: how the vendor handles your data once it's in their system.

The discipline has six checks.

1. **Data handling**: an enterprise tier with no-training guarantees in writing, data residency commitments, a stated retention policy for prompts, outputs and logs, and audit-trail availability. Free and consumer tiers fail this check by default.
2. **Compliance posture**: a current SOC 2 Type II report (read the exceptions and scope, not just the opinion), a BAA available if you handle PHI, due-diligence documentation sufficient for the interagency third-party guidance (OCC Bulletin 2023-17 / FDIC FIL-29-2023 / FRB SR 23-4) if you bank, and AIS Program documentation for NAIC IGD-H1 if you write insurance.
3. **Sub-processor disclosure**: which downstream processors does the vendor use? Most run on OpenAI, Anthropic, Microsoft or Google as the underlying model, but the layer between you and that model is where your data is actually logged, retained and exposed. Get the full chain in writing, with notice when it changes.
4. **Roadmap and stability**: a visible 12-month roadmap and a communicated funding runway. AI vendor mortality is real; mid-market companies need vendors that will be around.
5. **Contract terms**: indemnification for IP claims, liability caps, exit data portability, termination assistance.
6. **Customer references in your sector**: not generic case studies, but actual reference calls with similar-sized companies in your industry.

Questions vendors don't love that you should ask first: 'Show me the data flow diagram for my data.' 'Who has access to logs containing my prompts, and for how long are they kept?' 'What's your incident-response SLA for a confirmed data leak?' 'When you say no-training, is that a settings toggle someone has to keep switched off, or a contractual guarantee that survives a product change?' 'Show me a customer in [my industry] of [my size] that you'd let me reference-call.' Vendors that handle these crisply tend to be the ones who've been examined and survived. Vendors that get defensive about them are signaling something.

Common follow-up questions

Are the big AI vendors safer than the smaller ones?
Mostly yes for compliance posture, longevity, and BAA availability. But not always for industry fit: niche vendors sometimes have specialized regulatory expertise that big horizontal vendors lack. Pick the big vendor as the foundation; add the specialized vendor when the specialization is real, and run the same six checks on the specialized vendor, because it is the one most likely to fail the stability and sub-processor checks.
What's the worst version of AI vendor selection?
Letting the team that wants the tool also be the team that does the diligence. They have incentive to under-weight risk. Diligence should run through Procurement / IT / Security / Legal with the requesting team as input, not authority.
How does this connect to OCC 2023-17 for Omaha banks?
Directly. OCC Bulletin 2023-17 (issued jointly with FDIC FIL-29-2023 and FRB SR 23-4) is the interagency guidance on third-party relationships that examiners apply. An AI vendor is a third-party relationship under that guidance, so the bank must apply risk-based oversight across the third-party lifecycle: planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination. Using a third party does not diminish the bank's responsibility for the activity; the bank is held to the same standard as if it performed the work in-house.
What if we're a healthcare provider and the vendor doesn't offer a BAA?
You don't use the vendor with PHI. Full stop. There is no version of HIPAA-compliant PHI handling without a BAA. The vendor without a BAA can be used for non-PHI work; PHI workflows need a BAA-bearing vendor. A signed BAA is necessary but not sufficient: it usually covers only named services, tiers and configurations, so confirm that the exact product and features your PHI workflow touches are inside its scope before the first record goes in.
How long should diligence take?
For a major AI vendor: 4–8 weeks of due diligence, depending on regulatory complexity. Less than 4 weeks usually means you skipped something. More than 8 weeks usually means the vendor isn't ready for you.

Text Rosey to begin.

Rosey is our executive-assistant bot. Text the number below — she'll ask two questions, offer three calendar slots, and put a 30-minute call on Jim's calendar.


or call 415 481 2629