A few years into my federal career, I learned an uncomfortable lesson about procurement and contracts: what a vendor says in a sales meeting and what's in the contract are often two very different things. With AI vendors, the stakes are higher and the fine print is often overlooked in small businesses, local government agencies, and nonprofits.
When organizations adopt an AI tool (e.g. a chatbot, a scheduling platform, a grant-screening tool, a HR system), they’re entering into a data relationship with the vendor that’s more convoluted than your typical software license purchases.
This new contractual relationship allows the AI vendor to use your organization’s internal and client data to train its system. In other words, you’re agreeing to trade data from your organization, your staff, and in many cases, the people you serve for convenience. This isn’t new, we’ve been trading our data unknowingly for years. It’s essentially how AI has advanced: feeding off of our collective data. However, you have a right to question the terms before starting a relationship with an AI vendor.
Most small businesses, nonprofits, and local government agencies don't have the legal bandwidth to deeply scrutinize every AI vendor agreement. But that doesn't mean you're powerless. It means you need the right questions before you sign.
10 Questions Every Organization Should Ask an AI Vendor
1. Who owns the data we input into your system?
2. Is our data used to train your models? Can we opt out?
3. Where is our data stored, and who has access to it?
4. What happens to our data if we cancel the contract or you go out of business?
5. Has this tool been independently tested for accuracy, bias, and ethical considerations?
6. What is your breach notification and remediation process and timeline?
7. Are you compliant with relevant regulations (FERPA, HIPAA, state privacy laws)?
8. What human oversight mechanisms are built into your system?
9. What is your process for handling errors or contested AI outputs?10. What are your AI risk management practices?
The AI vendor landscape is moving fast with new tools launching constantly. The marketing is sophisticated and most organizations are making adoption decisions under board, political, or competitive pressure. You are not behind! A responsible AI vendor will welcome and answer these questions, some of them before you ask. If not, that’s a red flag.
Third-party vendor risk is one of the most underexamined areas in AI governance for small organizations. Don’t allow your vendor's AI practices become your organization's liability.
Not sure how to evaluate your current or prospective AI vendors? I offer vendor risk assessments and procurement guidance built for organizations without enterprise legal teams. Let's talk at TawanaTownsendConsulting.com.