AI Supplier Due Diligence: The Vendor Risk Checklist Every UK Buyer Needs in 2026
Agentic Business Design
2 December 2025 | By Ashley Marshall
Quick Answer
UK buyers should assess AI vendors across five areas: data handling, security controls, auditability and explainability, failure behaviour (hallucinations, policy breaches, low-confidence outputs), and commercial exit terms. If a supplier cannot answer those clearly and with evidence, the risk sits with you, not them.
Buying an AI product is no longer just a software decision. It is a data, governance, liability, and supplier-risk decision wrapped inside a shiny demo.
Why AI procurement is now a risk review, not just a feature comparison
Many AI buying processes still begin with the wrong question: which tool looks most impressive? The stronger question is what risk the tool creates once it is connected to real work. CITMA's recent procurement guidance makes the point clearly from a legal-services angle, but the lesson applies more broadly. Buyers need evidence on hallucination control, explainability, auditability, security, privacy, and compliance before they trust any system with consequential work.
That is because AI suppliers do not just provide software. They may process confidential data, influence decisions, rely on third-party models, and introduce a dependency that becomes expensive or awkward to unwind later. The more powerful the workflow, the more important due diligence becomes.
In 2026, buying an AI supplier without a structured risk review is the equivalent of buying cloud infrastructure without asking where the data lives or who can access it. It is not prudent procurement. It is optimism masquerading as speed.
The five checks every UK buyer should run
Start with data. What data goes into the system, where is it processed (including by any sub-processors), how long is it retained, who at the supplier can access it, and is it used for model training or improvement? If the answers are vague, stop there. Next, security. Buyers should expect evidence of access controls, encryption in transit and at rest, hosting arrangements, and incident handling, not generic reassurance. Evidence means something a reviewer can check, such as a current independent certification or audit report and a recent penetration test summary, rather than a marketing page that says "bank-grade security".
Third, ask about auditability and explainability. Can the supplier show why an output was produced, what inputs and which model version were used, and what logs exist for review, and can you export those logs rather than only view them in the supplier's console? Fourth, assess failure behaviour. What does the vendor do about hallucinations, policy breaches, or low-confidence outputs, and does the system fail loudly (flagging for review) or silently (returning a confident wrong answer)? CITMA specifically highlights confidence scoring, validation layers, and human review as signs of maturity.
Fifth, inspect the commercial terms. Who owns outputs, what happens at contract end, how portable is your data, and how dependent are you on one model provider hidden behind the supplier's interface? Good due diligence is not only technical. It is contractual as well.
Where buyers get caught out most often
The most common mistake is assuming an enterprise-looking interface means enterprise-grade controls. It does not. Some suppliers are essentially wrappers around third-party models with thin governance and weak support behind the scenes. Others have good security but poor transparency around retention, retraining, or model dependencies.
Another mistake is ignoring exit risk. AI suppliers are changing pricing, packaging, and model relationships quickly. If your workflow depends heavily on a vendor that cannot offer clear export paths, reasonable notice periods, or stable commercial terms, you may end up locked into a stack that no longer makes sense six months later.
UK buyers should also remember that sector obligations do not disappear because a tool uses AI. Client confidentiality, UK GDPR obligations, financial controls, and professional standards still apply. The supplier can share part of the work, but not the liability.
A practical checklist for the next buying cycle
Before any purchase, ask the supplier for a short due diligence pack covering security controls, hosting location, retention terms, model dependency, audit capability, and examples of failure handling. Then score suppliers against the same checklist instead of letting each demo create its own criteria.
For higher-risk use cases, run a limited pilot with real governance. Use the pilot to test not only the outputs but also logging, permissioning, human review, and support responsiveness when something goes wrong. That tells you much more than a polished sales presentation.
The right AI supplier is not necessarily the one with the flashiest capabilities. It is the one you can explain, govern, and exit without creating a problem for future-you.
Frequently Asked Questions
What is the biggest AI vendor due diligence mistake?
Focusing on features and demos before clarifying data handling, security, and contractual exit terms.
Should SMEs run the same due diligence as large enterprises?
The process can be lighter, but the core checks still matter. SMEs are often less able to absorb a security, compliance, or lock-in mistake.
What evidence should we ask an AI supplier for?
Ask for security documentation, hosting and retention details, audit and logging capability, failure-handling methods, and clear contract terms on ownership and exit.
Why does exit risk matter so much in AI?
Because providers, pricing, and model availability are changing quickly. If you cannot leave cleanly, future changes become your problem.