AI Vendor Due‑Diligence: Questions to Ask

AI Vendor Due‑Diligence: Questions to Ask

How to Vet LLM Vendors: Practical Steps for Risk-Aligned Procurement

Reduce deployment risk and choose the right LLM vendor with a repeatable vetting framework — assess objectives, security, data governance, and contracts. Start now.

Selecting a large language model (LLM) vendor requires aligning business goals with risk tolerance, technical capabilities, and legal protections. This guide gives a practical, repeatable checklist and the key questions to ask at each stage, with examples and quick assessments you can use in procurement conversations.

  • TL;DR: Focus on objectives, measurable model testing, data provenance, and contractual protections.
  • Ask for verifiable evidence (benchmarks, test logs, team bios) and run your own evaluation on representative prompts.
  • Prioritize vendors who demonstrate secure infrastructure, clear data governance, and explicit SLAs for safety and uptime.

Clarify objectives and risk appetite

Before engaging vendors, document what you need the LLM to do and what you cannot accept. Clear objectives narrow vendor selection and define acceptable failure modes.

  • Primary use cases: customer support, summarization, code generation, decision support, etc.
  • Risk categories: factual errors, hallucinations, biased outputs, data leakage, legal noncompliance, availability.
  • Impact matrix: map severity (low/medium/high) against likelihood for each use case.

Example impact matrix (simplified):

Example impact assessment for LLM use cases
Use caseRiskImpactAcceptable mitigation
Customer support (FAQ)Factual errorLow–MediumHuman review on escalations
Contract draftingLegal liabilityHighLegal sign-off, conservative templates
Internal knowledge base searchData leakageHighStrict access controls, on-prem or private tenancy

Quick answer — 1-paragraph summary

Choose vendors who align with your documented objectives and risk appetite, provide verifiable evidence of model behavior and provenance, allow realistic testing on representative data, demonstrate robust security and access controls, and offer clear contractual protections and SLAs that include remediation for safety incidents.

Verify vendor identity, team, and track record

Trust starts with transparency. Verify who you’re contracting with, who built the model, and whether the team has relevant domain experience.

  • Corporate identity: legal entity, registrations, insurance, and primary contacts.
  • Team credentials: bios for founders, safety engineers, data scientists, and SREs.
  • Track record: case studies, references, uptime history, incident reports, and timelines for any major outages or safety incidents.

Ask for redacted customer references in the same industry and written summaries of past incidents, their root causes, and remediation steps.

Assess model performance, limitations, and testing

Performance claims need reproducible evidence. Combine vendor-provided benchmarks with your own tests on representative prompts and edge cases.

  • Benchmarks: ask which standard benchmarks were used (e.g., MMLU, TruthfulQA) and request raw results and test configs.
  • Custom testing: supply a holdout set of representative prompts and evaluate for accuracy, bias, and safety failures.
  • Adversarial testing: include prompt injections, data exfiltration attempts, and ambiguous queries to probe hallucination and model steering.
  • Evaluation metrics: precision/recall, factuality rates, hallucination frequency, latency, token cost, and throughput.

Example testing plan:

  • 100 representative prompts from production logs (anonymized) + 50 adversarial prompts.
  • Measure exact match/ROUGE for structured outputs, factuality score via ground-truth checks, and rate of unsafe content.
  • Repeat tests across peak and low loads to check consistency.

Evaluate data governance, provenance, and privacy

Understanding how training and inference data are handled is essential for compliance and IP protection.

  • Training data provenance: ask for documentation on data sources, licensing, and filtering steps used to build the model.
  • Fine-tuning data: require evidence of consent/rights for any customer data used in fine-tuning.
  • Inference data handling: clarify whether prompts, responses, and metadata are logged, how long they’re retained, and whether they’re used to further train models.
  • Data residency: verify geographic storage and processing locations to meet regulatory requirements.

Sample questions to vendors:

  • Do you retain prompts and responses? If so, for how long and for what purpose?
  • Are customer inputs excluded from training unless explicitly opted in and contractually agreed?
  • Can you provide a data lineage statement for the model or the dataset used?

Inspect security, access controls, and infrastructure

Security of the model and the environment hosting it is non-negotiable. Confirm measures across network, application, and operational layers.

  • Infrastructure model: multi-tenant SaaS, VPC/private tenancy, or on-prem options?
  • Encryption: TLS in transit; AES-256 or equivalent at rest; key management and customer-held keys?
  • Identity and access: support for SSO (SAML/OIDC), role-based access control (RBAC), least privilege, and audit logs.
  • Penetration testing and third-party audits: request SOC 2, ISO 27001, or equivalent reports and recent pen-test summaries.
  • Secrets handling: how API keys, fine-tune secrets, and model weights are protected.

Example minimum controls to require in contract:

  • Encrypted storage with customer-managed keys for sensitive data.
  • Audit log retention policy and access to logs on incident requests.
  • Quarterly vulnerability scans and annual third-party security assessment reports.

Review regulatory compliance, contracts, and SLAs

Contracts should translate technical safeguards into enforceable obligations with measurable SLAs and remediation paths.

  • Compliance: GDPR, HIPAA (if applicable), sector-specific rules. Ask for DPIA outcomes when relevant.
  • Data processing addendum (DPA): explicit roles (controller/processor), subprocessors, and breach notification timelines.
  • Service-level agreements: uptime, latency, throughput, and support response times tied to remedies or credits.
  • Liability and indemnity: caps should reflect risk; ensure clarity around IP ownership and model outputs.
  • Right to audit: contractual right to audit security and data handling or a schedule for third-party attestations.

Contract clause examples to request:

  • Prohibition on using customer data for model retraining without explicit, documented consent.
  • 30-day breach notification and 90-day remediation plan for critical vulnerabilities.
  • Availability SLA of 99.9% (or appropriate level) with defined credits and escalation paths.

Common pitfalls and how to avoid them

  • Relying only on vendor claims — Remedy: require raw benchmark results and run independent tests.
  • Ignoring data lineage — Remedy: demand provenance documentation and contractually forbid unapproved retraining.
  • Underestimating adversarial risk — Remedy: include prompt-injection and red-team tests in evaluations.
  • Skipping legal safeguards — Remedy: negotiate clear DPAs, IP terms, and breach notification clauses.
  • No exit strategy — Remedy: include data export, model portability, and transition assistance in contract.

Implementation checklist

  • Document objectives, acceptable failures, and impact matrix.
  • Verify vendor identity, team credentials, and references.
  • Obtain benchmarks, run custom and adversarial tests on representative data.
  • Confirm training data provenance and inference data handling; require DPA.
  • Validate security controls, encryption standards, and audit reports.
  • Negotiate SLAs, liability, right-to-audit, and exit/portability clauses.
  • Plan pilot with monitoring, human-in-the-loop gating, and rollback criteria.

FAQ

Q: How much testing is enough before production?
A: Sufficient testing includes representative production prompts, adversarial cases, performance under load, and safety checks; typically multiple iterations until error rates meet your predefined acceptance thresholds.
Q: Should we prefer on-prem/private tenancy over SaaS?
A: Choose based on sensitivity and control needs: private tenancy/on-prem gives stronger data isolation but higher cost/operations; SaaS can be acceptable with strong contractual and technical safeguards.
Q: Can vendors be trusted not to use our data for retraining?
A: Only if contractually prohibited and technically enforced (e.g., exclusion flags, separate training pipelines). Require audit rights and attestations.
Q: What is a reasonable SLA for LLM services?
A: Common targets are 99.9% availability for production APIs; latency and throughput SLAs should match your application needs and include credit/remediation terms.
Q: Who should be involved from our side during vetting?
A: Product owners, security, legal/compliance, data/privacy officers, and SRE/ops should all participate in vendor evaluation and contract negotiation.