Vendor Questions That Cut Through the Noise
The 12-question core set
- What exact tasks are model-driven vs rules-driven?
- What training data is used (sources, coverage, and update cadence)?
- How do you measure performance, and can we see results?
- How do you handle edge cases and “unknowns”?
- What human oversight is required for defensible outputs?
- What explainability features exist (why did it flag X)?
- Where is data stored and processed (regions, residency)?
- Do you use our data for training? If yes, how is consent handled?
- What security certifications do you maintain (SOC 2, ISO 27001)?
- What is your breach notification process and timeline?
- How do we export our data on exit (format, timeline, cost)?
- What support and implementation resources are included?
Pro tip
If a vendor can’t answer these clearly, you’ve learned something important.