Enterprise AI procurement: questions before buying a platform
Buying an AI platform is not just a model choice. It is also a data choice, a security choice, a support choice and an exit choice.
A shiny demo can hide a lot of boring questions: who sees the data, where it is stored, how long it is kept, whether you can export it, how logs are handled, what happens if the vendor changes the model, and what your fallback is when the service is unavailable.
Quick answer
If you are buying an AI platform, do not start with features.
Start with the questions that decide whether you can safely use it: data retention, access control, audit logs, SSO, admin controls, support levels, model update policy, export options and how easily you can leave later. If the answers are weak, the product is not ready for serious procurement.
Questions to ask first
A good procurement review usually covers these areas:
Data and privacy
- What data is stored?
- Is customer data used for training?
- How long are prompts, outputs and logs retained?
- Can you opt out of training or analytics uses?
- Can you delete or export the data later?
Security and access
- Is SSO supported?
- Are roles and permissions granular enough?
- Are audit logs available?
- Can you limit access by team, project or workspace?
- Who can see logs and attachments, and how long are they kept?
Product and vendor behaviour
- Which model is actually used?
- Can the model be swapped without warning?
- Are there clear release notes or changelogs?
- Is the platform transparent about downtime and incidents?
- What support exists when things fail?
Exit and portability
- Can you export prompts, logs, evaluations and configuration?
- How much work would it take to switch vendors?
- Are you locked into proprietary workflows or data formats?
- What happens if pricing changes or a feature disappears?
If a platform cannot answer these cleanly, the procurement risk is already visible.
What teams often miss
The common mistakes are predictable:
- they compare feature checklists but ignore retention policy;
- they buy a pilot and forget the operational controls needed for scale;
- they assume “enterprise” means safe by default;
- they do not check export or exit options until it is too late;
- they ignore who can see logs, prompts and attachments;
- they treat vendor marketing as if it were a contract.
The right procurement question is not “does it do the demo thing?” It is “can we run this safely next year?”
Practical decision check
Before you buy, ask:
- Does the platform fit our data classification rules?
- Can we explain the retention and training policy to users and auditors?
- Is access control strong enough for our team structure?
- Can we monitor incidents and changes?
- Can we export the data if we leave?
- Is the vendor’s model update policy acceptable?
- Do we have a fallback if the platform goes down or changes terms?
If the answer to any of those is weak, keep negotiating or keep looking.
What this page cannot tell you
This page cannot tell you whether a specific contract is legally safe.
It cannot tell you:
- whether your privacy notice is sufficient;
- whether your DPIA or security review is complete;
- whether a specific jurisdiction requires extra controls;
- whether the platform is a good fit for a regulated sector;
- whether the vendor’s public documentation matches the signed contract.
It can only help you avoid buying a problem you will later have to unwind.
Global applicability
This article is global. There is no UK, GB or Northern Ireland split to apply here.
The useful caution is universal: enterprise AI procurement is mostly about control, transparency and exit risk.
Methodology and sources
Check date: 2026-05-22
What was checked: provider trust, security and governance documentation plus general AI-risk guidance.
What the sources were used for:
- data retention, access control and audit questions;
- model update and incident transparency;
- the need to think about export and exit before signing.
Assumptions and limits:
- vendor terms change;
- contract language may differ from public docs;
- this is operational guidance, not legal advice;
- procurement risk depends on the organisation’s own controls and regulatory context.
Change log
- 2026-05-22: first draft built from the llm-editor-approved brief, with a procurement-first checklist focused on control, transparency and exit risk.
Source list
- NIST AI Risk Management Framework — https://www.nist.gov/itl/ai-risk-management-framework
- OWASP Top 10 for LLM Applications — https://owasp.org/www-project-top-10-for-large-language-model-applications/
- OpenAI data controls FAQ — https://help.openai.com/en/articles/7039943-data-controls-faq
- Anthropic privacy policy — https://www.anthropic.com/legal/privacy
- Google Cloud trust and security documentation — https://cloud.google.com/security