Buyer guide

The AI vendor checklist: ten questions, all answerable with evidence.

Every question below has a checkable answer: a document, a hash, a log, a number, a name. That is the design. When you put these to an AI vendor, you are not testing whether they care about governance. You are testing whether their governance produces artifacts. A vendor who answers with adjectives instead of artifacts has answered the only question that matters.

The ten questions

  1. Are your governance rules published where I can read them? Evidence: a public URL, plain language, readable in one sitting. Not a policy summary. The rules.
  2. Are those rules locked? Evidence: a cryptographic hash of the canonical text, so any copy can be proven identical or proven tampered.
  3. Do you keep receipts of what the system actually did, including denials? Evidence: append-only, tamper-evident logs that record refusals and corrections, not just successes.
  4. Who can override the system, and at what tier? Evidence: a written human-authority model naming roles and thresholds, not a sentence that says humans are in the loop.
  5. Is there a kill switch, and has it ever been tested? Evidence: the mechanism described, plus a dated record of a real drill.
  6. Where is your incident and correction log? Evidence: public or contractually available records of what went wrong and what changed, with dates.
  7. Does the system label fact versus inference in its outputs? Evidence: visible source labeling a buyer can inspect in a live session.
  8. Which frameworks do you map to, and where is the mapping? Evidence: a document mapping practices to the NIST AI RMF, ISO/IEC 42001, or EU AI Act themes, with no certification claims the vendor cannot back with a certificate number.
  9. What do you log about my users, and what do you refuse to log? Evidence: a data statement covering retention, PII stance, and what is deliberately not collected.
  10. Can an outsider verify any of this in ten minutes without an NDA? Evidence: try it before the sales call. If verification requires trust, it is not verification.

How to score it

Do not expect ten for ten; almost nobody clears this bar today, including most household names. The scoring that matters is the ratio of artifacts to adjectives. A vendor with seven documents and three honest gaps is a partner. A vendor with ten confident paragraphs and zero artifacts is a risk you would be importing. If you want a fast structured read on any single claim a vendor makes, run it through The Gate, our free GREEN AMBER RED guardrail check.

Why these ten

The questions are not arbitrary; they are the load-bearing themes the major frameworks converge on. Published accountable rules and authority tiers are the heart of the RMF's GOVERN function and ISO 42001's management clauses. Receipts, incident logs, and data statements are the record-keeping and documentation discipline that the EU AI Act's high-risk chapter keeps returning to. Oversight tiers and kill switches are Article 14's human oversight made concrete. The outsider check is our addition, and the reason the rest works: evidence that cannot be inspected is indistinguishable from marketing. The full architecture is in the audit trail standard.

Run it on us

Fair is fair. Question one: our rules are a public 42-article constitution. Question two: the canonical text publishes a SHA-256 hash. Question three: the public ledger records actions, denials, and corrections. Questions four and five: the oversight page documents tiers, quotas, and the kill switch. Question seven: outputs label sources. Question eight: our framework pages claim alignment and evidence, never certification we do not hold. Question nine: the public stats page counts events with no cookies and no personal data. Question ten: everything above is reachable from this paragraph, no NDA, clock yourself. Where we have gaps, our pages say so in plain sentences, because that is the standard we are asking you to hold everyone to.

Use and share

This checklist is plain-language guidance for buyers, not legal or procurement advice. Adapt it freely for RFPs and vendor reviews. For federal buyers, the contractor guide and SDVOSB services page cover set-aside context, and the services page shows what we build. Last verified: July 8, 2026.