What is AI procurement and contracting?
Global AI regulation
AI procurement and contracting is the process of buying AI from another party in a way that turns risk, legal duties and operational expectations into enforceable terms. It covers pre-award diligence, tender questions, representations, data and IP terms, audit rights, logging, incident reporting, change control, human oversight, and exit planning. In practice, it is how a buyer makes a third-party AI system governable before use and controllable after deployment.
What this means
AI procurement is not just ordinary software buying with new jargon. When an organisation acquires an AI tool, model, API, platform feature or bespoke system from someone else, it may be relying on training data it did not assemble, models it cannot fully inspect, and update cycles it does not control. That creates a different buying problem from standard IT purchasing.
The procurement part is the front end. It asks whether AI is appropriate at all, what use is intended, how risky the use is, what the supplier must disclose, and what evidence the buyer needs before award. The contracting part is the legal instrument that carries those answers forward into obligations, rights, restrictions and evidence requirements.
It is also narrower than a full third-party AI risk management programme. Third-party AI risk management covers the whole lifecycle. AI procurement and contracting is the point where the organisation translates broad governance expectations into specific vendor questions, schedules, approvals, controls and escalation routes.
Why it matters
Many organisations now deploy AI they did not build. That can be efficient, but it also means important design choices may sit outside the buyer's direct control. The buyer may still carry the practical burden if the system is inaccurate, unfair, insecure, hard to explain, hard to switch off, or incompatible with data protection, public law or sector expectations.
This is why AI procurement matters in regulation and governance. It is one of the main mechanisms that turns abstract duties such as transparency, human oversight, logging, privacy, security, documentation and accountability into something operational. If those controls are not built into the buying process and the contract, the organisation can end up responsible for the effects of a system without having the leverage or evidence needed to manage it.
How it works
Start with the use case and the role map
AI procurement starts by defining what is actually being bought and how it will be used. A buyer might be purchasing access to a model through an API, a finished application, an embedded AI feature inside another product, a bespoke build, or an integration layer that combines multiple third-party components. Those options look similar in a sales process, but they create different dependencies and different legal roles.
That role map matters because AI laws and control frameworks often attach duties to the role being performed, not just to the product label. Under the EU AI Act, responsibilities are spread across providers, deployers, importers, distributors and other parties in the value chain. A third party that changes intended purpose, makes a substantial modification, or puts its own name on a high-risk system can shift into provider obligations. For a buyer, that means procurement has to identify early whether the organisation is only a deployer, or whether its integration choices could move it into a heavier compliance position.
At this stage, the organisation should also decide whether the procurement needs enhanced control. Key triggers usually include use in decisions about people, use in public services, use of personal data, reliance on a general-purpose model or multiple sub-processors, difficult explainability, safety implications, cross-border data movement, or a critical dependence on the supplier for monitoring and maintenance.
Ownership usually sits with procurement or commercial leads and legal counsel, but the content must come from a multidisciplinary group. In practice that means technical owners, privacy, security, records, service operations, and the business team that will rely on the system in live use.
Turn AI risk into tender questions
Once the intended use is clear, the organisation turns risk into structured diligence. Official guidance is notably consistent on this point. Buyers should ask not just what the system does, but how it is built, what data it relies on, how it is tested, how it changes over time, and what restrictions apply to inspection, challenge and exit.
For many procurements, the core questions are durable. What is the model type and system architecture. What third-party models, data, tools or plug-ins sit underneath it. What categories of data were used for training, fine-tuning or reference retrieval. What information can be given about provenance, licensing and rights. What performance testing has been done, under what conditions, and with what limitations. What instructions for use, technical documentation, logs and support contacts will be available. What hosting, geographic transfer, retention or secondary-use practices apply. What human oversight assumptions does the system make. How are incidents, vulnerabilities and material changes reported. What fallbacks exist if the service is degraded, withdrawn or no longer suitable.
Good AI procurement also tests the supplier's operational maturity, not just the product description. NIST's playbook and GenAI profile both push buyers toward documentation of third-party components, independent testing and verification processes, monitoring plans, legal compliance checks, release-cycle awareness, and clear handling of vulnerabilities and external dependencies. UK government guidance similarly points buyers toward model and data questions, explainability, independent audit where useful, and early consideration of lock-in, liability, training and end-of-life.
This is the point where the organisation should decide what evidence must exist before contract signature. That usually includes technical and user documentation, risk assessments, privacy materials where personal data is involved, security materials, supplier responses on model limitations, sub-processor information, and a documented escalation path for incidents and changes.
Write clauses that allocate responsibility, not just risk
A strong AI contract does more than shift liability. It makes the system governable. In practice, this means using the contract to define purpose, transparency, control points, evidence creation and cooperation duties.
The first class of clauses covers vendor representations and factual commitments. Depending on the use case, buyers often seek representations about the supplier's authority to provide the system, the rights attached to data and model components it brings into the service, the accuracy of information supplied during procurement, the existence of known material limitations, and the supplier's ability to back up important performance, security or provenance claims. For generative AI, NIST specifically points buyers toward ownership, usage rights, quality standards, security requirements, provenance expectations, due diligence on IP and privacy risk, and contractual risk controls including indemnity language and dispute mechanisms where appropriate.
The second class covers data and privacy. If the supplier processes personal data on the buyer's behalf, ordinary procurement terms are not enough. The contract also needs controller-processor terms. GDPR Article 28 is the clearest mature example of what that means: documented instructions, confidentiality, security measures, sub-processor controls, assistance with rights requests and impact assessments, return or deletion of data at the end of service, and access to information needed for audits and inspections. If data leaves the relevant legal area, international transfer clauses may also be needed. This is where data-residency and data-sovereignty questions come into the contract, even though they are not the same topic as AI procurement itself.
The third class covers AI-specific documentation and operating controls. The AI buyer usually needs technical documentation, instructions for use, logging arrangements, human oversight requirements, accuracy and robustness thresholds, cybersecurity expectations, incident notification, and change control. The EU public buyer model clauses are useful because they lay these topics out plainly: risk management, data and data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, cybersecurity, dataset rights, handover and indemnities. Even where those clauses are not used directly, they show the current anatomy of a serious AI contract.
The fourth class covers IP, datasets and exit. AI procurement often fails when buyers focus on access during the contract but ignore what happens at the end. Dataset rights, access to exportable records, handover of buyer data, rights to continue using documentation, transition support, knowledge transfer, and decommissioning obligations should be designed up front. That matters not only for continuity but also for reducing lock-in and preserving the evidence needed for later audit or challenge.
Make audit, monitoring and change control real
Audit rights in AI contracts are important, but they are often misunderstood. They are not only about source code access, and they are not useful if left as vague boilerplate. The real question is what the buyer must be able to inspect or verify to operate lawfully and safely in context.
A proportionate audit model usually works best. For lower-risk uses, that may mean rights to review policies, documentation, logs, incident notices, test summaries, system instructions and sub-processor lists. For higher-risk uses, it may extend to deeper technical information, access for independent assessors, real-time or periodic log access, validation of change controls, and evidence that the supplier is maintaining the controls promised at award. NIST's playbook is especially clear that third-party AI should be documented, tested, monitored and subjected to documented risk controls. It also notes that transparency should be supported without forcing unnecessary disclosure of proprietary algorithms.
Monitoring after signature is just as important as pre-award diligence. Many AI systems change through retraining, tuning, model substitution, feature updates, modified thresholds, or shifting external dependencies. Contracts therefore need a practical change-management regime. Buyers usually need notice of material changes, a right to re-assess impact when the system changes, the ability to pause or narrow use when risk rises, and a fallback process if a critical model or service is disabled. For generative AI in particular, NIST points to contingency planning, incident response, management of third-party dependencies, and review of non-standard vendor terms that may amplify or defer liability in unexpected ways.
This monitoring layer is also where record retention becomes a governance asset. Good procurement and contracting should produce an evidence trail, not just a signed agreement. That evidence usually includes tender responses, technical schedules, privacy schedules, risk assessments, approvals, logs, change notices, incident records, review reports, training records and exit materials. Together, those records help the organisation answer regulators, auditors, customers, boards and internal reviewers.
Adapt the control set to public sector and high-impact uses
Public sector and other high-impact environments often need more structure because the buyer must be able to justify the use of AI in administrative or rights-affecting settings, not merely run a procurement process.
The UK government's AI procurement guidance shows one route. It treats AI buying as a multidisciplinary exercise, calls for a data assessment before going to market, expects buyers to remain open to non-AI approaches, asks for transparency about models and training data, encourages thinking about independent audits, pushes against black-box dependence, and brings liability, training, maintenance and end-of-life into the procurement design. This is guidance rather than binding law, but it is influential because it translates broad governance aims into concrete procurement practice.
Canada's federal framework adds a more formal assessment layer for automated administrative decision systems. The Algorithmic Impact Assessment is mandatory for systems in scope, assigns impact levels, and links those levels to scaled requirements. The official guidance expects privacy and legal consultation, documentary evidence for AIA responses, updates when system functionality or scope changes, and appropriate privacy clauses in contracts with outside vendors. The peer review guidance adds another operational layer by expecting publication of peer review for projects at impact level 2 or above and by listing the kinds of documentation reviewers should receive, including audit trails, system documentation, data provenance, risk mitigation, supply chain security materials and procurement details for third-party systems.
In the EU, the legal position is stronger still. The AI Act imposes binding duties on high-risk system providers and deployers, including written arrangements along the value chain, technical and organisational measures for use in line with instructions, human oversight, monitoring, log retention, and in some cases a fundamental rights impact assessment before deployment. The right to explanation for certain individual decisions gives buyers another reason to contract for enough transparency and cooperation to explain how the system influenced a decision. The EU public buyer model clauses are not law and are written for public organisations, but they are a practical bridge between the Act's legal duties and day-to-day purchasing.
Know what this mechanism can and cannot do
AI procurement and contracting is powerful, but it is not magic. A contract cannot make an opaque system explainable if the supplier cannot technically support explanation. It cannot cure weak internal governance. It cannot remove the need for impact assessment, logging, staff training, human review or post-deployment monitoring. It can only secure the rights, duties, evidence and cooperation the organisation needs in order to govern the system properly.
It also needs proportion. Not every AI feature justifies a heavy high-risk clause set. The EU public buyer commentary is helpful here because it explicitly recognises lighter and fuller variants, and it explains that even non-high-risk uses may still call for contractual terms on risk management, data governance, technical documentation, dataset rights and registers. The point is not to copy the harshest drafting into every deal. The point is to match the control set to the use case.
Finally, legal status differs across instruments. NIST's framework and profiles are voluntary. The UK procurement guidance is a government toolkit. Canada's federal framework is a public-sector policy instrument. The EU AI Act and GDPR are binding legal regimes. Good AI procurement recognises that mix and uses the voluntary material to operationalise the binding material, not to replace it.
Examples
A public authority in the EU wants to buy a system that will fall into a high-risk category under the AI Act. Before deployment, it needs enough supplier information to use the system in line with instructions, assign meaningful human oversight, keep logs, and, where the Act requires it, complete a fundamental rights impact assessment. The public buyer can use the EU model clauses as a drafting template for risk management, data governance, technical documentation, transparency, human oversight, cybersecurity, dataset rights and handover.
A Canadian federal department wants to procure an automated decision tool for an administrative process. The project team completes the Algorithmic Impact Assessment at design stage and again before production. If the project reaches impact level 2 or above, it commissions peer review and publishes the review or a plain-language summary before the system goes live. The review pack is expected to include audit trails, model and system documentation, data provenance, privacy materials, risk mitigation, supply chain security information for externally developed or procured software, and procurement details for third-party systems.
A UK public body is considering an externally supplied AI tool to support service triage. Before tender, it runs a data assessment, documents why AI is relevant to the problem, and keeps the requirement open enough for suppliers to propose different approaches. In the invitation to tender, it asks about algorithms, data origin, model limitations, explainability, possible independent audit, IP arrangements, training, support and end-of-life. It then carries those points into the contract so the supplier's promises do not disappear after award.
Common misunderstandings
A common misunderstanding is that if the supplier says it is "compliant", the buyer is covered. In reality, buyers often keep their own duties as deployers, controllers, employers, service providers or regulated firms. Supplier compliance helps, but it does not replace the buyer's obligations.
Another mistake is to treat AI procurement as mainly a security review. Security matters, but AI contracts also need documentation, data governance, human oversight, explainability, logging, change control, IP and exit planning.
Some teams assume audit rights always mean source code access. They do not. A workable audit model can be layered and proportionate. It may rely on documentation, logs, testing records, independent assurance and incident reporting, with deeper access reserved for higher-risk cases.
It is also wrong to think procurement is finished when the contract is signed. AI systems can change materially after award. Monitoring, retriggering assessments, reviewing releases, and keeping evidence are part of the procurement control logic, not an optional extra.
Finally, many teams think this only matters for public-sector or obviously high-risk uses. The legal intensity is higher there, but the same procurement logic also matters for lower-risk deployments when the system involves personal data, confidential data, important business processes, customer-facing content or hard-to-replace dependencies.
Risks and boundaries
AI procurement and contracting is not the same thing as an AI policy, an AI management system, or a full third-party AI risk management programme. It is one mechanism inside that wider governance stack. If internal approval, monitoring, records, escalation and staff training are weak, even a well-drafted contract will underperform.
There are also hard transparency limits. Some suppliers, especially around general-purpose and generative models, may not be able or willing to provide deep information about training data, model internals or upstream dependencies. That does not mean the buyer has to accept the gap. It means the buyer must decide whether lighter use, stronger human review, narrower data exposure, or non-procurement is the safer route.
Public model clauses also have limits. The EU MCC-AI commentary states plainly that the model clauses are not a full agreement. They do not replace the rest of the contract on payment, delivery, applicable law, acceptance or general liability. They also were not drafted specifically for general-purpose AI procurement, although they can still provide useful structure.
Some legal and operational details are still moving. Under the EU AI Act, harmonised standards are still developing, and the AI Office may publish voluntary model terms for contracts in high-risk AI value chains. That means buyers should avoid pretending that one template will settle every question for every model type or jurisdiction.
What to do next
First, decide which purchases need enhanced AI procurement. Not every AI feature requires the same level of diligence. Build a simple intake that classifies intended use, people impact, data sensitivity, external dependencies, explainability demands and replacement difficulty.
Second, create a reusable clause and evidence library. Separate baseline supplier terms from enhanced AI schedules so teams can scale controls up or down. Include data processing terms, logging, incident notice, change control, human oversight, documentation, dataset rights, audit rights and exit support where relevant.
Third, insist on evidence, not broad assurances. Ask what documentation will be available before award, what records will be retained during use, what changes must be notified, and what the supplier will hand over at exit. If the system is too important to trust blindly, it is important enough to document properly.
Fourth, link the buying process to the rest of your governance. Procurement should feed your AI policy, your AI management system, your third-party AI review, your data-location decisions and your record-retention approach. If these sit in silos, contract controls will drift away from operational reality.
Finally, train the people who buy and manage contracts. Commercial, legal, privacy, security and product teams need a shared vocabulary for model risk, data rights, explainability, monitoring and decommissioning. AI procurement becomes repeatable only when the organisation knows which questions to ask and what evidence is acceptable.
FAQs
Is AI procurement just software procurement with a new label?
No. It includes software buying, but it also deals with model opacity, training and reference data, changing system behaviour, human oversight, evidence retention, and value-chain dependencies that ordinary software contracts often leave implicit.
Who should own AI procurement and contracting inside an organisation?
Usually procurement or commercial and legal teams own the process, but they should not work alone. Effective ownership also needs technical, privacy, security, records, operations and business input.
What are the minimum AI-specific clauses to think about?
At minimum, think about intended purpose, documentation, data use, logging, incident reporting, change control, human oversight, performance testing, sub-processors, audit access, and exit or handover. Personal-data use may also require a dedicated data processing schedule.
Do I always need audit rights?
Not always in the same form, but some verification right is usually sensible. The higher the impact and the less transparent the system, the stronger the case for document review, log access, independent assurance, and structured change reporting.
How is this different from a data processing agreement?
A data processing agreement covers privacy duties where the supplier processes personal data for the buyer. AI procurement and contracting is broader. It also covers model documentation, explainability, performance, human review, incident handling, IP, continuity and exit.
What if the supplier relies on foundation models or other upstream providers?
Then the contract should address upstream dependency risk directly. Ask about sub-processors, model substitutions, release cycles, fallback plans, notice of changes, data use by upstream providers, and what transparency the supplier can realistically pass through.
When should we walk away from a supplier?
A buyer should be prepared to walk away when the supplier cannot provide the level of documentation, control, incident cooperation or exit support the use case needs, especially where the system affects people, public functions, sensitive data or critical operations.