Get Started

Procurement

Enterprise AI procurement

A documentation-grade reference for evaluating AI vendors: security review, compliance review, vendor risk, AI governance and a reusable procurement checklist.

Review Privian BlueprintOpen Trust Center

Definition

Enterprise AI procurement is the coordinated security, compliance, vendor-risk, governance and commercial review an organization runs before adopting an AI vendor or feature, ending in a documented decision with conditions and review cadence.

Overview

What enterprise AI procurement involves

Enterprise AI procurement is no longer a software-purchase exercise. Security, compliance, procurement, architecture and legal all need a defensible answer to one question: "what happens to our data inside this vendor's system?" The pages linked from this hub exist to make that answer short, specific and verifiable.

Clarity about the AI data path is more persuasive in a procurement review than any single security claim.

Process

Security review process

Five evenly spaced pillars: data path, retention, access, controls, and governance. Modern AI security reviews combine some or all of these.01Data pathWhat enters / leaves02RetentionPer hop, per role03AccessWho can read what04ControlsMasking · BYOK · models05GovernancePolicy + audit
Enterprise AI review — the five pillarsMost modern AI security reviews reduce to some combination of these.

Framework

AI procurement process

  1. 01

    Intake

    Capture the use case, data classes, model providers and business owner.

  2. 02

    Security review

    Data handling, retention, encryption, authentication, logging, incident response.

  3. 03

    Compliance review

    GDPR/DPA, sectoral rules, subprocessor map, data residency.

  4. 04

    Risk assessment

    Operational, privacy, dependency, exposure and governance risk.

  5. 05

    Governance review

    Model use policy, human oversight, audit trail, change control.

  6. 06

    Approval

    Documented decision, conditions, review cadence, sunset criteria.

The process is the same whether the vendor is a model provider, a gateway like Privian, or a SaaS product that embeds a model. The depth at each step scales with the data classes involved.

Compliance

Compliance review process

The compliance review confirms that the vendor's data handling, subprocessor map and contractual posture are compatible with the buyer's obligations. For European buyers this includes GDPR (lawful basis, data minimisation, transfer mechanism), a DPA, and an up-to-date subprocessor list. Sectoral rules (HIPAA, PCI, financial-services regulation, the EU AI Act) apply on top.

Framework

Core compliance checks

  1. 01

    Lawful basis & purpose

    Is the use case compatible with how the data was originally collected?

  2. 02

    Data minimisation

    Are only the fields needed for the AI feature actually reaching the model?

  3. 03

    Transfer mechanism

    Where does the data physically travel, and under which transfer regime?

  4. 04

    Subprocessors

    Which third parties does the vendor rely on, and are they on the buyer's allow list?

Privian's posture: see GDPR & LLMs, DPA, subprocessors and the security resource.

Vendor risk

Vendor risk assessment

From top to bottom: governance and policy, application minimization, a gateway that masks and routes, the BYOK provider boundary, and provider-side controls.01 · Governance & policyDocuments intent02 · Application minimizationDrops fields upstream03 · Gateway: mask + route + retainIn the request path04 · BYOK provider boundaryCustomer owns the key05 · Provider-side controlsTier, retention, region
Layered AI controlsNo single layer is sufficient. Each compensates for the others' gaps.

A vendor risk assessment looks across six dimensions — operational, privacy, compliance, dependency, data exposure and governance — and asks where the failure modes are and what compensates for them. The full framework lives in the AI vendor risk assessment article.

Framework

AI vendor risk dimensions

  1. 01

    Operational

    Availability, capacity, change control, runbook quality.

  2. 02

    Privacy

    What the vendor sees and stores, in raw or processed form.

  3. 03

    Compliance

    Fit with GDPR, sectoral rules, contractual obligations.

  4. 04

    Dependency

    Lock-in to a single provider, model or routing layer.

  5. 05

    Data exposure

    Cross-tenant, cross-region or cross-customer leakage paths.

  6. 06

    Governance

    Audit trail, human oversight, model-use policy, sunset criteria.

Governance

AI governance review

An AI governance review is about the controls that survive the purchase: the model-use policy, who can approve new use cases, how human oversight is wired in, what is logged for audit, and the conditions under which the feature is retired. Vendors should make it easy for buyers to wire these controls in — not require them to be invented.

Framework

Governance checkpoints

  1. 01

    Model-use policy

    Which models are allowed for which data classes, and who owns the list.

  2. 02

    Human oversight

    Where a human is in the loop, and how that is enforced.

  3. 03

    Audit trail

    What is logged about model use, by whom and with what retention.

  4. 04

    Sunset criteria

    Conditions under which the feature is paused or removed.

Checklist

Procurement checklist

A short, reusable checklist for AI vendor reviews. The full questionnaire framework is in the AI security questionnaire article.

Data handling

  • What prompt data reaches the model and in what form?
  • Which fields are masked, redacted or dropped before egress?
  • Are responses post-processed before they return to the application?
  • Is anything retained in raw form, and for how long?

Authentication & credentials

  • How are vendor API keys issued, rotated and revoked?
  • Are provider credentials BYOK or pooled?
  • How are keys protected at rest, and what metadata is exposed?

Logging & observability

  • What is logged on the request hot path, and what is sanitized?
  • Who can read logs, and under what controls?
  • What is the retention window for logs, metrics and traces?

Compliance & subprocessors

  • Is there a DPA and a current subprocessor list?
  • What is the data residency story per provider?
  • Does the vendor publish a Trust Center or equivalent?

Incident response

  • Is there a documented incident-response plan with notification timing?
  • What is the security-contact path?
  • Are post-incident write-ups published or shared on request?

Blueprint

Privian Blueprint

Related resources

Where to go next

FAQ

Frequently asked questions

What does enterprise AI procurement involve?
Five overlapping reviews: a security review of the vendor's controls and data handling, a compliance review (GDPR/DPA, sectoral rules), a vendor risk assessment, an AI governance review (model use, retention, human oversight) and a commercial / contractual review. The order varies; the set does not.
How does Privian fit into a procurement review?
Privian is a single, narrow hop in the AI data path — masking before egress, BYOK to the provider, rehydration on the response, zero raw retention. The Privian Blueprint answers most procurement and security questionnaires in one document, with links into the data path, architecture and trust pages for depth.
What documents should an AI vendor provide?
Typically: a data-path description, a subprocessor list, an architecture overview, a security and retention policy, a DPA, an incident-response summary, and answers to the buyer's specific security questionnaire. Privian publishes all of these on the Trust Center and ships the Blueprint as a single PDF.
Is this page a compliance framework?
No. It is a buyer-facing reference for organising an AI vendor evaluation. Compliance regimes (GDPR, SOC 2, HIPAA, the EU AI Act) sit on top of it. The page links to the specific Privian assets that procurement teams routinely request.