Govern AI procurement with enforceable controls and supplier accountability
This 3,300-word playbook helps procurement, legal, and AI governance teams vet AI suppliers, negotiate compliant contracts, and monitor obligations across EU, U.S., and UK regimes.
Updated with European Commission supplier withdrawal guidance ahead of the Article 5 ban, U.S. OMB M-24-10 Appendix C evidence packs, and UK Crown Commercial Service procurement guidelines.
Reference Zeph Tech research: EU AI Act prohibited practice supplier cutover, OMB M-24-10 safety-impacting AI controls, U.S. Department of Labor worker-centered AI principles, EU Data Act AI portability drills.
Executive overview
Enterprises cannot rely on boilerplate vendor diligence when procuring AI services. Regulation (EU) 2024/1689 assigns joint responsibility to providers and deployers for high-risk systems, requiring contractually enforceable access to technical documentation, risk management evidence, and post-market monitoring data [Regulation (EU) 2024/1689]. U.S. OMB Memorandum M-24-10 compels agencies to collect independent evaluation artefacts, incident response commitments, and transparency disclosures from suppliers before deployment [OMB M-24-10]. UK Crown Commercial Service guidance instructs public buyers to embed ethics, accountability, and sustainability clauses into AI procurements, expecting equivalent diligence from private-sector participants [Guidelines for AI procurement].
This guide provides the structure required to align procurement pipelines with those mandates. It defines intake workflows that classify AI use cases, due diligence routines that collect technical and socio-technical evidence, contract controls that enforce transparency and audit rights, and monitoring cadences that keep supplier portfolios compliant. Cross-functional stakeholders—procurement officers, CAIOs, legal counsel, third-party risk managers, security, and HR—receive clear responsibilities tied to regulatory references.
Readers will learn how to integrate Zeph Tech’s nightly research into sourcing decisions: Article 5 withdrawal briefings inform vendor offboarding plans, OMB safety-control updates drive Appendix C questionnaires, Department of Labor principles guide workforce impact reviews, and Data Act portability coverage ensures exit readiness. The goal is an accountable procurement programme that anticipates audits, prevents shadow AI usage, and supports innovation without compromising compliance.
A closing roadmap details the first ninety days of standing up or remediating AI procurement governance, followed by a maturity model to assess progress. Supporting checklists, templates, and metrics help organisations demonstrate due diligence to regulators, customers, and investors.
Policy drivers shaping AI procurement
EU AI Act. Articles 25–30 impose obligations on providers to establish quality management systems, supply technical documentation, log automatic events, and cooperate with market surveillance authorities [Regulation (EU) 2024/1689]. Deployers must ensure that providers meet those obligations and must retain the ability to prove compliance when authorities request evidence. Contracts must therefore include rights to obtain Annex IV documentation, notified-body certificates, and incident reports.
U.S. OMB M-24-10. Sections 5, 8, and 9 require agencies to inventory AI use cases, assess risks before procurement, embed contract terms mandating performance guarantees and transparency, and publish annual reports covering AI deployments [OMB M-24-10]. Suppliers must deliver evaluation artefacts, incident reporting commitments, and human oversight plans. Commercial vendors supporting public-sector customers should align their standard offerings with these expectations to remain competitive.
UK Crown Commercial Service. The UK government’s AI procurement guidelines emphasise risk management, ethics, explainability, and responsible data use [Guidelines for AI procurement]. They recommend multi-disciplinary buying teams, supplier transparency questionnaires, and post-award performance reviews. Even outside the public sector, these guidelines offer a structured approach for evaluating supplier maturity.
Sector-specific mandates. The DoD’s Responsible AI Toolkit provides acquisition checklists covering governance, warfighter trust, and lifecycle support commitments for defence programmes [DoD RAI Toolkit]. Financial regulators, such as the Monetary Authority of Singapore, require fairness testing evidence for AI used in credit or insurance, which must be reflected in vendor contracts. Healthcare buyers must align with FDA software-as-a-medical-device guidance, while employment-focused systems must satisfy Department of Labor worker protections.
Procurement governance must integrate all these drivers into a single playbook. The following sections detail how to operationalise that playbook.
Intake and screening
Start by establishing a central intake portal for all AI-related procurement requests. Require requesters to describe the intended purpose, data inputs, affected stakeholders, automation boundaries, and whether the system influences safety, rights, or financial outcomes. Align intake questions with EU AI Act risk tiers, OMB M-24-10 use case categories, and internal risk taxonomies.
Screen each request for regulatory scope. Use decision trees that identify prohibited practices, high-risk categories, GPAI dependencies, or workforce impact triggers. Requests that may fall under Article 5 prohibitions should be automatically rejected or escalated to legal review, referencing Zeph Tech’s supplier cutover briefing for immediate actions.
Assign risk ratings using scoring models that account for impact severity, data sensitivity, model autonomy, transparency, and human oversight availability. Systems flagged as high risk trigger enhanced due diligence, independent evaluation requirements, and executive approval. Low-risk automations can follow expedited procurement paths with periodic reassessment.
Maintain intake records in the enterprise AI inventory, linking procurement requests to existing systems, evaluations, and incident history. This ensures that the evaluation programme described in the companion guide can reference procurement context and avoids duplicative purchases.
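The screening decision tree and scoring model described above, as an added example in Python (not the playbook's own tooling); the 0-3 factor scale, the weights and the thresholds are constructed assumptions that an organisation would replace with its own risk taxonomy:

```python
"""Intake screening and risk rating for AI procurement requests (added
illustration; the 0-3 factor scale, weights and thresholds are constructed
assumptions, not values from the playbook or from any regulation)."""
from dataclasses import dataclass, field
from enum import Enum

class Tier(str, Enum):
    PROHIBITED = "prohibited"  # Article 5 practice: reject or escalate to legal review
    HIGH = "high"              # enhanced diligence, independent evaluation, executive approval
    LIMITED = "limited"        # standard diligence
    MINIMAL = "minimal"        # expedited path with periodic reassessment

@dataclass
class IntakeRequest:
    purpose: str
    prohibited_practice: bool = False        # legal pre-screen flagged an Article 5 practice
    affects_safety: bool = False
    affects_rights: bool = False
    affects_financial_outcomes: bool = False
    workforce_impact: bool = False           # HR or workplace analytics use
    gpai_dependency: bool = False            # built on a general-purpose AI model
    # Scoring factors on a constructed 0-3 scale (0 = negligible, 3 = severe).
    impact_severity: int = 0
    data_sensitivity: int = 0
    model_autonomy: int = 0
    transparency_gap: int = 0                # 3 = no documentation or explainability offered
    oversight_gap: int = 0                   # 3 = no meaningful human oversight available

@dataclass
class Decision:
    tier: Tier
    score: int
    triggers: list = field(default_factory=list)
    actions: list = field(default_factory=list)

# Constructed weights: impact severity and oversight dominate; maximum score is 30.
WEIGHTS = {"impact_severity": 3, "data_sensitivity": 2, "model_autonomy": 2,
           "transparency_gap": 1, "oversight_gap": 2}
HIGH_THRESHOLD = 18     # score at or above this is high risk even without a trigger
MINIMAL_THRESHOLD = 6   # score at or below this may take the expedited path

def risk_score(req: IntakeRequest) -> int:
    """Weighted sum of the five scoring factors, after validating the scale."""
    for name in WEIGHTS:
        if not 0 <= getattr(req, name) <= 3:
            raise ValueError(f"{name} must be between 0 and 3")
    return sum(WEIGHTS[name] * getattr(req, name) for name in WEIGHTS)

def screen(req: IntakeRequest) -> Decision:
    """Decision tree first (prohibited, then high-risk triggers), then the score."""
    score = risk_score(req)
    if req.prohibited_practice:
        return Decision(Tier.PROHIBITED, score, ["prohibited_practice"],
                        ["reject or escalate to legal review"])
    triggers = [name for name in ("affects_safety", "affects_rights",
                                  "affects_financial_outcomes") if getattr(req, name)]
    if triggers or score >= HIGH_THRESHOLD:
        tier, actions = Tier.HIGH, ["enhanced due diligence", "independent evaluation",
                                    "executive approval"]
    elif score <= MINIMAL_THRESHOLD and not (req.workforce_impact or req.gpai_dependency):
        tier, actions = Tier.MINIMAL, ["expedited procurement", "periodic reassessment"]
    else:
        tier, actions = Tier.LIMITED, ["standard due diligence"]
    if req.workforce_impact:   # Department of Labor principles apply regardless of tier
        triggers.append("workforce_impact")
        actions.append("workforce impact review")
    if req.gpai_dependency:    # provider documentation and GPAI obligations to check
        triggers.append("gpai_dependency")
        actions.append("GPAI provider documentation review")
    return Decision(tier, score, triggers, actions)
```

The returned `Decision` is what the intake portal would write into the AI inventory record alongside the request.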
Due diligence playbook
Due diligence must validate supplier claims and gather documentary evidence. Build a questionnaire that covers governance, data management, model development, evaluation, security, privacy, workforce impact, and sustainability. Align questions with NIST SP 1270 bias management techniques, ISO/IEC 42001 governance clauses, and OMB Appendix C expectations [NIST SP 1270; OMB M-24-10].
Collect primary artefacts: model cards, data sheets, risk assessments, evaluation reports, vulnerability management policies, access controls, and incident response playbooks. Require vendors to share Annex IV technical documentation or equivalent summaries, even if conformity assessments are pending. For workforce-impacting systems, demand evidence that vendors align with Department of Labor AI principles.
Perform reference checks with existing customers and verify claims via third-party audits (SOC 2, ISO/IEC 27001, ISO/IEC 42001, or sector-specific certifications). Cross-reference public enforcement actions, regulatory filings, and academic research to validate vendor track records.
Document diligence findings in a risk register. For high or critical findings, design remediation plans with clear deadlines. Procurement should withhold award decisions until required controls are implemented or compensating controls are approved by governance bodies.
Contracting controls
Contracts must enforce transparency, accountability, and resilience. Key clauses include:
- Transparency and documentation. Suppliers must provide technical documentation, training data summaries, evaluation reports, and model update notices on defined schedules. Align deliverables with Annex IV, Annex VIII, and Appendix C artefacts.
- Performance guarantees. Set measurable service levels for accuracy, availability, latency, safety filter efficacy, and human oversight integration. Define remedies, credits, or termination rights for failures.
- Audit and access rights. Reserve rights to inspect systems, data, and controls, either directly or via third-party assessors. Require cooperation with regulators, including EU market surveillance authorities, the European AI Office, or U.S. inspectors general.
- Incident response. Mandate 24-hour notification for incidents meeting OMB Section 7 thresholds or EU AI Act serious incident criteria. Define joint investigation protocols and evidence sharing [OMB M-24-10].
- Change management. Require advance notice for model retraining, new features, or deprecations. Allow customers to test updates before production and to delay deployment if safety or compliance concerns arise.
- Switching and exit support. Incorporate EU Data Act Article 23 switching rights by mandating export tooling, fee caps, and assistance transferring data, embeddings, and configuration artefacts [EU Data Act].
- Workforce protections. For HR or workplace analytics tools, enforce compliance with Department of Labor principles, worker notification, contestability, and bias mitigation obligations.
Support clauses with clear schedules, templates, and penalty structures. Maintain a contract library that tracks clause adoption and renewal dates so procurement teams can monitor adherence.
Supplier monitoring and change control
Post-award governance ensures suppliers continue to meet obligations. Establish quarterly business reviews that assess performance metrics, compliance status, incident history, and roadmap changes. Include evaluation leads, security, privacy, and business owners in the review.
Implement automated monitoring where possible. Track service performance via APIs, collect model telemetry, and integrate vendor notifications into ticketing systems. Align monitoring thresholds with the incident response guide to ensure serious events trigger escalation.
Maintain a supplier scorecard that includes regulatory alignment (EU AI Act, OMB M-24-10, Crown Commercial Service guidelines), evaluation coverage, workforce impacts, and exit readiness. Update risk ratings based on findings and drive remediation through contractual mechanisms.
For systemic-risk suppliers—such as foundation model providers—align monitoring with European AI Office expectations documented in Zeph Tech’s GPAI safety testing drills. Participate in provider-run transparency briefings and request participation in shared assurance initiatives like AISIC.
Cross-border contracting scenarios
Global procurement teams must reconcile divergent legal regimes when negotiating a single AI service. Start by mapping applicable jurisdictions—EU, U.S., UK, Singapore, and others—and associating each with statutory obligations and documentation expectations. The EU AI Act requires deployers to ensure providers comply with quality management, logging, and technical documentation duties, even when providers are established outside the Union [Regulation (EU) 2024/1689]. Contracts with non-EU vendors should explicitly reference these duties, mandate data localisation where necessary, and provide cooperation clauses for market surveillance authorities.
U.S. federal-style procurements may require suppliers to align with FedRAMP, FISMA, or agency-specific privacy and civil-rights safeguards in addition to OMB M-24-10 controls. Document how vendors segregate federal workloads, protect controlled unclassified information, and respond to inspector general inquiries [OMB M-24-10]. For UK buyers, reference the Crown Commercial Service’s AI frameworks, which emphasise explainability, ethics assessments, and ongoing assurance [Guidelines for AI procurement].
Include jurisdictional annexes detailing documentation flows, escalation contacts, and regulatory deadlines. Annexes should identify which party submits EU AI Act technical files, which team handles U.S. Appendix C reporting, and how UK public interest disclosures will be managed. Maintain translation-ready templates and designate local counsel or compliance officers to handle regulator outreach when incidents arise.
Supply-chain transparency is equally critical. Require upstream providers to disclose sub-processors, model dependencies, and evaluation attestations. Incorporate flow-down clauses so subcontractors uphold the same transparency, security, and incident reporting obligations as prime vendors. Maintain a cross-border dependency map linking each supplier to regulatory filings and risk assessments so procurement, security, and legal teams can respond quickly to new requirements.
Operational collaboration patterns
AI procurement governance succeeds when sourcing, engineering, security, privacy, and workforce leaders collaborate continuously. Establish regular cadence meetings that review intake backlogs, diligence findings, evaluation results, and incident trends. Invite engineering or platform leads to demonstrate how vendor APIs integrate with internal systems, highlighting telemetry coverage and guardrails documented in Zeph Tech’s evaluation and incident response guides.
Coordinate procurement analytics with finance and budgeting. Track spending against business outcomes, savings, and risk reduction metrics. Link cost projections to evaluation and monitoring requirements—high-risk systems should include budget for red-teaming, external audits, or independent testing services. When procurement teams flag savings opportunities, confirm that proposed changes do not compromise regulatory documentation or evidence retention obligations.
Engage internal audit early. Provide auditors with access to procurement policies, clause libraries, diligence repositories, and monitoring dashboards. Schedule joint walkthroughs that follow a transaction from intake to renewal, demonstrating how documentation is captured at each step. This collaboration reduces audit findings and surfaces process improvements.
Finally, build feedback loops with business stakeholders. Collect satisfaction scores, remediation cycle times, and qualitative feedback from product owners, compliance officers, and workforce representatives. Use the data to prioritise training, tooling enhancements, or vendor replacements. Publishing quarterly summaries strengthens executive confidence and supports board oversight.
Public-sector alignment
Enterprises selling into the public sector must align with procurement-specific guidance. The U.S. General Services Administration’s AI Guide for Government outlines acquisition planning, evaluation factors, and risk mitigations for agencies [GSA AI Guide]. Vendors should map their capabilities to the guide’s checklists and be prepared to deliver documentation covering data governance, evaluation, security, and ethics.
Defence suppliers must implement the DoD Responsible AI Toolkit’s acquisition worksheets, covering mission alignment, data management, testing, human factors, and sustainment [DoD RAI Toolkit]. Contracts should cite the toolkit explicitly, and programme teams must document compliance for milestone reviews.
In the UK, public buyers expect suppliers to engage with the Crown Commercial Service frameworks, which emphasise transparency, contestability, and environmental considerations. Suppliers should familiarise themselves with the AI Framework Agreement specifications and align their proposals accordingly.
Across jurisdictions, track upcoming regulations such as the EU AI Act implementing acts, Data Act codes of conduct, and U.S. FAR updates on AI. Update procurement playbooks when new rules emerge so proposals remain compliant.
Metrics and reporting
Procurement governance requires metrics that demonstrate control effectiveness. Recommended metrics include:
- Risk-adjusted spend. Percentage of AI spend across risk tiers, highlighting high-risk concentration.
- Diligence completion rate. Share of suppliers with complete documentation sets (Annex IV, Appendix C, evaluation reports, workforce impact analyses).
- Remediation timeliness. Average days to close procurement-related findings, segmented by severity.
- Incident responsiveness. Time from vendor notification to internal escalation and regulator reporting.
- Exit readiness. Number of suppliers with validated switching runbooks in the last twelve months, aligned with EU Data Act obligations.
- Worker protection coverage. Percentage of workforce-impacting vendors contractually bound to Department of Labor principles and subject to regular audits.
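An added worked example (not from the playbook) that computes five of these metrics over a constructed supplier portfolio; incident responsiveness is left out because it needs per-incident timestamps, and the record fields, artefact names and the rule that a workforce impact analysis is required only for workforce-impacting vendors are assumptions:

```python
"""Procurement governance metrics over a constructed supplier portfolio (added
illustration; field names, artefact names and the evidence rule are assumptions,
not the playbook's or any regulator's schema)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

BASE_ARTEFACTS = {"annex_iv", "appendix_c", "evaluation_report"}

@dataclass
class Supplier:
    name: str
    tier: str                      # "high", "limited" or "minimal", from intake screening
    annual_spend: float
    artefacts: set = field(default_factory=set)
    workforce_impacting: bool = False
    bound_to_dol_principles: bool = False
    regularly_audited: bool = False
    last_switching_drill: Optional[date] = None

@dataclass
class Finding:
    supplier: str
    severity: str                  # "critical", "high", "medium" or "low"
    opened: date
    closed: Optional[date] = None  # still-open findings are excluded from averages

def required_artefacts(s: Supplier) -> set:
    # Assumption: a workforce impact analysis is required only for HR/workplace tools.
    return BASE_ARTEFACTS | ({"workforce_impact_analysis"} if s.workforce_impacting else set())

def risk_adjusted_spend(suppliers) -> dict:
    """Percentage of AI spend per risk tier; a large 'high' share is the flag to watch."""
    total = sum(s.annual_spend for s in suppliers)
    by_tier = defaultdict(float)
    for s in suppliers:
        by_tier[s.tier] += s.annual_spend
    return {t: round(100 * v / total, 1) for t, v in by_tier.items()} if total else {}

def diligence_completion_rate(suppliers) -> float:
    # Share of suppliers whose evidence set covers every required artefact.
    complete = sum(required_artefacts(s) <= s.artefacts for s in suppliers)
    return round(100 * complete / len(suppliers), 1) if suppliers else 0.0

def remediation_timeliness(findings) -> dict:
    """Average days to close procurement findings, segmented by severity."""
    days = defaultdict(list)
    for f in findings:
        if f.closed:
            days[f.severity].append((f.closed - f.opened).days)
    return {sev: sum(d) / len(d) for sev, d in days.items()}

def exit_readiness(suppliers, as_of: date) -> int:
    """Suppliers with a validated switching drill in the last twelve months."""
    cutoff = as_of - timedelta(days=365)
    return sum(1 for s in suppliers if s.last_switching_drill and s.last_switching_drill >= cutoff)

def worker_protection_coverage(suppliers) -> float:
    """Share of workforce-impacting vendors bound to DoL principles and regularly audited."""
    scope = [s for s in suppliers if s.workforce_impacting]
    covered = sum(s.bound_to_dol_principles and s.regularly_audited for s in scope)
    return round(100 * covered / len(scope), 1) if scope else 0.0

# Constructed sample portfolio and findings (not real suppliers).
SUPPLIERS = [
    Supplier("screening-vendor", "high", 400_000, BASE_ARTEFACTS | {"workforce_impact_analysis"},
             True, True, True, date(2024, 11, 2)),
    Supplier("doc-summariser", "minimal", 50_000, {"annex_iv", "evaluation_report"}),
    Supplier("fraud-scoring", "high", 300_000, set(BASE_ARTEFACTS), last_switching_drill=date(2023, 1, 15)),
    Supplier("chat-assistant", "limited", 250_000, {"appendix_c", "evaluation_report"}, True, True),
]
FINDINGS = [Finding("fraud-scoring", "high", date(2024, 9, 1), date(2024, 9, 21)),
            Finding("chat-assistant", "high", date(2024, 10, 1), date(2024, 10, 11)),
            Finding("doc-summariser", "low", date(2024, 10, 5))]  # still open
```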
Present metrics to executive committees and boards quarterly. Integrate dashboards with enterprise risk management systems so procurement risks feed into overall risk appetite assessments.
Ninety-day implementation roadmap
The following roadmap helps organisations build or remediate AI procurement governance within one quarter.
Days 1–30: Foundation
- Inventory supplier landscape. Catalogue all AI-related contracts, pilots, and shadow engagements. Identify missing documentation and regulatory exposure.
- Publish procurement policy. Issue an AI procurement policy referencing EU AI Act, OMB M-24-10, Crown Commercial Service guidance, Data Act switching, and Department of Labor principles.
- Stand up intake portal. Configure request forms, risk scoring, and workflow routing. Train business stakeholders on submission expectations.
- Assign governance roles. Form an AI procurement council with procurement, legal, CAIO, security, privacy, and workforce leaders.
Days 31–60: Diligence and contracting
- Deploy diligence questionnaires. Launch harmonised questionnaires and begin collecting artefacts for existing suppliers.
- Standardise contracts. Update master service agreements, statements of work, and purchase order templates with the clause library.
- Implement monitoring dashboards. Build scorecards that pull data from contract repositories, evaluation systems, and incident management tools.
- Conduct supplier workshops. Brief high-value suppliers on new expectations, remediation timelines, and reporting cadence.
Days 61–90: Assurance and optimisation
- Run compliance rehearsals. Simulate regulator requests for Annex IV documentation, Appendix C evidence, and Article 5 withdrawal proof. Measure response times.
- Validate exit plans. Execute Data Act-aligned switching drills for at least two critical suppliers, documenting lessons learned.
- Integrate with risk management. Feed procurement metrics into enterprise risk dashboards and board reports.
- Plan continuous improvement. Schedule quarterly policy reviews, supplier summits, and benchmarking against industry consortia.
Maturity model
| Dimension | Foundational | Managed | Leading |
|---|---|---|---|
| Policy alignment | Ad-hoc supplier vetting with limited reference to AI regulations. | Documented policy mapping EU AI Act, OMB M-24-10, and Crown Commercial Service guidance. | Policy integrated with sector-specific mandates, refreshed quarterly based on regulator updates. |
| Diligence execution | Manual questionnaires, inconsistent evidence collection. | Standardised questionnaires, centralised repository, remediation tracking. | Automated data ingestion, continuous monitoring, third-party assurance integration. |
| Contract governance | Generic terms lacking AI-specific controls. | Clause library deployed, coverage tracked across contracts. | Dynamic clause management tied to risk tier, outcomes-based incentives, and real-time compliance monitoring. |
| Supplier monitoring | Reactive performance reviews. | Quarterly scorecards with incident tracking. | Predictive analytics, integrated telemetry, and joint innovation programmes with suppliers. |
| Exit readiness | Limited awareness of switching obligations. | Documented switching plans for critical suppliers. | Regular rehearsal programme with metrics reported to executives and regulators. |
Use the maturity model to set quarterly objectives and communicate progress to leadership. Integrate findings with the AI governance and incident response guides to maintain a coherent control environment.
Appendix: Artefact checklist
- AI procurement policy referencing EU AI Act, OMB M-24-10, Crown Commercial Service, Data Act, and labor guidance.
- Central intake portal with risk classification logic and audit logs.
- Diligence questionnaire library and evidence repository with version control.
- Contract clause matrix showing coverage across suppliers.
- Supplier scorecards with performance, compliance, workforce, and exit metrics.
- Incident escalation runbooks aligned with vendor notification obligations.
- Switching and termination playbooks validated through rehearsal.
- Board and regulator reporting templates documenting procurement controls.
Maintaining these artefacts demonstrates that procurement decisions are grounded in statutory requirements, verifiable evidence, and continuous monitoring. Coupled with Zeph Tech’s ongoing research feed, the programme keeps AI adoption accountable.