AI Procurement & Vendor Risk
Master AI procurement and vendor-risk management end-to-end. 50 deep dives across 300 lessons covering procurement foundations (buy-vs-build, lifecycle, RACI, policy, maturity), vendor risk management (TPRM, risk tiering, residual risk, concentration risk, governance), vendor due diligence (technical, security, privacy, financial, ethical AI, supply-chain, AIBOM, questionnaires), RFx and vendor selection (AI RFP design, evaluation criteria, demos and POVs, references, award memo), AI contracts and SLAs (master agreements, data rights, IP, SLA design, liability allocation, exit and portability, AI Act-required vendor clauses), ongoing vendor management (performance monitoring, attestation consumption, recertification, change management), vendor incident and exit (incident response, breach notification, termination, data return, exit runbook, vendor substitution), and supply chain and AIBOM (AI bill of materials, model and data supply chains, fourth-party risk).
AI Procurement & Vendor Risk is the track for the people on the buy-side of AI — the procurement leads, third-party risk managers, vendor management offices, contract counsel, security and privacy reviewers, and product owners deciding which AI vendors to hire. Most enterprise AI today is built on third-party components: foundation models from a handful of providers, vector databases, embedding APIs, fine-tuning platforms, agent frameworks, evaluation services, RAG infrastructure, voice and vision APIs, and a long tail of vertical AI SaaS. Every one of those vendors carries risk that the buyer ultimately answers for — performance risk, data risk, IP risk, security risk, regulatory risk, concentration risk, and reputational risk. Procurement and vendor risk is where those risks are surfaced, allocated, and managed.
The lessons here are written for the practitioners who actually run procurement and vendor management for AI. Every topic explains the underlying procurement and risk-management discipline, the AI-specific twist (because AI vendors do not behave like traditional SaaS vendors), the contractual or operational lever that gives the buyer control, and the failure modes (what gets a vendor onboarded that should not have been, what makes a contract unenforceable when an incident occurs, what blows up an exit). The aim is that a reader of the track can run a defensible AI vendor selection, negotiate a fit-for-purpose contract, manage the vendor through the relationship, respond to incidents without losing leverage, and exit cleanly when the time comes — whether the buyer is a startup buying its first model API or an enterprise running a portfolio of dozens of AI vendors.
All Topics
50 AI procurement and vendor-risk topics organized into 8 categories. Each has 6 detailed lessons with frameworks, contractual levers, and operational templates.
Procurement Foundations
AI Procurement Overview
Master the foundations of AI procurement. Learn the AI procurement lifecycle, the unique challenges versus traditional IT procurement, the stakeholder map, and the governance model that turns ad-hoc buying into a programme.
6 Lessons
Buy vs Build vs Open Source
Make the buy/build/open-source decision for AI. Learn the decision framework, total-cost-of-ownership, risk-adjusted comparison, and when each option wins.
6 Lessons
AI Procurement Lifecycle
Walk through the AI procurement lifecycle. Learn each stage (intake, DD, RFx, contract, onboard, manage, renew, exit), the gates between stages, the deliverables, and the responsible owners.
6 Lessons
Stakeholder Roles & RACI
Define stakeholder roles and a working RACI for AI procurement. Learn the standard nine roles, common decision points, escalation paths, and how to keep the matrix from becoming theatre.
6 Lessons
AI Procurement Policy
Draft an AI procurement policy. Learn the mandatory sections (scope, prohibited vendors, mandatory clauses, approval thresholds, exception process), the cross-references to AI use policy, and the review cadence.
6 Lessons
Procurement Maturity Model
Assess your AI procurement maturity. Learn the five-stage maturity model, the diagnostic, the gap report, and the roadmap to the next stage.
6 Lessons
Vendor Risk Management
Third-Party Risk Management Overview
Master third-party risk management for AI. Learn the TPRM framework, risk taxonomy for AI vendors, lifecycle integration with procurement, and the second-line role.
6 Lessons
Vendor Risk Tiering
Tier AI vendors by risk. Learn the tiering criteria (criticality, data sensitivity, regulatory scope, AI risk class), the tiering decision tree, and how tier drives DD depth and ongoing management.
6 Lessons
Inherent vs Residual Risk
Distinguish inherent and residual risk for AI vendors. Learn how to score inherent risk, how vendor controls reduce it to residual, the residual-risk acceptance protocol, and how to track over time.
6 Lessons
Vendor Risk Register
Maintain a vendor risk register. Learn the register structure, risk entry quality standards, ownership, review cadence, and the relationship to the enterprise risk register.
6 Lessons
Concentration & Substitutability Risk
Manage concentration and substitutability risk. Learn how to detect concentration on a model provider or cloud, the systemic-risk view, substitutability assessment, and mitigation patterns.
6 Lessons
TPRM Governance & Reporting
Govern and report on TPRM. Learn the TPRM committee, board reporting, KRIs, regulator reporting expectations, and the link between TPRM and AI governance.
6 Lessons
Vendor Due Diligence
Vendor Due Diligence Overview
Master vendor due diligence for AI. Learn the DD scope, depth by tier, evidence types, the assessment workflow, and the DD report.
6 Lessons
Technical Due Diligence
Run technical DD on an AI vendor. Learn architecture review, model evaluation, performance benchmarking, scalability, integration footprint, and code/repo review where licensed.
6 Lessons
Security Due Diligence
Run security DD on an AI vendor. Learn the security questionnaire (SIG, CAIQ, AI-specific), attestation review (SOC 2, ISO 27001, ISO 42001), penetration testing review, and red-team posture.
6 Lessons
Privacy Due Diligence
Run privacy DD on an AI vendor. Learn DPIA review, training-data privacy posture, data-residency, processor/sub-processor map, model output PII risk, and DSAR support.
6 Lessons
Financial & Stability DD
Run financial and stability DD on an AI vendor. Learn financial-statement review, runway analysis, customer concentration, key-personnel risk, and the going-concern assessment.
6 Lessons
Ethical AI Due Diligence
Run ethical AI DD on a vendor. Learn the responsible-AI questionnaire, fairness and bias testing review, transparency and explainability review, AI ethics policy review, and the dual-use risk assessment.
6 Lessons
AI Supply Chain DD (AIBOM)
Run supply-chain DD on an AI vendor. Learn AI bill of materials (AIBOM) collection, model provenance verification, training-data provenance, sub-processor chain mapping, and fourth-party risk.
6 Lessons
DD Questionnaire Design
Design DD questionnaires that surface real risk. Learn question taxonomy, evidence-anchored questions, scoring rubrics, conditional branches, and when to retire a question.
6 Lessons
RFx & Vendor Selection
AI RFP Design
Design an AI-specific RFP. Learn the unique sections (model requirements, evaluation criteria, demo / POV expectations, AI ethics, supply chain), the response template, and the timeline.
6 Lessons
Evaluation Criteria & Scoring
Define evaluation criteria and a scoring model. Learn the weighted scorecard, the must-have / should-have split, blind versus open scoring, and how to keep scoring defensible.
6 Lessons
Vendor Demos & POVs
Run vendor demos and proofs of value. Learn the demo script, POV success criteria, time-boxing, data-provisioning for the POV, and the POV report.
6 Lessons
Reference Checks
Run defensible reference checks. Learn how to source references beyond the vendor's curated list, the reference call script, evidence triangulation, and the reference report.
6 Lessons
Vendor Shortlisting
Shortlist vendors defensibly. Learn the longlist-to-shortlist funnel, knockout criteria, the shortlist memo, and the shortlist debrief with non-shortlisted vendors.
6 Lessons
Award Decision Memo
Write the award decision memo. Learn the memo structure, the audit trail, board / committee approval where required, contract negotiation kickoff, and the loser-debrief discipline.
6 Lessons
Contracts & SLAs
AI Contract Overview
Master the AI contract. Learn the contract stack (MSA, SOW, DPA, AI addendum), the AI-specific clauses, common vendor pushback, and the negotiation playbook.
6 Lessons
AI Master Services Agreement
Negotiate the AI MSA. Learn the standard clauses (parties, services, fees, term, warranties, IP, indemnification, limitation of liability, termination, survival), and the AI-specific overlays.
6 Lessons
Data Rights & Usage Clauses
Negotiate data rights. Learn the buyer-data-stays-buyer-data principle, the no-train clause, output ownership, retention and deletion, residuals, and customer-content carve-outs.
6 Lessons
IP Ownership & Indemnification
Negotiate IP ownership and indemnities. Learn input/output IP, training-data IP indemnity, third-party-IP indemnity, the cap and exclusions, and the rapidly evolving litigation backdrop.
6 Lessons
SLA Design for AI
Design SLAs that work for AI. Learn availability SLAs, latency SLAs (p50/p95/p99), accuracy and quality SLAs, support SLAs, the credit structure, and proof-of-breach.
6 Lessons
Liability Allocation
Allocate liability for AI harm. Learn the standard cap, super-cap carve-outs, exclusions, the AI-specific carve-outs (data breach, IP, regulatory fine), and the insurance interplay.
6 Lessons
Exit & Data Portability
Negotiate exit and data-portability terms. Learn the exit assistance clause, data return formats, transition support window, fine-tune weights / embeddings portability, and post-termination obligations.
6 Lessons
AI Act-Required Vendor Clauses
Add AI Act-required vendor clauses. Learn provider/deployer classification, Article 25 component supply, Article 26 deployer obligations flow-down, GPAI provider obligations, and downstream deployer terms.
6 Lessons
Ongoing Vendor Management
Ongoing Vendor Management Overview
Master ongoing vendor management. Learn the operating rhythm, performance reviews, business reviews, attestation refresh cycles, and the role of the vendor manager.
6 Lessons
Performance Monitoring
Monitor AI vendor performance continuously. Learn the metric set (uptime, latency, quality, error rate, drift), instrumentation, dashboards, anomaly detection, and the escalation playbook.
6 Lessons
Relationship Management
Manage the vendor relationship. Learn the QBR structure, escalation paths, executive sponsorship, joint roadmap reviews, and the early-warning signals that the relationship is degrading.
6 Lessons
Attestation Consumption
Consume vendor attestations effectively. Learn the SOC 2 read, ISO certificate verification, ISO 42001 certificate read, complementary user entity controls, and the attestation gap response.
6 Lessons
Annual Recertification
Recertify vendors annually. Learn the recertification scope, the refresh of DD elements, attestation refresh, contract review trigger, and the renewal-or-exit decision.
6 Lessons
Vendor Change Management
Manage vendor-driven change. Learn the change-notification clause, impact assessment, model-update handling (especially for foundation-model vendors deprecating models), and the change log.
6 Lessons
Vendor Incident & Exit
Vendor Incident Response
Respond to vendor incidents. Learn the joint incident-response runbook, the role of vendor support, evidence preservation, the customer-communication decision, and the post-incident review.
6 Lessons
Breach Notification Workflow
Run a vendor-breach notification workflow. Learn the contractual notification windows, the assessment of the breach scope, the upstream regulator notifications, and the customer notifications.
6 Lessons
Termination Rights
Use termination rights effectively. Learn the for-cause grounds, the for-convenience right, the cure period, the wind-down, and the link between SLA breach and termination.
6 Lessons
Data Return & Destruction
Manage data return and destruction at exit. Learn the data inventory, the return format negotiation, the destruction certificate, sub-processor data destruction, and verification.
6 Lessons
Exit Runbook
Build the exit runbook before you need it. Learn the runbook sections, the trigger conditions, the parallel-running plan, the data-migration plan, and the post-exit review.
6 Lessons
Vendor Substitution
Substitute one AI vendor for another. Learn the substitution playbook, the abstraction-layer pattern that makes substitution cheap, evaluation parity, traffic ramp, and rollback.
6 Lessons
Supply Chain & AIBOM
AI Bill of Materials (AIBOM)
Build and consume AIBOMs. Learn the SPDX and OWASP work, the components an AIBOM tracks (models, datasets, code, services), the buyer-side and vendor-side use cases, and the maturity model.
6 Lessons
Model Supply Chain
Map the model supply chain. Learn the foundation-model provenance, fine-tuning lineage, model-derivative chain, model-card cross-checks, and weight-integrity verification.
6 Lessons
Data Supply Chain
Map the data supply chain. Learn dataset lineage, license posture, opt-out compliance, training-data provenance, and the data-rights diligence for buyer data sent to AI vendors.
6 Lessons
Fourth-Party Risk
Manage fourth-party risk. Learn the sub-processor map, the right-to-audit flow-down, sub-processor change notification, fourth-party concentration, and the practical limits.
6 Lessons
Lilly Tech Systems