Who this questionnaire is for
Procurement, security, legal/compliance, risk, IT, and product leaders evaluating AI vendors, tools, model providers, or platforms.

What it assesses
Whether a vendor can meet real operational and governance requirements: evidence/log exportability, auditability, access controls, data handling, incident support, evaluation discipline, failure-path behaviour, and contractual clarity on risks.

How it helps
Stops “demo-driven buying.” Results translate requirements into concrete proof points (what the vendor must show, log, export, and support) so you don’t discover gaps after rollout — when failures are expensive and public.

Best used when

Selecting a vendor/model/provider
Renewing or expanding contracts
Introducing AI into regulated/high-stakes workflows
Comparing vendors beyond feature checklists

Oyez Tools

Practical tools and field guides used together to decide what to build, how to ship it, and how to govern AI systems in real organisations.

Field Guides

AI Strategy Field Guide

Executive framing, ownership models, and adoption paths.
Engineering Field Guide

Production systems, reliability, and failure modes.
Governance Field Guide

Controls, accountability, auditability, and compliance.

Strategy & Direction

Strategy & Adoption Readiness (Executive)

Used by executives to set direction, ownership, and ship gates.

Intake & Decision Gates

AI Adoption Readiness

Baseline check for mixed teams starting or scaling AI.
Use-Case Intake & Risk Tiering

Approve, condition, or block AI use cases.

Build & Reliability

Engineering Maturity (Systems)

Assess production readiness and drift risk.
RAG & Grounding Readiness

Shipping retrieval-grounded AI safely.

Governance & Procurement

Governance & Compliance Readiness

Controls, evidence, and regulatory posture.
Vendor Procurement & Due Diligence

Evaluate AI vendors before purchase or renewal.

Operate & Review

Change, Drift & Incident Review

Post-incident and post-release review.

Field guides explain the concepts. Questionnaires test whether they exist in practice.

AI Vendor & Procurement Readiness

This assessment helps teams avoid demo-driven purchasing. It focuses on evidence exportability, controllability, evaluation discipline, and audit/incident readiness.

Status: Not scored Coverage: 0% Score: — Decision: —

Your role (optional)

Company or project identifier (optional)

Your score

out of 45

Answered 0/15

Posture

—

Answer the questions to see your posture.

Section A — Evidence & Exportability

1) Can the tool export raw logs (inputs, retrieval context, tool calls, outputs) in a structured format?

No — no export

Partial — limited/export on request

Mostly — exportable logs exist

Enforced — exportable + documented schema

2) Can you reproduce results later (versioned model/prompt/data + timestamps)?

Partial — some versions tracked

Mostly — reproducible in most cases

Enforced — reliably reproducible

3) Are costs and rate limits predictable at scale (quotas, per-seat/per-token clarity, alerts)?

Unknown / unpredictable

Rough estimates only

Predictable with monitoring

Enforced — predictable + enforceable controls

4) Can you migrate away without losing critical data (configs, evals, embeddings, logs)?

No — hard lock-in

Painful / partial

Mostly possible

Enforced — designed for portability

5) Can the vendor support audits (retention, access logs, incident disclosures, evidence trail)?

Informal / unclear

Documented support exists

Enforced — contracted + demonstrated

Section B — Security & Control Surface

6) Are permissions least-privilege with roles, audit logs, and periodic reviews?

No controls

Basic roles

Roles + audit logs

Enforced — RBAC + reviews + exportable audits

7) Can you enforce groundedness (allowlists, citations, refusal gates) inside the product?

Partial configuration

Strong configuration

Enforced — testable + logged gates

8) Is security posture clear (data handling, training use, retention, encryption) and kept current?

No clarity

Basic statements

Detailed documentation

Enforced — contracted + verified

9) Can you define “high-stakes” workflows with human review and escalation paths?

Informal handling

Supported workflows

Enforced — audited workflows

10) Can you tune behaviour (policies/configs) with versioning and rollback?

Black box

Limited tuning

Most knobs exist

Enforced — full control + rollback

Section C — Evaluation & Contract Discipline

11) Do you require failure-path demos (empty retrieval, contradictions, injection, tool errors) before purchase?

Occasionally

Usually

Enforced — acceptance criteria + sign-off

12) Can you run structured evaluations (not demos) and compare runs over time?

Informal

Structured evaluations exist

Enforced — regression tracking

13) Do contracts include incident expectations (SLAs, breach notification, support, postmortems)?

Minimal

Defined

Enforced — strong + tested in practice

14) Do contracts include evidence expectations (export logs, retention, audit support) rather than “trust us”?

Partial

Mostly — documented clauses

Enforced — contractual + measurable

15) Do you have an exit plan before signing (data export, replacement timeline, contingency)?

Rough idea

Documented plan

Enforced — contracted + rehearsed

Tip: If you can’t export evidence, you can’t govern or defend decisions later — and you can’t learn from incidents.

Posture

—

Decision

—

Recommended next steps

Top risks

Built for procurement discipline: exportable evidence, controllable configurations, failure-path demos, and contractual auditability.

Oyez Tools

Practical tools used together to decide what to build, how to ship it, and how to govern AI systems in real organisations.

Strategy & Direction

Strategy & Adoption Readiness (Executive)

Used by executives to set direction, ownership, and ship gates.

Intake & Decision Gates

AI Adoption Readiness

Baseline check for mixed teams starting or scaling AI.
Use-Case Intake & Risk Tiering

Used by product and governance to approve or block AI use cases.

Build & Reliability

Engineering Maturity (Systems)

Used by builders to assess production readiness and drift risk.
RAG & Grounding Readiness

Used by teams shipping retrieval-grounded AI systems.

Governance & Procurement

Governance & Compliance Readiness

Used by risk, legal, and policy teams to assess controls.
Vendor Procurement & Due Diligence

Used before buying or renewing AI tools or models.

Operate & Review

Change, Drift & Incident Review

Used after releases, incidents, or drift events.

Field guides explain the concepts. Questionnaires test whether they exist in practice.

AI Vendor Procurement Readiness Questionnaire

AI Vendor & Procurement Readiness

Section A — Evidence & Exportability

1) Can the tool export raw logs (inputs, retrieval context, tool calls, outputs) in a structured format?

2) Can you reproduce results later (versioned model/prompt/data + timestamps)?

3) Are costs and rate limits predictable at scale (quotas, per-seat/per-token clarity, alerts)?

4) Can you migrate away without losing critical data (configs, evals, embeddings, logs)?

5) Can the vendor support audits (retention, access logs, incident disclosures, evidence trail)?

Section B — Security & Control Surface

6) Are permissions least-privilege with roles, audit logs, and periodic reviews?

7) Can you enforce groundedness (allowlists, citations, refusal gates) inside the product?

8) Is security posture clear (data handling, training use, retention, encryption) and kept current?

9) Can you define “high-stakes” workflows with human review and escalation paths?

10) Can you tune behaviour (policies/configs) with versioning and rollback?

Section C — Evaluation & Contract Discipline

11) Do you require failure-path demos (empty retrieval, contradictions, injection, tool errors) before purchase?

12) Can you run structured evaluations (not demos) and compare runs over time?

13) Do contracts include incident expectations (SLAs, breach notification, support, postmortems)?

14) Do contracts include evidence expectations (export logs, retention, audit support) rather than “trust us”?

15) Do you have an exit plan before signing (data export, replacement timeline, contingency)?

Posture

Decision

Recommended next steps

Top risks