Semitora.

8 July 2026

How to choose an AI vendor in 2026: 12 questions before you sign

You choose an AI vendor in 2026 not by price and not by a list of ready-made packages, but by proof they can deliver a working system: they ask about your data and process, measure quality with evaluations, classify risk under the AI Act, hand you ownership of the code, and maintain the system after go-live. Below are 12 questions that separate a production builder from a demo seller — plus a simple matrix of strong and weak signals.

Why “cheap and fast” is often the most expensive

The market is now full of “AI agent off the shelf” offers, fixed packages and “deployed in 7 days” timelines. The catch: a slide-deck demo and a system that works on your data under AI Act supervision are two different things. The most expensive scenario is a project that looks great in the pitch and, three months later, hallucinates, has no logs, and nobody knows who maintains it. So before you compare prices, compare the answers to the questions below. If you are torn between a ready-made tool and building your own, start with the build-vs-buy criteria — choosing a vendor only makes sense once you know you are building.

12 questions before you sign

Strategy and process

  1. Do you start from my process and data, or from a tool? A good builder first asks which process should produce a measurable result — they don’t propose an agent before they know the data.
  2. Will you show a working production system, or only a demo? Ask for a deployment with numbers (cost, quality, scale), not a chatbot screenshot.
  3. What does an honest “no-go” look like? A vendor who never advises against deployment is selling, not advising. A safe PoC has rejection criteria written down up front.

Data and security

  1. Where will my data live? Safest: in your own cloud account, under your jurisdiction — not in the vendor’s account.
  2. How will you mirror permissions? The system must not show a user anything they cannot access at the source.
  3. What about shadow AI and sensitive data? Ask about an inventory of AI tools and about filtering sensitive data before anything reaches the model.

Quality and compliance

  1. How do you measure quality? “It works” is not enough — you need a golden set and evaluations: retrieval relevance, groundedness in sources, citation correctness, hallucination control.
  2. Who classifies risk under the AI Act, and who documents it? Most AI Act obligations apply from 2 August 2026 — the risk class and documentation are part of the project, not an add-on.
  3. What do human oversight and guardrails look like in production? Topic boundaries, a correct “I don’t know” refusal, a log of every answer with its source — that is a technical layer, not a line in a policy.

Ownership, integrations and maintenance

  1. Who owns the code, prompts and configuration afterwards? If you end up locked to the vendor, that is not a deployment, it is a lease.
  2. How do you connect to my systems (ERP, CRM, helpdesk), and with what limits? Especially for agents that act, ask about per-role permissions and human approval of operations.
  3. Who maintains the system after go-live? Models, data and costs change — without monitoring, logs and an owner the system goes quiet after a quarter.

Scoring matrix: weak signal vs strong signal

Use it as a checklist — the more of the right column, the safer the choice.

CriterionWeak signalStrong signal
Strategy”We’ll deploy AI” with no questions about the processStarts from the process and a measurable result
DataData on the vendor’s accountYour cloud account, your jurisdiction
Integrations”We’ll connect everything”Clear limits, per-role permissions
SecurityNo mention of shadow AIInventory + filtering of sensitive data
AI Act”It doesn’t apply to you”Risk classification and documentation in scope
Evaluations”It works, see for yourself”Golden set + quality metrics
Code ownershipLock-in to the vendorCode, prompts and config with you
MaintenanceEnds at go-liveRetainer, logs, monitoring, an owner

Signals that mean nothing

Where Semitora fits

Semitora is consulting led by a practitioner-builder: our own GenAI product mojApteczka in production (USD 0.0006 per scan at 100% accuracy on a validation set of n=200, a 302,516-record knowledge base), systems built in your own AWS account, evaluations and guardrails as standard, AI Act risk classification during the audit, and three levels of engagement — audit, implementation, retainer. We price by scope, not from a list — and we say an honest “no-go” when the PoC doesn’t hold up.

FAQ

Where should I start when choosing an AI vendor?

With one process that has a measurable result, and with a question about data. A vendor who proposes a tool before they know your data and risk is selling a product, not solving a problem. The cheapest test is a PoC on a real slice.

Is a fixed price a good signal?

Not on its own. A fixed price can be convenient, but AI cost depends on the state of your data and integrations; more important than the number in the offer is whether the vendor can compute the unit cost on your data and show what drives it.

How do I check an AI vendor’s references?

Ask for a production deployment with numbers: which process, what quality (evaluations), what unit cost, who maintains the system. Client logos without a case study are not a reference.

Does the vendor need to know the AI Act?

Yes. Most AI Act obligations apply from 2 August 2026, so risk classification and documentation should be part of the project. A vendor who says “it doesn’t apply to you” is shifting the risk onto you.

What next

Have a process to test? Start with an AI readiness audit or get in touch — we reply within one business day.