Artificial Intelligence

Future-Proof Your IT: The CIO’s Guide to Generative AI Vendor Selection

12 Essential Questions for Selecting the Right AI Provider

Picking the Wrong AI Provider Could Land You In Front of This Judge — Photo by Author David E. Sweenor


Did you know that by 2028, approximately 70 percent of businesses will integrate generative AI into their core operations?[1] So, given the prognostication, how prepared is your organization to adapt over the next four years?

Businesses are keenly aware that to compete effectively, they need to modernize their IT infrastructure and digitally transform their business. Trusted data, automation, and AI–both traditional and generative–are core elements of a winning strategy. Technology’s potential to automate and redefine business processes is surely tantalizing, and as a result, CIOs, CTOs, CISOs, CDOs, and other technology leaders are under increased pressure to accelerate transformation initiatives.

These days, CIOs have a lot on their plate. They need to balance rising technology costs, talent wars, increasing costs of capital, technical debt, neverending security threats, and mountains of technical debt. Many CIOs must split their time between driving transformation initiatives and maintaining legacy systems. Unfortunately, for many businesses, the lion’s share of the budget is used to keep the business running rather than on transformation projects. The newness of generative AI brings several additional challenges for CIOs, with a critical one being: how to select the right AI vendor.

With the growing number of AI regulations, understanding what happens to data in the context of the AI application is a risk that every CIO needs to understand. Key questions include:

  • Will the LLM learn from data and prompts? If so, will that information be made available to others who ask similar questions?
  • What happens if the data (e.g., prompts or queries) that the generative AI service stores are hacked, leaked, or more likely, accidentally becomes publicly accessible?
  • Will competitors get access to data and prompts? Will this compromise market position?
  • What security certifications do providers have? Do they support regulations like GDPR and HIPPA? How will they support the EU AI Act or the U.S. Executive Order on AI?
  • Do competitors support data residency requirements that will ensure that data is only processed in locations that are in accordance with your companies’ policies?

There was a great headline from the UK’s National Cyber Security Center (NCSC) that stated, “Do loose prompts sink ships?”[2] Given the newness and importance of generative AI systems, there are some unique considerations that go above and beyond “traditional” IT requirements.

This article explores the essential questions every CIO should ask when evaluating generative AI providers, drawing insights from my report, The CIO’s Guide to Adopting Generative AI, co-authored by Kalyan Ramanathan and me. I aim to equip you with the knowledge to make decisions that align with your company’s current needs and pave the way for future innovation and growth–putting CIOs at the helm of digital transformation.

The CIO’s Checklist for Generative AI Providers

Data Ownership and Control

Without data, there is no AI. When generative AI creates new content, images, audio, or videos from scratch, the question of who owns the generated content is a thorny one. With the growing number of court cases involving copyright violations and intellectual property rights, organizations need to pay special attention to data ownership as well as liability. When evaluating vendors, make sure you have a solid understanding of data rights, model ownership, and output control. Here’s how this breakdown can inform your vendor selection:

Data Rights

First, ensure that the data you feed into a vendor’s AI models remains your property. With the establishment of clear data rights within the contract, you can avoid the possibility that the data used to train their AI will be claimed or used by the vendor for other purposes.

Recommended actions: Work directly with your organization’s legal team to carefully examine contracts and clarify data ownership.

Model Ownership

Training and fine-tuning generative AI models is incredibly expensive. The LLMs you help train or those fine-tuned to understand your business are your assets. Maintaining control of this intellectual property (IP) is critical for business continuity if you want to change providers.

Recommended actions: Discuss and clarify the issue of model ownership with vendors before finalizing partnerships, working to secure rights that avoid the creation of loosely controlled AI assets. This may require customization or shared development models.

Output Control

Finally, address how your organization’s interests will be protected regarding AI-generated content. The right to review, modify, or remove any generated content should be yours, with clear mechanisms in place to exercise these rights.

Recommended actions: Set up workflows and procedures that allow your teams to review AI-generated content effectively and ensure that the vendor’s platform supports this functionality.

Data Privacy and Compliance

Data privacy and compliance are not merely legal checkboxes—especially with legislation like the GDPR and the CCPA—they’re ethical imperatives. Be sure that any generative AI vendor you work with takes this seriously.

Regulatory Compliance

Your chosen vendor must operate within the legal frameworks that govern data use, especially concerning sensitive information.

Recommended actions: Verify that the vendor’s AI models respect key directives such as GDPR. Additionally, find out how they manage other global compliance regulations and request a detailed compliance report.

Data Privacy Concerns

Beyond the legal requirements, it’s a prudent move to consider your customers’ and employees’ privacy. Transparency in data usage, model training, and a commitment to stringent security measures will create a foundation of trust.

Recommended actions: Conduct thorough due diligence on vendors’ privacy policies, security measures, and any third-party audits they’ve undergone. Look for track records of responsibility and transparency in data handling.

Integration and Application Management

The actual value of AI can only be realized when it seamlessly integrates with your existing systems and processes. Integration and manageability are often overlooked aspects that can lead to costly mistakes.

System Integration

Your AI strategy should complement or enhance your existing systems. A generative AI vendor must be able to integrate their AI seamlessly into your environment.

Recommended actions: Evaluate vendors based on their experience with integrations, particularly with your existing tech stack. Their ability to understand your architecture and customizable APIs will be critical for successful integration.

Application Management

One of the complexities of AI adoption is the scale at which applications may need to be deployed. Your vendor should demonstrate a robust system for managing applications, handling updates, and tracking performance.

Recommended actions: Inquire about the vendor’s application management tools, methodologies, and support services. A vendor that offers comprehensive management platforms and clear service-level agreements (SLAs) will simplify your AI deployment lifecycle.

By addressing these key points, you’re not only choosing a generative AI vendor but also a strategic partner in your organization’s digital journey.

Twelve Questions to Ask Your Generative AI Service Provider

Here are the key questions and recommendations:

  1. Who ultimately owns the data? This includes fine-tuned models, prompts, and response output.
    1. Make sure your organization maintains complete control and ownership of the data.
  2. Does the provider allow opt-in/opt-out, including data for training their model?
    1. Be sure to opt-out if dealing with proprietary or sensitive data. Or, at the least, only allow training data to be used to tweak your model and not be used to train or develop any of the provider’s other models.
  3. What policies do they have on content filtering and logging? Can you opt-out?
    1. When handling confidential or regulated data, consult the solution provider about bypassing content screening and logging. Once approved, make sure they don’t archive any related data like prompts or response output.
  4. Can fine-tuned models be deleted? How about the training and validation data?
    1. The ability to delete sensitive data and models is a critical requirement, especially with regulatory standards such as Europe’s GDPR, which includes “the right to be forgotten.” From an intellectual property (IP) standpoint, if an organization has crafted a proprietary model or employed unique datasets, ensuring that these assets can be deleted protects your IP.
  5. How long are prompts and response outputs data stored?
    1. Ensure data is stored securely in your operational region and isolated using your subscription and API credentials. Only retain data for a maximum of “N” days, in line with company guidelines. Ideally, it should be encrypted with the provider’s managed keys.
  6. Does the provider share data with partners? What partners do they share it with? Do you want your data shared with partners?
    1. Most providers share data with partners after anonymization. Make sure this aligns with your specific use case. Ask for a list of specific partners that the data is shared with. Determine if sharing can be restricted.
  7. Who can access data from the service provider?
    1. Most service providers have a clause stating that “only authorized employees” can access the data. Who is authorized? Who determines who is authorized? What functional groups may access data?
  8. What security certifications does the provider have?
    1. Have a comprehensive understanding of their compliance landscape. Specifically, verify if they align with critical external privacy standards and regulations, including but not limited to the GDPR, ISO/IEC 27701, ISO/IEC 27018, EU Standard Contractual Clauses, HIPAA, HITRUST, FERPA, and regulations pertinent to specific regions such as Japan’s My Number Act, Canada’s PIPEDA, Spain’s LOPD, and Argentina’s PDPA.
  9. How is data secured—both at rest and in transit?
    1. Make sure the solution uses advanced encryption, including methods like double encryption. For stored data, make sure it’s protected using 256-bit AES and meets FIPS 140-2 standards. Using managed keys by default is essential, but also consider integrating a key vault for enhanced security. For data in transit, adhere to best practices by leveraging encrypted transport protocols and ensuring compliance with benchmarks such as the IEEE 802.1AE MAC Security Standards.
  10. In the event of a data breach, how promptly will the provider notify you? What is their protocol for such events?
    1. Ensure the provider has a clear and timely communication plan for any security incidents.
  11. Does the provider support data residency requirements that ensure that data is stored only in specific geographic regions (if mandated by local laws)?
    1. Understand where data will reside and ensure it aligns with any legal or regulatory requirements.
  12. What SLAs does the provider commit to regarding uptime, availability, and performance?
    1. Ensure SLAs align with your organizational needs and that penalties are in place for any breaches.


Choosing a generative AI vendor requires thoroughly understanding your organization’s current IT infrastructure and future digital goals. As a CIO, your focus should be ensuring data ownership, maintaining privacy and compliance, and achieving seamless integration that augments your IT infrastructure. Remember, the right AI provider will not only offer a technological solution but also a strategic partnership that aligns with your IT vision and future-proofs your organization.

Given the rapid pace of innovation, there’s no one-size-fits-all approach to vendor selection. However, staying vigilant about data and model rights, privacy and compliance, and integration capabilities will lay the groundwork for a clever, future-oriented move. The markers of success for AI’s next era will be defined by those who understand its complexities and commit to ethical, responsible, and integrated AI deployments.

As you move forward with your generative AI planning, consider your vendor selection akin to choosing a co-pilot for a ground-breaking journey. By using the checklist we’ve created, you can future-proof your IT.

If you enjoyed this article, please like it, highlight interesting sections, and share comments. Consider following me on Medium and LinkedIn.

If you’re interested in this topic, consider TinyTechGuides’ latest books, including The CIO’s Guide to Adopting Generative AI: Five Keys to Success, Mastering the Modern Data Stack, or Artificial Intelligence: An Executive Guide to Make AI Work for Your Business.

[1] Emanuel, Julian, Michael Chu, and Barak Hurvitz. 2023. “Equity and Derivatives Strategy Macro Note Generative AI Productivity’s Potential, from Macro to Micro.”

[2] C., David, and Paul J. 2023. “ChatGPT and Large Language Models: What’s the Risk?” National Cyber Security Centre. March 14, 2023.