When Enterprise Procurement Asks About AI, “We’ll Get Back to You” Kills Deals
Enterprise procurement has changed. A few years ago, vendor security reviews were mostly about SOC 2 Type II, pen test results, and data handling policies. Now those same reviews arrive with a dedicated addendum — sometimes five to fifteen pages — asking questions that most mid-market IT teams have never had to answer in writing: Which AI tools does your team use? Does any client data enter those models? Who approved each tool? What controls prevent data from being used for training?

If you don’t have documented answers, the deal doesn’t close on schedule. In some cases, it doesn’t close at all.
This post walks through how one mid-market technology services company navigated exactly that situation — and what IT managers at similarly sized companies can take from it.
The AI Governance Gap That Shows Up at the Worst Possible Moment
The company in this case study sits comfortably in the mid-market: a few hundred employees, a healthy book of B2B clients, and a sales pipeline that depends on landing enterprise logos. They use AI tools across their organization — a mix of approved tools their leadership selected and a longer tail of tools employees had adopted on their own. Normal picture for a company their size.
When a prospective enterprise client sent over their vendor security addendum, the AI governance section stopped the deal cold. The procurement team’s questions weren’t unreasonable. They wanted to know whether client data was being processed by third-party AI systems, what the company’s AI acceptable-use policy looked like, who was accountable for AI-related risk decisions, and how they would demonstrate that accountability if asked.
The IT director’s honest answer at that moment was: some of this we know, some of this we haven’t formally documented, and none of it is in a format we can hand to a procurement team with confidence.
That gap — between “we’re actually pretty careful about this” and “here’s the documented evidence” — is where deals stall. The problem wasn’t recklessness. It was that their AI governance existed mostly in people’s heads and inboxes rather than in a system of record.
How a Structured AI Risk Assessment Turned a Questionnaire Into a Checklist
Rather than trying to answer the procurement addendum one question at a time, the IT director used the questionnaire itself as a scope document. Every question the enterprise buyer was asking corresponded to something that needed to exist in writing: a list of AI tools in use, a documented rationale for each, a policy governing acceptable use, and an owner for each control.
The first step was building what we’d call an AI tool register — a structured inventory of every AI tool the organization was actively using, approved or not. This sounds simple, but for most mid-market companies it requires actually asking department heads what their teams are running. Shadow AI is real at this scale. Tools that marketing, sales, or engineering adopted without IT review show up in this process, and they show up precisely when you can’t afford surprises.
Once the inventory existed, each tool needed a basic risk profile: what data does it process, what are the vendor’s data retention and training policies, does it touch anything a client sent us, and is there a business justification on file. That’s the core of an AI vendor risk assessment — not an elaborate scoring model, but a documented answer to the questions a procurement team will actually ask.
With the tool register and risk profiles in hand, the IT director could map each procurement question to a specific piece of documentation. That mapping matters. It’s the difference between responding to an addendum with a narrative explanation and responding with “our AI acceptable-use policy is attached; the tool register with vendor data-handling classifications is exhibit B.” Procurement teams are reviewing dozens of vendors. Clear, organized documentation moves you through that queue faster.
What the Company Was Able to Document — and How It Changed the Review
Within a few weeks of starting this process, the company had produced the documentation set the procurement addendum required: a complete AI tool inventory with risk classifications, a documented acceptable-use policy with named ownership, a control summary showing how they governed new tool adoption, and a brief written statement on client data handling across their AI toolset.
None of it required a dedicated compliance team or a lengthy external audit. What it required was a structured process and a place to put the outputs so they were retrievable on short notice.
When the revised security questionnaire response went back to the enterprise buyer, the AI governance section was no longer a point of friction. The deal advanced. The procurement team had the documented assurance they needed; the company had a governance artifact they could reuse for the next questionnaire that landed in their inbox.
There’s a secondary outcome worth naming: the process surfaced two tools that had genuine client-data exposure the IT director hadn’t been fully aware of. Neither was a catastrophic finding, but both required either a policy update or a vendor conversation before the company could represent their data-handling practices accurately. Finding that before the questionnaire response went out was considerably better than finding it after.
What IT Managers Can Apply to Their Own Enterprise Review Process
The pattern here is repeatable. If your company is in any B2B market where enterprise procurement is part of your sales motion, AI governance questionnaires are already coming or will be soon. The EU AI Act is accelerating this — large European organizations are building AI governance requirements into their vendor assessments as part of their own compliance obligations, and US companies that sell into those supply chains are feeling it.
Here’s what actually moves the needle when you’re facing one of these reviews:
Start with your tool inventory before the questionnaire arrives. The AI tool register is the foundation everything else rests on. If you don’t have one, you can’t answer the basic procurement question — “what AI tools do you use?” — with confidence. Build the inventory once, keep it current, and the next questionnaire is a documentation exercise rather than a discovery exercise.
Use the vendor’s own data-use policies as your evidence. When a procurement team asks whether client data is used to train third-party models, the answer comes from your AI vendor’s terms of service and data processing agreements, not from your own assertion. Pull those documents. Summarize the relevant clauses per tool. That summary becomes an exhibit in your questionnaire response and removes the burden of proof from your word alone.
Name an owner for AI governance decisions, even if it’s you. Enterprise procurement teams aren’t just checking whether you have a policy — they’re checking whether there’s accountability behind it. A policy with a named owner and a defined review cadence reads differently than a policy document with no context. It signals that governance is operational, not theoretical.
Treat the first questionnaire you receive as a template for the next one. The documentation you build to answer one enterprise buyer’s AI security addendum is almost entirely reusable for the next. The questions are converging across industries — data handling, acceptable use, incident response, vendor oversight. Build it once to a standard that holds up, and each subsequent review gets faster.
Don’t wait for a deal to be at risk. The company in this case study got lucky in one respect: they had enough time to build the documentation before the response was due. That’s not always the case. Procurement timelines don’t always give you weeks to get organized. IT managers who have the governance artifacts already in place don’t get caught flat-footed when a high-stakes questionnaire arrives on a short deadline.
The broader point is this: AI governance documentation isn’t just a compliance function. For mid-market B2B companies competing for enterprise accounts, it’s a sales asset. A clean, organized response to an AI security addendum signals operational maturity. It shortens review cycles. And it removes one of the most common reasons a deal slows down in procurement.
If your team is using AI tools — approved or not — and you haven’t yet built a structured register and policy set, the time to do that is before the next enterprise buyer asks. The process isn’t as heavy as it sounds, but it does require a system of record that holds up when someone outside your organization is reviewing it.
InfoDefenders’ AI Governance Manager is built for exactly this use case: a mid-market IT team that needs to produce defensible governance documentation without a dedicated compliance staff. If you’re preparing for an enterprise security review or want to get ahead of the next one, see AI governance pricing and start a free trial to see what it takes to get your AI tool inventory and policy documentation into a format that clears procurement.