Skip to content
Home » Blog » Your AI Vendor Is Hoping You Don’t Ask About Security

Your AI Vendor Is Hoping You Don’t Ask About Security

I’ve sat in a lot of vendor demos. The slides are beautiful. The demo runs flawlessly. The pricing is aggressive. In 45 minutes of polished presentation, nobody says a single word about where your data goes, who can see it, or what happens when the model gets something wrong in a way that costs you.

That silence is not an accident. It’s the strategy.

I’m going to say something that will annoy a chunk of the AI industry: most AI vendors are betting you won’t ask the security questions. They’re counting on your excitement to buy AI outrunning your discipline to vet it. For a lot of small and mid-sized businesses, that bet pays off.

The demo is designed to skip the hard part

Here’s how the pitch usually goes. The vendor shows you the shiny outcome like faster support tickets, automated reports, a chatbot that sounds human. You imagine it working in your business. Your brain starts spending the ROI before you’ve signed anything.

What the demo never shows you is the plumbing. Where your prompts and documents get sent. Whether your data is used to train their model. Who at the vendor can read what your employees type. What their breach history looks like. What happens to your data if they get acquired or shut down.

None of that fits neatly on a slide with a green checkmark. So it doesn’t get a slide at all.

I don’t think most of these vendors are malicious. I think they’re moving fast, they’re under pressure to close, and the security conversation slows the deal down. So they let you not bring it up. Your silence is convenient for them.

I watched this play out at enterprise scale

During my years at Kyndryl, I ran security and operations for major enterprise accounts. On one account, my team improved incident detection by 38% and drove more than $2M in documented cost savings. We didn’t get those numbers by trusting vendor slides. We got them by assuming every system was a potential exposure until proven otherwise.

That mindset is expensive to build inside a Fortune 500 company. The principle scales all the way down to a ten-person company buying its first AI tool. You are handing a third party access to your data. Access is risk. The only question is whether you priced that risk before you signed, or whether you’ll discover it later.

Enterprises have entire teams to catch what vendors leave out. Most small businesses have one owner, a busy IT contractor, and a lot of trust. That gap is exactly where problems live.

The questions vendors hope you skip

You don’t need a security team to protect yourself. You need to ask five questions and refuse to accept hand-waving.

Where does my data physically go, and is it used to train your models? If your customer records or internal documents become training data, they can surface in outputs to other customers. Some vendors bury an opt-out three settings deep. Some don’t offer one at all. Make them answer in writing.

Who at your company can access what my team submits? “It’s encrypted” is not an answer to “who can read it.” Encryption at rest doesn’t matter if a support engineer can pull your prompts in plain text. Ask specifically who has access and under what controls.

What’s your breach history and your notification commitment? Every serious vendor has thought about breaches. If they act offended by the question, that’s your answer. Ask how fast they’ll notify you and what they’ll do.

What happens to my data if I leave, or if you get acquired? AI startups get bought and shut down constantly. Your data shouldn’t be a mystery asset in someone else’s acquisition. Get the deletion and export terms in the contract.

Does this tool touch anything regulated? If AI comes near health data, payment data, or anything covered by contracts with your own customers, the compliance surface is real. A vendor who shrugs at HIPAA or PCI is telling you they’ve never had to care.

Notice that none of these are technical. They’re business questions. You already ask them of every other vendor you trust with something valuable. AI shouldn’t get a pass because the demo was impressive.

What a good answer actually sounds like

I want to be fair here, because plenty of vendors do this right, and you should know what “right” sounds like so you can tell the difference.

When I ask a solid vendor where the data goes, they don’t get defensive. They tell me the cloud region, they name the sub-processors, and they point me to the exact contract clause and the setting that controls training opt-out. They’ve had the conversation a hundred times and it shows.

When I ask who can access what my team submits, a good vendor describes a real access-control model. Role-based permissions. Audit logs. A named process for internal access requests. They can tell me how they’d answer if I demanded to see who touched my data last Tuesday.

The tell is confidence versus discomfort. A vendor who has built security in answers plainly and moves on. A vendor who bolted AI onto a weak foundation stalls, redirects to the marketing team, or tries to make you feel like the difficult one for asking. You learn more from how they react to the question than from the answer itself.

I’ve watched buyers talk themselves out of asking because they didn’t want to seem like they were slowing things down. That instinct costs companies more than any price negotiation ever could. The deal isn’t the prize. The working, safe system is the prize.

Why this matters more for you, not less

There’s a myth that security is an enterprise problem and that small businesses are too small to be worth attacking. It’s backwards. Attackers love small businesses precisely because the defenses are thin and the AI adoption is happening without anyone checking the plumbing.

When a large enterprise gets burned by a careless AI vendor, they have lawyers, insurance, and a communications team. When a 15-person firm has customer data leaked through an AI tool nobody vetted, that can be the whole company. The stakes are inverted from what people assume.

This is the part of the work I care about most. Not the model but the foundation under it. AI projects fail before AI is ever introduced, and the fastest way to fail is to bolt a powerful tool onto a data and security posture you never examined.

Discipline beats excitement

I’m not telling you to be afraid of AI. I’m telling you to be a real buyer. The vendors worth working with will welcome these questions. The good ones are relieved when a client finally takes security seriously. The ones who dodge, deflect, or make you feel paranoid for asking are showing you exactly who they are.

So here’s the honest either/or. You can be the buyer who asked the five questions and knew what you were signing or you can be the one who found out the answers the hard way, after the data was already gone. There’s no third option where you skip the questions and it works out fine. There’s only the version where you got lucky.

Which buyer do you want to be?


Ready to know what you’re actually signing? Start with an AI Infrastructure Assessment — it includes a security posture evaluation, so you go into vendor conversations knowing your own exposure before anyone shows you a demo.

Want to see how we sequence AI the right way? Our services are built infrastructure-first, security included, no shortcuts.

Want more like this? More plain-spoken takes on AI adoption are on the blog.


Russell Love is the Founder & CEO of Summit AI Business Solutions, based in Browns Summit, NC. With 20+ years of enterprise transformation experience at IBM and Kyndryl, Russell helps businesses build the foundations that make AI actually work.

Leave a Reply

Your email address will not be published. Required fields are marked *