How to Vet an AI Firm in 2026: The Honest Guide

on

How to Vet an AI Firm in 2026: The Honest Guide

By Mzee Boto

Let's start with the question nobody asks out loud in the sales meeting: when your vendor says "AI-powered," what do they actually mean?

Every fintech pitch deck in 2026 claims to be AI-native, agentic, or autonomous. Most of them are not. They're legacy software with a chat window stapled on top, sold by a team that knows "agentic" closes more deals than "automated" ever did.

That gap matters more in financial services than almost anywhere else. A bad CRM purchase wastes a budget line. A bad AI purchase at a regulated bank can mean a compliance failure, a data breach disclosure, or a model nobody on staff can explain when an examiner asks.

This guide isn't theory. It's the questions you ask before you sign, the checklist you run before you commit budget, and the four lines you do not cross in the contract — no matter how good the demo looked.

Let's get into it.

AI-Native vs. AI-Powered: The Distinction That Actually Matters

Forget the marketing copy for a second. Here's the test that cuts through it: if you removed the AI from the product, would it still function?

If yes — that's AI-powered. The core workflow existed before AI arrived. AI was added as a feature: a summarizer bolted onto an old case-management system, a chatbot sitting in front of a legacy core banking platform. Useful, often cheap, easy to deploy. But the ceiling is low — you get incremental productivity, not structural change.

If no — if the product genuinely collapses without it — that's AI-native. Decision logic, data flow, and orchestration were built around AI from day one. A fraud-detection engine that routes, prioritizes, and explains decisions dynamically based on continuous model feedback is AI-native. So is an underwriting workflow where the model isn't bolted on top of a rules engine — it is the engine.

  AI-Powered AI-Native
Architecture AI layered onto an existing system AI is the system
Decision-making Rules-based, AI assists AI drives or directly shapes outcomes
Data flow Siloed, often one-directional Continuous feedback loop
Best for Quick wins, low-risk pilots Structural transformation
Buyer risk Lower change cost, lower ceiling Higher change cost, higher payoff if it works

Neither is automatically the wrong answer. AI-powered tools have their place for fast, low-risk wins. The real problem isn't AI-powered software — it's AI-powered software marketed as AI-native, priced like AI-native, and sold on promises only AI-native systems can keep.

Which brings us to how vendors blur that line on purpose.

Watch for "Agent Washing" — It's Not Just Marketing Spin Anymore

"AI washing" used to mean slapping the word "AI" onto a basic rules engine. The 2026 version is worse: agent washing — calling a chatbot an "autonomous agent" when it can't execute a single task without a human clicking through every step.

This isn't just annoying. It's becoming a legal exposure issue. Harvard Law School's Forum on Corporate Governance flagged in April 2026 that agent washing now carries real securities disclosure risk: claims about autonomy, functionality, and business impact are specific enough to be tested, and regulators, investors, and plaintiffs have started testing them. If a vendor is overselling what their agent does to you, there's a real chance they're overselling it to their own investors too.

In every demo, ask for one thing: a live, unscripted run where the system completes a real task end to end, using your data, with your edge cases. If it can only describe what it would do, it's a chatbot wearing a costume.

The 10-Point Vendor Evaluation Checklist

This is the part you actually use. Print it. Bring it to the procurement meeting.

1. Run the "remove the AI" test. If the product still works without its AI layer, you're buying AI-powered software. Fine — just don't pay AI-native pricing for it.

2. Demand a live, unscripted demo of actual execution. Not a script. Watch it complete one real task, start to finish, in front of you.

3. Ask where it sits under your model risk framework. If you're a US bank above roughly $30 billion in assets, the April 2026 OCC/Fed/FDIC guidance (SR 26-2) replaced 15-year-old model risk rules — but it explicitly excludes generative and agentic AI, calling them "novel and rapidly evolving." That means the exact tool you're buying sits in a regulatory gray zone, even as examiners are already asking about it in routine exams. Ask the vendor directly: how do we govern this in the absence of a formal rule?

4. Check EU AI Act readiness if you touch EU clients. High-risk AI in financial services — credit scoring, insurance pricing, AML profiling — must meet documentation, risk management, and human oversight requirements by 2 August 2026. (A proposed delay for some categories is under discussion in Brussels, but nothing has passed into law — treat the August deadline as real.) Ask for their Annex III mapping. "We're aware of the AI Act" is not an answer.

5. For UK operations, ask how the tool supports Consumer Duty and SM&CR — not whether the vendor has heard of the FCA. The FCA isn't writing AI-specific rules; it's holding firms accountable under frameworks that already exist. Your vendor needs to help you evidence that, not just nod along.

6. For Canada, don't ask about AIDA — it's dead. Bill C-27 never became law. What governs you now is PIPEDA federally, Quebec's Law 25 if you operate there (real teeth: penalties up to C$25 million), and OSFI's expectations for federally regulated institutions. A vendor still pitching "AIDA compliance" hasn't done their homework.

7. Check the certification stack: SOC 2, ISO 27001, ISO 42001. SOC 2 is an independent audit of security and privacy controls. ISO 27001 is a security management system. ISO 42001 — the newest, published in 2023 — is built specifically for AI governance, and it's fast becoming the standard the serious players hold: OpenAI, AWS, Anthropic, and Salesforce have all pursued it. Missing certifications don't automatically disqualify a vendor. They do shift the entire burden of proof onto them.

8. Ask explicitly: what happens when it's wrong? Not in theory — in practice. Documented kill switch? Rollback procedure? A 2026 survey of 230 US banking professionals found 72% couldn't confidently say they had either a kill switch or a failure-reporting process for their AI systems. Don't be one more reason that number doesn't improve. And ask how the vendor prevents the kind of shadow-AI incident that hit a Pennsylvania community bank in May 2026, when an employee fed customer names, birthdates, and Social Security numbers into an unauthorized AI tool — triggering a material SEC disclosure over a single bad click.

9. Demand real telemetry, not a case-study slide. Vendor ROI pitches are consistently rosier than year-one reality — some estimates put the gap at two to four times. RAND found over 80% of AI projects fail to deliver their intended business value. MIT's NANDA initiative found 95% of generative AI pilots show zero measurable profit-and-loss return. Gartner puts agent-specific failure rates near 70%. Ask for actual usage data, output quality scoring, and ideally a control-group comparison against a team not using the tool. Gartner's newer Agent Value Multiple and Context Memory Optimization Score metrics are useful diagnostics — they supplement hard financial outcomes, they don't replace them.

10. Read the contract before you read the roadmap. A great product with a bad contract is still a bad deal — which is exactly the part procurement teams skip too often.

Before we get to the contract, one more thing vendors never put in a slide deck. Ford spent the past few years leaning hard on AI to drive vehicle engineering decisions, cutting senior engineers to help fund the shift. The result: software bugs and a wave of recalls. A Ford VP later admitted plainly that an AI system is only ever as good as what it's been trained on — and Ford had to rehire roughly 350 veteran engineers, internally nicknamed the "gray beards," to catch what the AI alone couldn't. It worked: Ford topped J.D. Power's 2026 quality rankings for the first time since 2010. The lesson isn't "don't use AI." It's that AI without retained human judgment is a risk dressed up as efficiency. Your contract should protect that judgment, explicitly — not leave it to goodwill.

The 4 Contract Red Lines You Do Not Negotiate Away

Everything above gets you to the table. These four terms decide whether you survive what happens after you sign.

1. IP indemnity. The vendor commits, in writing, to defend you if their model or its outputs are found to infringe someone else's intellectual property. If they won't indemnify you for what their own model produces, ask why they're not confident enough in their own training data to stand behind it.

2. Training data exclusion. Your data does not train their model by default, and never by "implied consent" buried in clause 47. If you're feeding the system customer financial data, that data improves your outcomes — not their next product release — unless you explicitly agree otherwise.

3. Model swap rights. You need the contractual right to require a model change if performance degrades, a new risk emerges, or the underlying model gets deprecated by its own provider. Without this clause, you're not a customer — you're locked to whatever decision the vendor makes next, on their timeline.

4. Clear AI Act and regulatory liability mapping. If you operate in or serve the EU, the contract must state explicitly who owns which compliance obligation: documentation, conformity assessment, incident reporting, penalties. "We'll figure it out together" is not a liability clause. It's a liability gap with your name on it.

Beyond these four, watch for the smaller traps that compound over time: liability caps set artificially low relative to the real cost of an AI failure, pricing models that charge you for outputs regardless of whether those outputs were correct, and audit logs the vendor controls but you can't independently access. None of these sink a deal alone. Together, they're how a promising pilot quietly becomes a bad five-year contract.

The Bottom Line

Most AI vendor pitches in 2026 are good enough to win a meeting and not good enough to survive real due diligence. That's not cynicism — it's the job. The institutions that come out ahead this year won't be the fastest adopters. They'll be the ones disciplined enough to walk away from a beautiful demo that can't answer ten straightforward questions.

AI FOMO has sunk more procurement budgets than bad AI ever has. Run the checklist. Hold the four lines. Make the vendor prove it — not just pitch it.

Have you ever been burned by an AI vendor? Or are you evaluating one right now? Drop your experience in the comments. I read every one.

I'm Mzee Boto — a finance enthusiast using AI to simplify money management. I share real tests, honest reviews, and practical tips so you can take control of your finances without the fluff.

Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or compliance advice. Regulatory frameworks referenced — including SR 26-2, the EU AI Act, FCA guidance, and Canadian privacy law — are subject to change, and some provisions, including EU AI Act high-risk timelines, remain under active legislative discussion. Consult qualified legal counsel and compliance professionals before making vendor selection or contractual decisions.

Comments

Post a Comment