Over-privileged access poses greater risk than ransomware, TMF Group security chief says

Over-privileged access and weak workflow controls pose more danger than ransomware, says TMF Group's security chief. Before signing AI vendor contracts, firms must pin down data storage, retention rules, and breach liability in writing.

Categorized in: AI News Management
Published on: Apr 08, 2026

What Managing Partners Should Ask Before Signing an AI Vendor Contract

Professional services firms are adopting AI-native tools at speed, but many managing partners are asking the wrong questions before signing contracts. According to Kumar Ravi, Chief Security & Resilience Officer at TMF Group, the risks that matter most aren't the ones that make headlines.

Over-privileged access and weak workflow controls pose greater danger than ransomware attacks, Ravi said, precisely because they accumulate quietly. A user with more permissions than their role requires. A shared service account in a document system. These small oversights don't trigger alarms - but they compound across teams, systems, and applications until they create openings for lateral movement by insiders or external attackers.

The problem worsens when no single person owns data governance. Responsibility diffuses. Risk accumulates invisibly.
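As an added illustration of the kind of check Ravi is describing (this is example code written for this page, not code from the article or from TMF Group), the script below audits a constructed access inventory for the two quiet failure modes he names: principals holding permissions beyond what their role needs, and service accounts whose credentials are clearly being used by more than one person or host. Role names, permission strings, principals and sign-in records are all assumed sample data.

```python
"""
Least-privilege drift check over a constructed access inventory.
Added example (not from the article or TMF Group): flags principals whose
granted permissions exceed their role's baseline, and service accounts
used from more than one human identity or host (i.e. shared credentials).
"""
from collections import defaultdict

# Constructed role baselines: the permissions each role genuinely needs.
ROLE_BASELINE = {
    "analyst": {"docs:read"},
    "reviewer": {"docs:read", "docs:comment"},
    "doc-admin": {"docs:read", "docs:comment", "docs:write", "docs:share"},
}

# Constructed grants: (principal, role, permissions actually granted).
# 'alice' was given write/share for a project and it was never revoked;
# 'svc-docsync' accumulated an IAM permission nobody remembers adding.
GRANTS = [
    ("alice", "analyst", {"docs:read", "docs:write", "docs:share"}),
    ("bob", "reviewer", {"docs:read", "docs:comment"}),
    ("svc-docsync", "doc-admin",
     {"docs:read", "docs:comment", "docs:write", "docs:share", "iam:grant"}),
]

# Constructed sign-in records: (principal, interactive user or host that used it).
SIGNIN_LOG = [
    ("svc-docsync", "host:etl-01"),
    ("svc-docsync", "user:carol"),
    ("svc-docsync", "user:dave"),
    ("alice", "user:alice"),
    ("bob", "user:bob"),
]


def excess_permissions(grants, baseline):
    """Return {principal: sorted permissions beyond its role baseline}."""
    findings = {}
    for principal, role, granted in grants:
        # Unknown role: nothing is accounted for, so every grant is excess.
        allowed = baseline.get(role, set())
        extra = sorted(granted - allowed)
        if extra:
            findings[principal] = extra
    return findings


def shared_accounts(signin_log, min_distinct=2):
    """Return {principal: sorted distinct sources} for accounts used from at
    least `min_distinct` different users/hosts, i.e. credentials being shared."""
    sources = defaultdict(set)
    for principal, source in signin_log:
        sources[principal].add(source)
    return {p: sorted(s) for p, s in sources.items() if len(s) >= min_distinct}


def audit(grants=GRANTS, baseline=ROLE_BASELINE, signin_log=SIGNIN_LOG):
    """Combine both checks into (severity, principal, detail) findings.
    An account that is both shared and over-privileged is exactly the
    lateral-movement opening the article describes, so it ranks highest."""
    excess = excess_permissions(grants, baseline)
    shared = shared_accounts(signin_log)
    findings = []
    for principal in sorted(set(excess) | set(shared)):
        if principal in excess and principal in shared:
            sev = "high"
        elif principal in excess:
            sev = "medium"
        else:
            sev = "low"
        detail = {"excess": excess.get(principal, []),
                  "used_by": shared.get(principal, [])}
        findings.append((sev, principal, detail))
    return findings


if __name__ == "__main__":
    for sev, principal, detail in audit():
        print(f"[{sev}] {principal}: {detail}")
```

Run against a real environment, the role baselines would come from your access-control policy and the sign-in records from your identity provider's audit log; the point of the combined ranking is that a shared service account holding an unexplained grant is the finding to chase first, even though neither fact on its own would have raised an alarm.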

The questions to ask before onboarding AI

Treating a new AI tool like a new hire with access to sensitive data is the right mental model, Ravi said. That means asking specific questions before signing anything:

  • What data does the tool ingest, where is it stored, and which jurisdictions' laws apply?
  • Is the information used to train models that benefit other customers, or is it kept strictly within your environment?
  • What are the data retention rules, and what processes exist to request deletion?
  • What audit logs are maintained?

Answers matter. If a vendor cannot clearly separate your data from other customers' data, that's a dealbreaker. If retention policies are vague or deletion processes don't exist, walk away.

Audit reports, certifications, penetration test summaries, and incident records should back up vendor claims. Independent assurance isn't optional - it's how you verify that controls actually work.

What the contract must cover

Contracts need to be explicit about accountability. Specify what security controls the vendor commits to. Set breach notification timelines in days, not weeks. Define liability if a failure causes financial, regulatory, or reputational damage.

You also need the right to know who accesses your data and under what terms. Vendors should disclose their sub-processors - the vendors' vendors. A live inventory of all partners handling sensitive data, updated regularly, is non-negotiable.

Due diligence cannot be a one-time questionnaire. Assess vendor compliance periodically. Enforce minimum standards consistently.

The fourth-party problem

Small and mid-sized firms outsource enormous amounts of sensitive work: document review, financial modeling, cloud infrastructure. The risk cascades. Your vendor's vendor also touches client data.

Stop treating vendors as external third parties, Ravi said. Integrate them into your supply chain as partners with clear duties and responsibilities. You can outsource work, but you cannot outsource accountability to protect your clients' data.

The privilege problem

Legal privilege and confidentiality protections are essential. But under pressure, firms increasingly treat all data points as privileged. This slows threat intelligence sharing with regulators and peers - exactly when speed matters most.

Companies need a strategy to balance legal protections with timely, actionable information-sharing. Done well, this improves ecosystem resilience without compromising legal culture.

Making security a board-level control

Ravi's broader argument: security should be treated as a core business control, owned at the board level, measured consistently, and backed by independent assurance. This means fewer points of failure, faster containment when incidents occur, and more transparency.

That structural change would face resistance from firms accustomed to treating security as a compliance checkbox rather than a strategic function. But the cost of not making it is accumulating risk that no one owns.

For managing partners evaluating AI vendors, the principle is simple: ask hard questions, verify answers independently, and write contracts that hold vendors accountable. The firms that do this will sleep better than those that don't.
