The Due-Diligence Checklist
Ask these before you adopt.
Ten questions that surface every major risk of AI adoption — data, privilege, verification, governance — before any of them becomes yours.
01. The data questions.
1. Where is our data processed — and is that in the contract?
Marketing pages promise; contracts bind. UK GDPR turns on where processing actually happens.
2. How long is it retained?
“Deleted after 30 days” is a policy; “zero data retention” is a term. Know which you have.
3. Is it used to train models — and is that excluded in writing?
The single most consequential sentence in any AI agreement.
4. Who are the subprocessors?
Your data’s journey doesn’t end at the vendor. Every additional party is an additional risk you’ve accepted.
5. Does the tool’s tier match the material?
Consumer tools for public material; contracted enterprise routes for client work; the mismatch is where privilege goes to die.
02. The practice questions.
6. Who may use it, for what — and what is banned?
An AI policy that names permitted tools and prohibited uses beats a policy that gestures at “appropriate care”.
7. How do we verify outputs before they leave the building?
Citations checked against official sources, quotations searched in the source text, facts traced to documents. A workflow, not a hope.
8. What happens when it goes wrong?
Incident route, insurer notification, regulator engagement — decided now, calmly, not later, urgently.
9. Who owns AI competence?
Tools change monthly. Someone must own training, refreshers and keeping the policy current — by name, not by committee.
10. How will we know it’s working?
Time saved, quality maintained, incidents avoided. If you’re not measuring, you’re guessing — in both directions.
Good questions are half the work.
The other half is honest answers. If some of yours were uncomfortable, that’s exactly what we help with.