The demo was polished. They’re always polished. The account executive knew your industry, dropped your competitor’s name like a casual threat, and used the word “sovereign” exactly enough times to sound informed without having to prove anything. The slides had that specific shade of corporate blue that means “we spent real money on a design agency.” Forty-five minutes of pure, frictionless confidence. You almost forgot someone was selling you something.
Then Gary asked where inference runs.
Half a beat. Just half. Then a sentence that was technically accurate in the way a weather forecast for “partly cloudy” is technically accurate during Calgary hail storms. Two qualifying clauses. A reference to a partner arrangement that hadn’t been in the deck. A pivot to a roadmap slide that answered a question nobody asked. The seller in a suit recovered beautifully. They always do. Gary noticed anyway. Gary’s been having a rough year and he’s done trusting slide decks.
Most vendors are selling dream kitchens in buildings with plywood foundations. The questions below find out which is which. Seven of them. Print them out. Bring them to the meeting. Pay attention to what happens in the first three seconds after you ask. A straight answer arrives immediately. A carefully worded topic change arrives with a compliment about how great the question is. Seriously, what an insightful question, thanks for asking!
Use them on every vendor. Including us. Especially us. We’d prefer that.
The seven questions
1. Where does inference run, and under whose jurisdiction?
You want a clear answer naming where the compute lives, who operates it, and what law governs access requests. Not “Canadian region” with a pin on a map. The actual jurisdiction. The actual operator. If the answer requires a footnote, your customers will eventually hear about the foreign intrusion before you’re ready to explain it.
2. Who holds the encryption keys, and can anyone compel you to hand them over?
“We encrypt your data” and “you control the encryption” are different sentences with very different legal implications. If the vendor holds the keys, they control the data, regardless of where it’s stored. The answer you want is four words: “You hold the keys.”
3. Which AI models in your platform touch my data, and is my data opted into future deals I haven’t consented to?
You want a list. Specific model names, what data they ingest, whether outputs are used for training, and a straight answer about what happens when the vendor signs a new partnership next quarter. If the response is “our platform uses AI to enhance the experience” without specifics, they’re asking you to trust a black box with your customers’ data. HiddenLayer’s 2026 report found 76% of organizations have shadow AI. Some of it arrived in the invoice.
4. Describe the audit trail for an AI-driven decision in your platform. Is it baked in or assembled after the fact?
Architecture-level auditability means every agent action is logged automatically, every decision traceable to the policy that permitted it. Timestamped, immutable, available without anyone having to compile anything. If the vendor’s audit story starts with “we can generate a report,” the trail is reconstructed, not recorded. There’s a canyon between those two things and your auditor will find it.
5. What’s your incident response SLA for an AI-specific failure?
A phishing attack that compromised Gary’s credentials and a sleeper agent that’s been corrupting downstream decisions for three months are not the same problem. If the response is “our standard SLA covers all incidents,” it doesn’t. Different threat, different response, different expertise. Galileo AI showed one compromised agent can poison 87% of downstream decisions in four hours. Your network SLA wasn’t designed for that.
6. What happens to my data and my operations if your company (or vendor) gets acquired?
The company that was incorporated in Canada last Tuesday could be incorporated in Virginia next Tuesday if the acquiring entity decides to restructure. Contracts transfer. Jurisdictions change. You want a contractual provision that addresses this, not “we don’t anticipate any changes.” The best answer is a clause that lets you exit without penalty if the acquisition changes your compliance picture. The worst answer is a long pause, or "oh don't worry".
7. If a tariff, an acquisition, or a trade dispute makes my current stack untenable, how quickly can I pivot?
This is the Canadian question. Your data is on a US platform. The trade relationship shifts with a threat. Your customers are already posting about it. Now what? You’re not asking whether leaving is free. You’re asking whether the vendor buried you so deep in proprietary integrations that changing direction requires a multi-year migration and a prayer. If the answer sounds like a Leafs rebuild plan, all hope and no timeline, you already know how it ends.
Gary asked question seven
Gary sat in the meeting. Heard the polished demo. Watched the room start nodding. Right before someone suggested moving to pricing, Gary leaned forward and asked: if the trade situation changes next year and we need to move our AI workloads off your platform, what does that look like in practice?
The room changed temperature. Not because the question was hostile. Because it was specific, and specific questions are the ones that separate vendors who built for flexibility from vendors who built for lock-in. The ones worth keeping don’t flinch. They built for it. They want you to ask because the answer is their best material. The ones who aren’t worth keeping will compliment your question, consult their colleague, promise to follow up, and hope you forget by the time the contract lands.
A vendor that locks you into their ecosystem so deeply that a tariff announcement becomes an operational crisis isn’t a partner. It’s a dependency. And in AI security, where the threat moves at machine speed and the regulatory landscape shifts every quarter, a dependency you can’t unwind is a vulnerability with a subscription fee.
ISM exists as that operational layer between your organization and the technology stack underneath it. One contract. Flexibility to shift vendors, platforms, and cloud providers as the landscape moves. Canadian-cleared people who answer the phone in Regina because that’s where they live. Audit trails by design, not by request. When Azure needs to become AWS, or a vendor partnership changes the compliance picture, the architecture flexes because it was built to flex. Not because someone filed a change request and waited eight months.
The gates are always rattling. The AI on the other side of the wall doesn’t attend vendor meetings and couldn’t care less about anyone’s quarterly targets. What meets it when it tries the handle depends entirely on whether the vendor you picked could answer seven questions without reaching for a slide deck.
Read next
The final article in the series is about what it looks like when all of this works. Not the dramatic save. Not the near miss. A Tuesday morning where nothing happened. Where the AI processed what it was supposed to, the compliance report generated itself, and the CISO’s phone stayed quiet. That silence is the most valuable outcome in security. What it looks like when AI security works.
Cites
HiddenLayer 2026 AI Threat Landscape Report: 76% shadow AI adoption, 1 in 8 breached via agentic AI
Galileo AI: Single compromised agent poisoning 87% of downstream decisions in four hours
Microsoft France testimony to French Senate, June 2025: inability to guarantee data sovereignty regardless of storage location
