The procurement question that is about to cost you deals

Large buyers are rewriting their supplier assurance frameworks to include AI, and ISO 42001 is becoming the price of entry to the conversation. Here is what that change looks like up close.

By Paul Kennedy

A few months ago a friend who runs sales for a mid-sized technology business called me about a deal that had gone sideways. They were the incumbent supplier, the renewal was supposed to be procedural, and at the last minute the client’s procurement team had sent across a revised vendor due diligence questionnaire. There were thirty-eight questions on AI governance. His team had answers to about eight of them.

The client didn’t pull the contract. They didn’t have to. They attached a remediation plan to the renewal with a six-month deadline and a clause that let them terminate without penalty if the answers weren’t satisfactory. His team is now spending the kind of money on consultants that, twelve months ago, would have been spent on a sales kick-off.

The leading edge of a procurement shift

This is the leading edge of a change moving through enterprise procurement, and it is moving faster than most boards have noticed. Large buyers - banks, insurers, government departments, pharmaceutical companies, increasingly anyone in a regulated sector - are rewriting their supplier assurance frameworks to include AI. The questions are getting longer and more specific.

“Do you use AI in the services you provide to us?” has become:

Provide your AI risk register, your most recent AI impact assessments for in-scope systems, your AI incident history, your sub-processor list including AI vendors, and your roadmap for AI management system certification.

The vendors who can answer those questions will keep their contracts. The ones who can’t are going to spend the next two years explaining themselves at every renewal.

Why procurement teams reach for ISO 42001

ISO 42001 (ISO/IEC 42001, the AI management system standard) sits in the middle of this picture because it is the standard procurement teams are starting to reference. Not because any regulator has yet required it - they haven't - but because procurement teams are pattern-matchers, and they already know how to evaluate an ISO 27001 certified supplier: check the certificate, its scope and the audit findings. They do not yet know how to evaluate AI claims made on a website.

When ISO 42001 certification is on the table, the procurement conversation gets dramatically shorter, because it lets the buyer move from interrogation to verification.

I want to be careful not to overstate this. Certification is not a magic key. A serious enterprise buyer will look behind the certificate - starting with whether its scope actually covers the systems they are buying - and ask real questions about real systems, and a thin implementation will be visible in about twenty minutes of conversation with whoever your AI lead happens to be. But certification is becoming the price of entry to the conversation. Without it, you increasingly don't get to the part where you can demonstrate competence.

A commercial question, not a compliance one

If you sell into regulated industries, into government, or into any enterprise that takes third-party risk seriously, ISO 42001 is a commercial question more than a compliance one. The companies investing in it now are not doing it to avoid a fine. They are doing it because they have worked out, ahead of their competitors, that in eighteen months’ time the absence of an AI management system will cost them deals they would otherwise have won.

That cost is rarely visible in the moment. The customer who quietly takes you off the shortlist doesn’t usually write to tell you why.

The companies that wait will get the same lesson, but they will pay tuition for it.
