How to Choose an AI Vendor: Criteria That Actually Matter

Choosing an AI vendor for your SMB has become a strategic decision in its own right. The market is crowded with providers who are fluent in slide decks and ChatGPT demos but rarely ship to production. This guide gives you 12 concrete criteria to evaluate an AI agency before you sign, along with the red flags to spot and the exact questions to ask in your first meeting.

Why vendor selection cannot be improvised

A poorly started AI project does not recover easily. You have invested time, exposed internal data, and mobilized your teams. If the vendor delivers a prototype that never reaches production, the real cost far exceeds the invoice.

The market now includes hundreds of actors presenting themselves as "AI agencies." Most are legitimate. Some only master the API assembly layer, with no real deployment capability and no domain expertise. The difficulty is distinguishing them before you sign.

The criteria below come from what we observe in practice, across SMB projects ranging from roughly 8,000 to 80,000 EUR. They do not replace a prior AI scoping audit, but they let you qualify a vendor quickly during your first exchanges.

The 12 criteria for evaluating an AI vendor

Criterion 1: Vertical experience in your sector

A competent AI vendor talks about your business constraints before mentioning technologies. If they know your sector, they will spontaneously raise the recurring problems: data quality in manufacturing, confidentiality in legal, real-time constraints in logistics.

Ask for two projects completed in your sector or a closely related one, with measured outcomes at delivery. If the answer stays vague, they do not have them.

Criterion 2: Verifiable references, not just logos

A client logo on a website proves nothing. What matters: a contact name at the client, a published case study with specific numbers, or an accessible write-up. Offer to speak directly with a reference client. A vendor confident in their work will agree.

Also review their public technical presence: GitHub, portfolio, published articles. A complete absence of any public trace of their technical work is a warning sign.

Criterion 3: Transparency about AI limitations

A good vendor tells you what AI cannot do in your context. They discuss hallucinations, data quality dependencies, and integration constraints. A vendor who mentions no limitations is selling a pitch, not expertise.

This transparency is a marker of technical maturity. It also protects your teams, who need to understand what they are supervising once the solution is live.

Criterion 4: POC before production

Any serious AI project goes through a validation phase on your real data before committing a production budget. This proof of concept typically runs 2 to 6 weeks and costs between 3,000 and 10,000 EUR depending on complexity.

A vendor who jumps straight to a 50,000 EUR deployment contract without a pilot phase is taking risks with your budget. A paid, scoped POC is a mark of seriousness, not an obstacle. For how this scoping phase connects to an audit, see our article on how to launch an AI project realistically.

Criterion 5: Data sovereignty and GDPR compliance

Where is your data hosted during the project? Is your data used to improve the vendor's models or those of their third-party providers? These questions are not secondary: they determine your regulatory compliance.

Require a Data Processing Agreement (DPA) before any data sharing. Verify that servers are located in the European Union. In 2026, the EU AI Act imposes additional obligations on high-risk systems. Your vendor should be able to guide you on this. Our article on AI Act compliance for SMBs covers the concrete checkpoints.

Criterion 6: Real production deployments vs. slideware

The difference between a demo and a solution in production is substantial. Ask to see deployed solutions at client sites, not local prototypes or demos on synthetic data.

Ask directly: "How many projects did you take to production at client sites in 2025?" A vendor prolific in audits but thin on production deployments needs to explain that clearly.

Criterion 7: Training and knowledge transfer to your teams

An AI solution deployed without training your teams quickly becomes a black box that nobody knows how to operate. Ask whether a training phase is included, in what form (documentation, hands-on sessions, post-deployment support), and who delivers it.

AI projects that last are those where the internal team understands what it uses and can handle standard operating scenarios without depending on the vendor for every issue. Our guide on AI adoption in organizations covers the formats that work in practice for SMBs.

Criterion 8: Contract structure (fixed-price vs. time-and-materials)

For a defined scope (POC, development of a specific feature), require a fixed-price contract. It locks in the price, timeline, and deliverables. Time-and-materials billing (by the day or hour) can work for continuous post-production evolution, but it exposes you to budget overruns if scope is not controlled.

Be wary of proposals that put everything on a time-and-materials basis for work that could be scoped as fixed-price. This is often a signal that the vendor is uncertain of their own ability to commit.

Criterion 9: Actual team size and composition

The proposal is often presented by senior profiles, but who will actually be on your project? Ask for the CVs of the people who will do the work, not those of the founding team.

A 3-person agency can deliver a quality SMB project. A 50-person agency can assign an unsupervised junior to your engagement. What matters is the actual project team composition, their availability, and the accessibility of the technical lead.

Criterion 10: Documented and mastered tech stack

Ask which technologies the vendor uses and why. A solid answer explains the tradeoffs: why this LLM over another, why this hosting infrastructure, how they handle model versioning. A vendor who uses the same tools for every project without justifying them is applying a recipe, not expertise.

Also verify that the chosen stack is sustainable and maintainable by your teams or by another vendor if you switch.

Criterion 11: Reversibility terms

If the relationship ends, what do you get back exactly? The source code, models trained on your data, technical documentation? In what format and within what timeframe?

Reversibility must be written into the contract. It protects your operational continuity and prevents proprietary lock-in. A vendor who resists including this clause should be questioned about their motivations.

Criterion 12: Ownership of data and code

By default in many jurisdictions, a vendor may retain rights over the code they develop. Only an explicit intellectual property assignment clause guarantees that you own what was produced for you.

Also verify who owns the training data used, and whether the models produced can be reused, modified, or shared without restriction on your end.

Red flags: signals that should make you walk away

Warning signals

01 Quantified promises with no prior audit. "We will save you 40% on your data processing" before they have analyzed your context. A number without a prior audit is a marketing claim, not a commitment.
02 Demos built entirely on public consumer tools. If every demonstration runs through ChatGPT.com or Copilot, ask them how it holds up in production on your internal data, behind your information systems.
03 No published case studies and no reference contacts available. Two years of activity with no published case study and no client willing to testify is abnormal.
04 No public technical presence at all. No GitHub, no technical publication, no portfolio. In a sector where credibility is built through demonstration, this opacity warrants scrutiny.
05 Refusal of a paid, scoped POC. A vendor who refuses to validate feasibility on your data before deploying wants to lock you in without a safety net. That benefits them, not you.
06 No mention of limitations or risks. A 100% positive discourse on AI is always a sales pitch. AI has real limitations: data quality, infrastructure cost, maintenance, governance. A vendor who ignores them is setting you up for an unpleasant surprise.
07 Contract with no reversibility clause and no IP assignment. If these clauses are absent from the standard contract, ask for them in writing. If the vendor refuses, do not sign.

Questions to ask at the first meeting

These questions are written to be asked directly, copy-pasted if needed, during a first exchange with an AI vendor. The answers will tell you what you need to know in under an hour.

On field experience

"Can you name two projects in my sector with the results measured at delivery?"
"What share of your projects have you taken all the way to production, versus POCs and audits that did not proceed?"
"What is the most difficult project you delivered in the last 18 months, and what went wrong?"

On method and technology

"What is your standard tech stack for a project like this, and why that choice?"
"How do you handle model versioning and maintenance after go-live?"
"Who will actually be working on my project? Can you share their CVs?"

On data and compliance

"Where will my data be hosted during the project?"
"Will my data be used to train or improve your models or those of your third-party providers?"
"Do you have a standard DPA you can share before we start?"

On the contract and exit terms

"Does your standard contract include an intellectual property assignment clause in my favor?"
"What happens if we decide to stop the collaboration mid-project? What do I get back, in what format, and by when?"
"How does reversibility work if I want to transfer maintenance to another vendor in 18 months?"

On limitations and risks

"Under what conditions does this type of project fail? What depends on me?"
"What are the limitations of the approach you are proposing for my use case?"
"What data quality is required for this to work, and how do you assess that upfront?"

If a vendor answers these questions easily and precisely, that is a good sign. If they deflect, reframe without answering, or appeal to trust rather than facts, take note.

To go further on budgeting your project, see our article on the true cost of an AI project, which gives realistic ranges by type of engagement.

Talk to an engineer

Evaluating vendors and not sure who to trust? We will give you an honest second opinion in one call.

Book a call

Frequently asked questions

Ask them to name two or three projects in your sector with measurable outcomes (time saved, error rate reduced, volume processed). A credible vendor describes the business constraints they encountered, not just the technology they used. If the answer is vague or tool-centric, that is a warning sign.

Yes, and it is actually a good sign. A serious vendor proposes a scoped POC (2 to 6 weeks, roughly 3,000 to 10,000 EUR) to validate feasibility on your real data before committing a production budget. A vendor who skips the POC and goes straight to a 50,000+ EUR deployment contract is taking a risk at your expense.

You should. Ownership of the source code and any models trained on your data must be explicitly stated in the contract. Require an intellectual property assignment clause in your favor. Without it, the vendor can legally retain rights over what they built for you, creating a problematic dependency.

Ask to see their standard Data Processing Agreement (DPA), confirm where servers are hosted (EU or non-EU), and ask whether your data will be used to train OpenAI or other third-party models. A rigorous vendor has these documents ready and shares them without needing to be asked twice.

A fixed-price contract locks in scope, price, and delivery date: you know what you are paying. Time-and-materials bills by the day or hour: you pay for time spent, with the risk of cost overruns if scope is not tightly controlled. For a well-defined POC, fixed-price is preferable. For ongoing post-production evolution, time-and-materials can work. Be wary of entire projects proposed on a pure time-and-materials basis with no budget ceiling.

Reversibility guarantees that you can recover your data, code, and model if you switch vendors or end the relationship. It should specify: the format of recoverable deliverables (source code, models, structured data), the handover timeline (typically 30 to 60 days), and knowledge transfer conditions. Without a reversibility clause, you risk a proprietary lock-in that is expensive and disruptive to unwind.

For an SMB, a specialized AI agency of moderate size (5 to 30 people) typically offers a better expertise-to-responsiveness ratio. Large firms tend to delegate SMB projects to junior profiles, while specialized agencies put their best people on every engagement. What matters is who will be on your project, not who signs the proposal.

Next step

Tensoria helps SMBs and mid-market companies select and deploy AI solutions suited to their business context. We practice the criteria listed in this article: paid and scoped POC, code ownership transferred to the client, contractual reversibility, dedicated team on every engagement.

See our AI audit offering to start with a structured scoping, or book a 30-minute call to discuss your project with no obligation.