No governance, no deal: the new AI buying rule

AI is moving into production, and procurement teams are raising the bar on risk and accountability.

Article link: https://open.substack.com/pub/johanosteyn/p/no-governance-no-deal-the-new-ai?r=73gqa&utm_campaign=post&utm_medium=web&showWelcomeOnShare=true

Audio summary: https://youtu.be/9J_5Vp4s4fg

Follow me on LinkedIn: https://www.linkedin.com/in/johanosteyn/

For years, AI sales have been driven by excitement. A compelling demo, a few bold claims about productivity, and a promise that “everyone else is doing it” often carried deals over the line. That era is ending. AI is becoming operational, embedded into workflows that touch customers, money, personal data, and reputations. As that happens, procurement is changing its posture. 

Buyers are asking harder questions, and the smartest ones are applying a simple rule: if you cannot demonstrate governance, you do not get the contract. In many organisations, AI is no longer being bought by innovation teams alone. It is being bought by risk-aware committees, and that changes what wins.

CONTEXT AND BACKGROUND

Procurement has always been about risk, but software buying over the last decade created a strange gap. Cloud subscriptions made it easy to trial tools quickly, and “shadow IT” became normal. AI accelerated that pattern. Staff could sign up, experiment, and quietly integrate tools into daily work long before governance caught up.

Now the cost of casual adoption is clearer. AI systems can leak sensitive data, generate incorrect outputs with confidence, embed bias into decisions, and create new security vulnerabilities. They can also change quickly, because vendors update models, tweak features, and introduce new capabilities without the customer fully understanding what changed.

At the same time, regulators and customers are raising expectations. Even when a specific law is not directly enforced in your market yet, global norms are forming around transparency, auditability, and accountability. Procurement is where those norms become real, because contracts turn expectations into obligations.

INSIGHT AND ANALYSIS

The biggest shift is that procurement is moving from “does it work?” to “can we control it?” AI is not being evaluated like a normal SaaS tool. It is being evaluated as a system that can influence decisions and actions.

This is why governance is becoming a competitive differentiator. Buyers want to see who owns the system, what data it touches, what the boundaries are, and what happens when it fails. They want proof that you can manage model changes, prevent sensitive data from being used inappropriately, and investigate incidents when something goes wrong.

In practice, this translates into a new procurement checklist. Buyers ask for an AI inventory of features, a clear description of the intended use, data flows, retention policies, and security controls. They ask for human oversight mechanisms, especially where AI can influence high-impact outcomes. They ask for logging and audit trails, because “trust us” does not survive an incident review. They ask for incident response commitments because mistakes are no longer theoretical.

There is also a subtle power shift happening. Procurement is learning that AI vendors can be sticky. Once a model is embedded into workflows, switching is painful. That creates lock-in risk. So procurement teams are pushing harder on portability, model change notifications, and contractual safeguards that limit unexpected surprises.

IMPLICATIONS

If you are a buyer, treat AI governance as a precondition, not a “phase two”. Start with a simple question: where will this AI be used, and what could go wrong? Then require evidence: policy is not enough. Ask for controls you can actually verify. Insist on clarity around data, model updates, monitoring, and escalation. Build internal alignment so business units cannot bypass the rules and create untracked exposure.

If you are a vendor, the message is blunt: you need a compliance pack as much as a product deck. Have a clear explanation of how your system works, what you log, how you prevent data misuse, how you handle model changes, and how customers can audit and troubleshoot outcomes. Make your governance easy to understand and easy to prove. Your best competitors will.

If you are an internal AI champion, stop overselling speed and start designing trust. When procurement is sceptical, it is not trying to block innovation. It is trying to avoid becoming the person who approved the next headline.

CLOSING TAKEAWAY

AI buying is growing up. As AI moves from experimentation into core operations, procurement is becoming the gatekeeper of what gets deployed, and the gate is closing on hype. The new rule is simple: no governance, no deal. That is not bad news for AI. It is good news for everyone who wants AI to be sustainable, safe, and worth the investment. The organisations that win will be those who can demonstrate control, not just capability, and who understand that trust is now part of the product.

Author Bio: Johan Steyn is a prominent AI thought leader, speaker, and author with a deep understanding of artificial intelligence’s impact on business and society. He is passionate about ethical AI development and its role in shaping a better future. Find out more about Johan’s work at https://www.aiforbusiness.net