
What Your Customers Are About to Ask You About AI — And What Happens If You Don't Have Answers


Executive Summary

  • Procurement teams, auditors, and legal departments at your customers and partners are adding AI governance questions to vendor assessments, RFIs, and due diligence questionnaires. AI due diligence is becoming a standard annex in enterprise RFPs as the EU AI Act and ISO 42001 reshape buyer expectations. The company that has answers looks mature. The company caught flat-footed looks careless — or worse, looks like it has something to hide.
  • Only 21% of organizations have fully mapped and documented their AI use cases (McKinsey State of AI, March 2025). At mid-market scale, the number is almost certainly lower. The gap between “using AI” and “being able to describe how” is where deals stall and relationships fracture.
  • 84% of customers will abandon or restrict engagement with companies that cannot demonstrate AI transparency, and 76% will switch to a competitor that can — even at a higher price (Relyance AI Trust Survey, n=1,000+ U.S. consumers, December 2025). This is not a compliance abstraction. It is a revenue risk.
  • Three questions are arriving now, not next year: What AI do you use? What data does it touch? What governance is in place? A 200-person company with prepared answers to these three questions controls the conversation. One without them loses it.

The Shift: From “Do You Use AI?” to “Prove You Govern It”

Twelve months ago, the AI question in a vendor assessment was simple: “Do you use AI?” A yes or no sufficed. That era is over.

Modern procurement teams ask about AI inventories, risk classification methodologies, and human oversight controls. The questions have moved from curiosity to verification. Buyers are not asking whether you use AI — they assume you do. They want evidence of responsible governance.

The driver is regulatory pressure cascading through supply chains. California’s AI Transparency Act (SB 942) requires disclosure of AI-generated content as of January 2026. The Colorado AI Act imposes documentation and oversight obligations for high-risk AI systems. The EU AI Act creates compliance obligations for any company serving EU customers. State legislators introduced over 1,100 AI-related bills in 2025 alone, with roughly 100 becoming law.

But the more immediate driver is procurement behavior. Gartner reports that 83% of Fortune 500 procurement teams plan to require ISO 42001 alignment from technology vendors by 2027. Enterprise buyers are not waiting for regulation to mandate disclosure — they are writing it into contracts now. FINRA’s 2025 regulatory oversight report explicitly evaluates vendor oversight practices including visibility into vendors’ use of artificial intelligence. The SEC’s Division of Examinations is assessing AI governance as part of Regulation S-P and S-ID vendor oversight.

For a mid-market company selling to larger enterprises, this is not theoretical. The next RFI will include an AI governance section. The question is whether the sales team has answers ready.


The Three Questions and What Customers Actually Want to Hear

Question 1: What AI Do You Use?

This sounds simple. It is not. The IBM 2025 Cost of a Data Breach Report finds that 63% of breached organizations either lack an AI governance policy or are still developing one. If leadership cannot produce an AI inventory — a list of every AI tool, feature, and embedded capability in use across the organization — the answer to this question defaults to “we don’t know.”

The answer customers want is specific: “Here is what we use, where we use it, and why.” Not a paragraph of reassurance. A list.

What to document:

  • Every AI tool employees use directly (ChatGPT, Copilot, Gemini, Claude)
  • Every AI feature embedded in existing software (Salesforce Einstein, Microsoft Copilot in M365, Zoom AI Companion)
  • Every AI-adjacent automation (chatbots, automated email systems, predictive analytics)
  • Which of these tools process customer data versus internal data only

Question 2: What Data Does It Touch?

This is the question that creates liability. CIO magazine reports that 88% of AI technology providers cap their liability at a single month’s subscription fee. If a vendor’s AI tool mishandles customer data, the contractual protection is negligible. Your customer knows this — which is why they are asking you the same question.

The Relyance survey finds 81% of consumers believe companies are training AI on their data without disclosure. Four in five of your customers’ customers already suspect this is happening. When your customer asks what data your AI touches, they are managing their own downstream risk.

What to document:

  • Whether customer PII, financial data, or proprietary information enters any AI system
  • Whether any AI tool uses customer data for model training (and whether you have opted out)
  • Data residency: where customer data is processed and stored when AI tools handle it
  • Third-party AI sub-processors: if you use Salesforce and Salesforce uses OpenAI, your customer has a three-party data chain they need to understand

Question 3: What Governance Is in Place?

This is where the 200-person company either looks credible or looks exposed. Deloitte’s State of AI in the Enterprise survey (n=3,235 leaders, August-September 2025) finds that only 21% of companies have a mature governance model for AI systems. The AI risks companies worry about most are governance risks: data privacy and security (73%), legal and regulatory compliance (50%), and governance capabilities and oversight (46%).

Your customer is not asking for perfection. They are asking for evidence that someone is paying attention. An acceptable use policy, a named person responsible for AI oversight, a documented process for evaluating new AI tools — these are table stakes, not aspirational goals.

What to document:

  • Your AI acceptable use policy (if it does not exist, create it before the next customer meeting)
  • Who owns AI governance — a named role, not “IT handles it”
  • How you evaluate and approve new AI tools before deployment
  • Your incident response process for AI-related data exposure

The Revenue Impact of Being Unprepared

The data on customer switching behavior is striking. The Relyance survey finds:

| Customer Response to AI Opacity | Percentage |
|---|---|
| Stop using vendor’s products entirely | 57% |
| Continue but limit data sharing | 27% |
| Continue with no changes | 16% |

That is 84% of customers who will take action — and more than half who will leave entirely. The first company in an industry to demonstrate AI transparency captures 76% of the addressable market willing to switch. This is not a compliance cost. It is a competitive advantage with a first-mover premium.

For a mid-market company competing against larger rivals, this dynamic is actually favorable. A 300-person company can produce a one-page AI governance summary faster than a 30,000-person company can navigate internal approvals. Speed is the advantage — but only if someone starts.

The Workday case illustrates the downside. Workday faces an unresolved EEOC lawsuit alleging its AI-powered recruiting software discriminated against applicants. Whether the lawsuit succeeds or not, every company using Workday’s AI features now faces a downstream question from its own employees and regulators: “Did you know your vendor was using AI to make hiring decisions? What oversight did you have?”

That question is coming for every vendor relationship, not just HR technology.


Key Data Points

| Metric | Finding | Source |
|---|---|---|
| Companies with fully mapped AI use cases | 21% | McKinsey State of AI, March 2025 |
| Customers who would abandon opaque AI vendors | 84% | Relyance AI Trust Survey, n=1,000+, December 2025 |
| Customers willing to switch for transparency (even at higher price) | 76% | Relyance AI Trust Survey, n=1,000+, December 2025 |
| Organizations with mature AI governance models | 21% | Deloitte State of AI in the Enterprise, n=3,235, 2025 |
| Organizations lacking AI governance policies among those breached | 63% | IBM 2025 Cost of a Data Breach Report |
| AI technology providers that cap liability at one month’s fee | 88% | CIO magazine analysis, 2025 |
| Fortune 500 procurement teams planning to require ISO 42001 alignment | 83% | Gartner 2025 survey |
| Mid-market firms needing outside help for AI implementation | 70% | RSM Middle Market AI Survey, n=966, February-March 2025 |
| Companies citing data privacy/security as top AI risk | 73% | Deloitte State of AI in the Enterprise, n=3,235, 2025 |

What This Means for Your Organization

The three questions — what AI do you use, what data does it touch, what governance is in place — are not hypothetical. They are appearing in vendor assessments, renewal conversations, and partnership evaluations right now. The regulatory cascade from California, Colorado, and the EU AI Act is accelerating the timeline, but procurement behavior is moving faster than legislation.

The practical next step is a one-page AI governance summary that the sales team can attach to any customer questionnaire. It does not need to be comprehensive. It needs to be honest, specific, and current. A document that says “here are the four AI tools in use across the organization, here is what data they access, here is the policy governing them, and here is who is responsible” answers 90% of what a customer will ask in 2026.

Most mid-market companies can produce this document in a working afternoon — if someone who understands both the technology and the business context leads the effort. The gap is not knowledge or time. It is knowing what to put in the document and what to leave out. If that framing raised questions specific to your organization, I’d welcome the conversation — brandon@brandonsneider.com


Sources

  1. McKinsey State of AI 2025 — “The State of AI: How Organizations Are Rewiring to Capture Value” (March 2025). Independent consulting survey. 78% of organizations report using AI in at least one function; only 21% have fully mapped use cases. Credibility: High — large-scale independent survey, annual methodology. https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai

  2. Relyance AI Consumer Trust Survey — n=1,000+ U.S. consumers, December 2025, conducted with Truedot.ai. Nationally representative sample, ±3.2% margin of error. 84% would abandon or restrict vendors over AI opacity; 76% would switch for transparency at higher cost. Credibility: Moderate-high — vendor-commissioned but rigorous methodology and nationally representative sample. https://www.relyance.ai/consumer-ai-trust-survey-2025

  3. Deloitte State of AI in the Enterprise 2026 — n=3,235 leaders surveyed August-September 2025. 21% report mature AI governance; 73% cite data privacy as top AI risk. Credibility: High — large sample, Big Four methodology, eighth annual edition. https://www.deloitte.com/us/en/what-we-do/capabilities/applied-artificial-intelligence/content/state-of-ai-in-the-enterprise.html

  4. IBM 2025 Cost of a Data Breach Report — Annual report. 63% of breached organizations lack AI governance policies; 97% lacked proper AI access controls among those with AI-related breaches. Credibility: High — independent research with Ponemon Institute, long-running methodology. https://www.atlassystems.com/blog/ai-vendor-risk-questionnaire

  5. RSM Middle Market AI Survey 2025 — n=966 respondents, February-March 2025, U.S. and Canada mid-market decision-makers. 70% need outside help; 92% encounter implementation challenges. Credibility: High — targeted mid-market sample, conducted with Big Village. https://rsmus.com/insights/services/digital-transformation/rsm-middle-market-ai-survey-2025.html

  6. CIO Magazine — “Your Vendor’s AI Is Your Risk: 4 Clauses That Could Save You from Hidden Liability” (2025). 88% of AI vendors cap liability at one month’s fee. Credibility: Moderate-high — trade publication, cites primary data. https://www.cio.com/article/4081326/your-vendors-ai-is-your-risk-4-clauses-that-could-save-you-from-hidden-liability.html

  7. Gartner — Multiple 2025 reports. 83% of Fortune 500 procurement teams planning ISO 42001 vendor requirements by 2027; 40% of AI data breaches by 2027 from cross-border GenAI use. Credibility: High — premier analyst firm. https://www.gartner.com/en/cybersecurity/products/third-party-cybersecurity-insights

  8. California AI Transparency Act (SB 942) — Effective January 1, 2026. Requires disclosure of AI-generated content. Primary source: state legislation.

  9. FINRA 2025 Annual Regulatory Oversight Report — Third-party risk landscape section evaluates vendor AI use oversight. Credibility: High — regulatory body, primary source. https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report/third-party-risk


Brandon Sneider | brandon@brandonsneider.com March 2026