How to Conduct AI Vendor Evaluation¶
Ready to Use
Quick Reference
- Four pillars: Technical capability, business value, compliance/security, vendor viability
- Use for: AI software, platforms, SaaS, consulting partners, build vs buy
- Key outputs: Requirements matrix, evaluation scorecard, due diligence report
- Related tools: TCO Calculator, ROI Calculator
Purpose¶
This guide provides a structured approach to evaluating AI vendors and solutions for government procurement, ensuring compliance, value for money, and fit for purpose.
When to Use This Guide¶
Use this evaluation process when: - Procuring AI/ML software or platforms - Engaging AI solution providers - Evaluating AI-as-a-Service offerings - Assessing AI consulting partners - Comparing build vs buy options
Evaluation Framework Overview¶
flowchart TB
EVAL["<strong>AI VENDOR EVALUATION</strong>"] --> TECH & BIZ & COMP & VIAB
subgraph TECH["<strong>TECHNICAL<br/>CAPABILITY</strong>"]
T1[Accuracy]
T2[Scalability]
T3[Integration]
T4[MLOps]
end
subgraph BIZ["<strong>BUSINESS<br/>VALUE</strong>"]
B1[ROI]
B2[TCO]
B3[Flexibility]
B4[Time value]
end
subgraph COMP["<strong>COMPLIANCE<br/>& SECURITY</strong>"]
C1[Privacy]
C2[Security]
C3[Ethics]
C4[Compliance]
end
subgraph VIAB["<strong>VENDOR<br/>VIABILITY</strong>"]
V1[Stability]
V2[References]
V3[Support]
V4[Roadmap]
end
style EVAL fill:#e3f2fd,stroke:#1976d2,stroke-width:2px
style TECH fill:#e8f5e9,stroke:#388e3c,stroke-width:2px
style BIZ fill:#fff3e0,stroke:#f57c00,stroke-width:2px
style COMP fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
style VIAB fill:#e0f2f1,stroke:#00796b,stroke-width:2pxStep 1: Define Requirements¶
Requirements Gathering Template¶
## AI Solution Requirements
### Business Requirements
| # | Requirement | Priority | Acceptance Criteria |
|---|-------------|----------|---------------------|
| B1 | | Must/Should/Could | |
| B2 | | | |
### Functional Requirements
| # | Requirement | Priority | Acceptance Criteria |
|---|-------------|----------|---------------------|
| F1 | | Must/Should/Could | |
| F2 | | | |
### Non-Functional Requirements
| # | Requirement | Target | Minimum |
|---|-------------|--------|---------|
| Performance | Response time | <500ms | <2s |
| Availability | Uptime | 99.9% | 99.5% |
| Scalability | Concurrent users | 1000 | 500 |
| Accuracy | Model accuracy | 95% | 90% |
### Compliance Requirements
| # | Requirement | Mandatory |
|---|-------------|-----------|
| Privacy Act compliance | Yes |
| PSPF alignment | Yes |
| Data sovereignty (Australian) | Yes |
| Accessibility (WCAG 2.1) | Yes |
### Integration Requirements
| System | Integration Type | Criticality |
|--------|-----------------|-------------|
| | API/File/Event | High/Med/Low |
Step 2: Vendor Shortlisting¶
Initial Screening Criteria¶
| Criterion | Requirement | Knockout |
|---|---|---|
| Australian presence | Support availability | Yes |
| Government experience | Previous contracts | No |
| Data sovereignty | AU data centers | Yes |
| Security certification | ISO 27001 or equivalent | Yes |
| Financial stability | 3+ years operating | No |
| References | 3+ verifiable | No |
Market Scan Approach¶
- Request for Information (RFI): Broad market scan
- Industry research: Analyst reports, peer reviews
- Existing panel suppliers: Check whole-of-government panels
- Peer agencies: What solutions are other agencies using?
Step 3: Evaluation Criteria¶
Scoring Matrix¶
| Category | Weight | Subcriteria |
|---|---|---|
| Technical Capability | 35% | |
| Model Performance | 15% | Accuracy, precision, recall |
| Scalability | 8% | Growth capacity, performance under load |
| Integration | 7% | API quality, existing connectors |
| MLOps Maturity | 5% | Monitoring, retraining, versioning |
| Business Value | 25% | |
| Total Cost of Ownership | 12% | Implementation + 5-year operations |
| Time to Value | 8% | Implementation timeline |
| Flexibility | 5% | Customization, configuration |
| Compliance & Security | 25% | |
| Data Privacy | 10% | PII handling, consent, retention |
| Security | 10% | Access controls, encryption, audit |
| Ethics & Fairness | 5% | Bias testing, explainability |
| Vendor Viability | 15% | |
| Financial Stability | 5% | Revenue, funding, growth |
| References | 5% | Government experience |
| Support & Roadmap | 5% | SLAs, future direction |
Scoring Scale¶
| Score | Description |
|---|---|
| 5 | Exceeds requirements significantly |
| 4 | Exceeds requirements |
| 3 | Meets requirements |
| 2 | Partially meets requirements |
| 1 | Does not meet requirements |
| 0 | Non-compliant / knockout |
Step 4: Technical Evaluation¶
Capability Assessment¶
## Technical Capability Assessment
### Model Performance
| Test | Vendor A | Vendor B | Vendor C |
|------|----------|----------|----------|
| Accuracy on test set | | | |
| Precision | | | |
| Recall | | | |
| F1 Score | | | |
| Performance on edge cases | | | |
### Scalability Testing
| Test | Target | Vendor A | Vendor B | Vendor C |
|------|--------|----------|----------|----------|
| Max concurrent requests | 500 | | | |
| Response time under load | <1s | | | |
| Auto-scaling capability | Yes | | | |
| Peak capacity | 2x normal | | | |
### Integration Assessment
| Aspect | Vendor A | Vendor B | Vendor C |
|--------|----------|----------|----------|
| API documentation quality | | | |
| Authentication options | | | |
| Existing connectors | | | |
| Webhook/event support | | | |
| Data format flexibility | | | |
Proof of Concept (PoC)¶
When to conduct a PoC: - High-value procurement (>$500k) - Novel technology - Critical system integration - Top 2-3 shortlisted vendors
PoC Evaluation Checklist: - [ ] Use realistic data (anonymized if needed) - [ ] Test actual use cases - [ ] Evaluate with real users - [ ] Measure against defined metrics - [ ] Document implementation effort - [ ] Assess vendor support quality
Step 5: Commercial Evaluation¶
Total Cost of Ownership¶
## 5-Year TCO Comparison
### One-Time Costs
| Cost Item | Vendor A | Vendor B | Vendor C |
|-----------|----------|----------|----------|
| Licensing (initial) | | | |
| Implementation services | | | |
| Integration development | | | |
| Training | | | |
| Data migration | | | |
| **Subtotal** | | | |
### Annual Recurring Costs
| Cost Item | Vendor A | Vendor B | Vendor C |
|-----------|----------|----------|----------|
| Subscription/license | | | |
| Support & maintenance | | | |
| Infrastructure | | | |
| Internal operations | | | |
| **Subtotal (Annual)** | | | |
### 5-Year TCO Summary
| | Vendor A | Vendor B | Vendor C |
|---|----------|----------|----------|
| One-time costs | | | |
| Year 1 recurring | | | |
| Year 2-5 recurring | | | |
| **Total 5-Year TCO** | | | |
Commercial Terms Checklist¶
- Pricing model clear and predictable
- Volume discounts available
- Exit terms reasonable (data export, transition)
- Price protection clauses
- Renewal terms defined
- Liability and indemnity acceptable
- IP ownership clear
Step 6: Compliance & Security Evaluation¶
Privacy Assessment¶
| Requirement | Vendor A | Vendor B | Vendor C |
|---|---|---|---|
| Data processed in Australia | Yes/No | ||
| Subprocessors documented | Yes/No | ||
| Privacy policy adequate | Yes/No | ||
| Data minimization practiced | Yes/No | ||
| Retention policies clear | Yes/No | ||
| Consent management | Yes/No | ||
| Right to deletion supported | Yes/No | ||
| Breach notification process | Yes/No |
Security Assessment¶
| Control | Vendor A | Vendor B | Vendor C |
|---|---|---|---|
| ISO 27001 certified | Yes/No | ||
| SOC 2 Type II report | Yes/No | ||
| Penetration testing (annual) | Yes/No | ||
| Encryption at rest | Yes/No | ||
| Encryption in transit | Yes/No | ||
| MFA supported | Yes/No | ||
| Role-based access control | Yes/No | ||
| Audit logging | Yes/No | ||
| Incident response plan | Yes/No |
AI Ethics Assessment¶
| Criterion | Vendor A | Vendor B | Vendor C |
|---|---|---|---|
| Bias testing conducted | Yes/No | ||
| Fairness metrics provided | Yes/No | ||
| Explainability features | Yes/No | ||
| Model cards available | Yes/No | ||
| Human oversight supported | Yes/No | ||
| Ethics review process | Yes/No |
Step 7: Vendor Due Diligence¶
Financial Assessment¶
| Factor | Vendor A | Vendor B | Vendor C |
|---|---|---|---|
| Years in business | |||
| Annual revenue | |||
| Profitability | |||
| Funding status | |||
| Employee count | |||
| Customer count |
Reference Checks¶
Questions for references: 1. How long have you used this solution? 2. What problem did it solve? 3. How was the implementation experience? 4. How responsive is vendor support? 5. Have you experienced any issues? 6. Would you recommend them? Why/why not? 7. What would you do differently?
Reference Check Template:
## Reference Check: [Vendor]
Reference: [Organization]
Contact: [Name, Role]
Date: [Date]
### Implementation
- Duration: [X months]
- On time/budget: [Yes/No]
- Challenges: [Description]
### Operations
- Uptime experience: [%]
- Support quality: [1-5]
- Issue resolution: [Fast/Slow]
### Overall
- Satisfaction: [1-5]
- Recommendation: [Yes/No]
- Key advice: [Quote]
Step 8: Final Evaluation¶
Evaluation Summary Template¶
## Vendor Evaluation Summary
### Scores
| Category (Weight) | Vendor A | Vendor B | Vendor C |
|-------------------|----------|----------|----------|
| Technical (35%) | | | |
| Business Value (25%) | | | |
| Compliance (25%) | | | |
| Vendor Viability (15%) | | | |
| **Weighted Total** | | | |
| **Rank** | | | |
### Strengths & Weaknesses
#### Vendor A
Strengths:
-
Weaknesses:
-
#### Vendor B
Strengths:
-
Weaknesses:
-
#### Vendor C
Strengths:
-
Weaknesses:
-
### Recommendation
[Clear recommendation with justification]
### Risks and Mitigations
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| | | | |
### Negotiation Points
1. [Key point to negotiate]
2. [Key point to negotiate]
Quick Reference: Evaluation Checklist¶
Pre-Evaluation¶
- Requirements documented and approved
- Evaluation criteria weighted and agreed
- Evaluation panel assembled
- Conflict of interest declarations signed
- Probity plan in place
During Evaluation¶
- All vendors assessed against same criteria
- Scores independently assigned then consolidated
- Technical testing completed
- Reference checks completed
- Commercial terms reviewed
Post-Evaluation¶
- Evaluation report drafted
- Recommendation documented
- Value for money assessment completed
- Risk assessment completed
- Approval obtained
Common Pitfalls to Avoid¶
| Pitfall | Why It's a Problem | How to Avoid |
|---|---|---|
| Feature fixation | Choosing based on features not needs | Evaluate against requirements |
| Demo dazzle | Being swayed by polished demos | Conduct hands-on PoC |
| Lowest price wins | Ignoring TCO and hidden costs | Calculate full 5-year TCO |
| Ignoring references | Missing real-world issues | Always check references |
| Underestimating integration | Integration costs exceed license | Deep integration assessment |
| Overlooking vendor stability | Risk of vendor failure | Financial due diligence |
| Skipping ethics review | Bias and fairness issues | Mandatory ethics assessment |
Resources¶
Government Procurement Guidance¶
- Digital Sourcing Framework
- Commonwealth Procurement Rules
- ICT Procurement Framework