Start with the archetype
Boutique consultancy, agency, SaaS vendor, freelancer, and staff-augmentation shops carry different risk profiles. Pricing patterns, IP defaults, and reference-call expectations all shift by archetype. The first move in any vendor evaluation is to name the archetype and adapt your due-diligence checklist accordingly.
Always demand a working example
Slides are not proof. The single fastest way to surface a risk is to ask for a live demo of an existing client deployment, not a generic sandbox. If the vendor cannot show the product running for someone else, the engagement is research and development funded by you.
Pin down the underlying model
Vague language about "our AI" is a red flag. A credible vendor will name the specific foundation model (GPT-4o, Claude Sonnet, Gemini) or declare a multi-frontier strategy with a switching policy. Anything less leaves you with an unauditable cost and an unauditable failure mode.
Itemise ongoing costs
Per-token pricing without monthly caps and quarterly reviews is the most expensive trap procurement teams walk into in 2026. The buyer has no leverage once usage scales. Negotiate the cap, the review cadence, and the 30-day notice clause before signing.
Reference call template
Three or more named reference customers with introductions is the gold standard. Two named references are acceptable for sub-$50K engagements. Anonymised case studies and LinkedIn-only profiles are not references. The 12-question reference-call template ships in your scorecard PDF.
When to walk away
Walk away when any of the following holds: the vendor shows three or more red flags and refuses to amend the contract; the vendor cannot name a single client willing to take a 30-minute reference call; IP terms remain unclear after written follow-up; or token costs are passed through with no monthly cap and no quarterly review.