📦 Procurement Pack (HTML)

AI Procurement Pack: clauses, SLAs, RACI, audit

A pack you can paste into an AI RFP (public sector / large enterprises). It turns “we want AI” into verifiable requirements and auditable evidence.

✅ Requirements ⏱️ SLAs/SLOs 📜 Sample clauses 🧭 RACI 🔎 Audit

🏛️ Read AI Governance 🧩 Geniuspace® (algorithm) ✅ Proof / Case Studies ✉️ Contact

1) Baseline requirements (copy/paste)

Purpose: prevent non-auditable “shadow AI” and secure sovereignty, compliance and reversibility.

Domain	Requirement	Expected evidence
Architecture	Support on‑prem / VPC / air‑gapped / edge (as applicable). Avoid blocked dependencies (e.g., China).	Architecture dossier + diagrams + dependency list + SBOM.
Data	Classification, minimization, encryption, retention, DLP, residency (if required).	Data policy + classification matrix + encryption proof + access logs.
Access	RBAC/MFA/least privilege, environment separation, secrets management.	IAM config + logs + periodic access review procedure.
Evaluation	Reproducible tests (quality, security, bias, hallucinations) + go/no‑go thresholds.	Test suite + reports + signed acceptance criteria.
Auditability	Timestamped audit trail (prompts, versions, datasets, deployments, incidents).	Log exports + version traceability + change tickets.
Incidents	Runbooks, response timelines, notification, post‑mortems, kill switch.	Procedures + exercises + post‑incident reports.
Exit	Reversibility plan: data/artifact portability + timelines + assistance.	Exit plan + export formats + exit test report.

Operational template: validate with Legal, Security and Privacy teams. Tailor to scope (sensitive data, regulated sector, critical operator, etc.).

2) SLAs / SLOs (example)

Examples to adjust to criticality. Include a change management process (model/prompt/dataset versioning).

Metric	Target (SLO)	Measurement / evidence	Remediation
Availability	99.5% monthly (or per tier)	Monitoring + monthly reports	Service credits / action plan
Latency	P95 ≤ X ms (per endpoint)	APM/Tracing	Optimization + capacity plan
P1 incidents	Ack ≤ 15 min · Containment ≤ 60 min	Tickets + post‑mortem	RCA + corrective actions
Security fixes	Critical patch ≤ 72h	Vulnerability reports	Patch plan + deployment proof
Quality	Thresholds on test sets (accuracy, hallucinations)	Evaluation reports	Rollback / retrain / guardrails

3) Sample clauses (excerpts)

Non-legal excerpts meant to accelerate drafting. Must be adapted and approved by your Legal team.

3.1 Audit & transparency

Supplier maintains a timestamped, exportable audit trail (access, prompts, versions, datasets, deployments, incidents). Customer may audit or appoint a third-party auditor to verify security controls, evaluation evidence and compliance with requirements, with reasonable notice and without exposing Supplier secrets.

3.2 Data & residency

Customer data shall be processed solely for delivering the service. Any subcontracting or transfer (including cross-border) requires written approval. Supplier applies minimization, encryption, retention and deletion per the agreed policy.

3.3 Security & exfiltration

Supplier implements RBAC/MFA, segmentation, secrets management, encryption in transit/at rest, and anti-exfiltration controls (DLP, allowlists). A controlled “kill switch” and incident response plan are provided, with periodic tabletop exercises.

3.4 Exit / reversibility

Upon termination, Supplier provides (i) data and artifacts exports in open formats, (ii) operations documentation, and (iii) migration assistance for X weeks. Timelines and fees are pre-defined. Customer may require an exit test prior to production rollout.

4) RACI (model)

Procurement-oriented: clear, actionable, auditable.

Role	Key responsibilities	Artifacts
Sponsor	Budget, priorities, final acceptance	Acceptance sign-off
Program Owner	Delivery, risks, governance	RACI, reviews, risk backlog
CISO/Security	Security baseline, red-team, incidents	Security policy, reports, runbooks
Privacy/DPO	Data compliance, legal basis, DPIA if needed	Data policy, assessments
IT/MLOps	Deployment, observability, operations	Architecture, monitoring, change mgmt
Business Owners	Quality expectations, test sets, validation	Test sets, success criteria
Procurement/Legal	Contract, SLAs, exit plan, subcontractors	Clauses, SLAs, exit plan

5) Audit checklist (example)

A simple checklist focused on evidence.

Control	Evidence	Frequency
Model/dependency inventory	Version list + licenses + SBOM	Monthly
Access review	IAM report + logs + approvals	Quarterly
Quality/security evaluations	Reproducible reports + go/no‑go criteria	Each release
Red-team / abuse testing	Reports + fixes + retests	Quarterly / semiannual
Incidents	Runbooks + tickets + post‑mortems	Per incident
Exit/reversibility	Export test + documentation + timelines	Annual

Need a critical-operator version (regulated sector, air-gapped)? Contact and we tailor the pack to your constraints.