Enterprise AIOps Procurement Checklist
SOC 2 Type II. GDPR. FedRAMP. ITAR. Single-tenant deployment. Bring-your-own-key. Most enterprise AIOps deals die on five or six redlines that the buyer never put on the RFP. Here's how to clear them before the kickoff call.
Why most AIOps deals stall
Procurement isn't where deals start; it's where they die. The technical evaluation goes great. The pilot is a hit. Then security shows up six weeks before contract signature with a 200-question SIG questionnaire and a 14-page DPA, and the deal slips a quarter. Most of these slips are avoidable: the buyer's redlines aren't unique; they're a small, well-known set.
The honest truth is that 80% of enterprise procurement friction comes from six categories: certifications, tenancy, encryption keys, access controls, audit trails, and contractual clauses. If your AIOps vendor can't speak fluently to all six in the first call, the pilot is a waste of time.
This is the checklist I wish every buyer ran before the kickoff. It's also the checklist I wish every vendor put on their public site so the legal cycle doesn't take a quarter.
Certifications that matter
SOC 2 Type II. Non-negotiable for any enterprise deal. Type I is a snapshot; Type II proves the controls held over a 6-12 month observation window. Ask for the latest report under NDA, not a one-page summary. If the vendor only has Type I, that's a year of waiting before you can ship to prod.
ISO 27001. The international counterpart. EU, APAC, and a lot of regulated US verticals require it. Useful complement to SOC 2; the controls overlap significantly but the audit lens is different.
GDPR readiness. Not a certification; it's a regulatory regime. What you actually want is a published DPA, a clear sub-processor list, and a mechanism for data subject requests. EU customers will block any vendor that can't produce these three artifacts within a day.
HIPAA, PCI-DSS, FedRAMP, ITAR. Industry-specific. Don't ask if you don't need them; these add cost. But if you're in healthcare, payments, federal, or defence, no SOC 2 in the world substitutes. FedRAMP Moderate is the realistic floor for federal; FedRAMP High is rare and expensive.
Tenancy and data residency
Multi-tenant SaaS is the default: your data sits in shared infrastructure with logical isolation. Cheaper, faster to onboard, and good enough for the vast majority of enterprises. But finance, healthcare, defence, and a growing number of EU customers require single-tenant.
Single-tenant means a dedicated VPC, dedicated database, dedicated compute. The control plane might still be shared (that's how the vendor ships features), but the data plane is yours alone. Expect a 2-3x price premium and 3-6 weeks of provisioning. Worth it for the right workloads.
Data residency is the harder question. Where does the data live, where is it processed, where do logs flow? "EU-only" sounds simple, but the vendor's CI runs in us-east-1, the LLM inference cluster is in us-west-2, and the support team in Manila reads tickets that contain customer data. Get the data flow diagram in writing.
BYOK and encryption
Bring-your-own-key (BYOK) means the vendor encrypts your data with a KMS key you control. You can rotate it. You can revoke it. If you revoke, the vendor's infrastructure stops being able to read your data. It's the strongest practical guarantee that a rogue vendor employee can't quietly exfiltrate.
The implementation matters. AWS KMS with a customer-managed key in the customer's account is the gold standard: the vendor's IAM role assumes into your account to use the key. HSM-backed keys are even stronger and required for some regulated workloads. Avoid vendors that say "we encrypt at rest" without specifying who controls the key; that's not BYOK, that's marketing.
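What "you control the key" means in practice is a KMS key policy in your account that keeps kms:* for your own root principal and gives the vendor's role only data-plane permissions (encrypt, decrypt, generate data keys). The following is an added example, not code from the article or from any vendor: a small linter that reads a key policy document and reports anything that would let the vendor manage the key, or that would leave you unable to revoke them. The account IDs, role name and policy statements are constructed placeholders.

```python
"""Lint a customer-managed AWS KMS key policy for a BYOK arrangement.

Added example, not code from the article or any vendor. The account IDs,
the role name and the sample policies are constructed placeholders.
"""
import json

CUSTOMER_ACCOUNT = "111111111111"  # constructed: the buyer's AWS account
VENDOR_ROLE = "arn:aws:iam::222222222222:role/aiops-vendor-data-plane"  # constructed

# Data-plane permissions a vendor needs in order to use (not manage) the key.
ALLOWED_VENDOR_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:ReEncryptFrom",
    "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:GenerateDataKey*",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
}
# Key-management permissions; any of these in the vendor's hands defeats BYOK,
# because the vendor could rewrite the policy or pre-empt a revocation.
ADMIN_ACTIONS = {
    "kms:*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
    "kms:EnableKey", "kms:CreateGrant", "kms:RetireGrant", "kms:RevokeGrant",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    princ = stmt.get("Principal", {})
    return _as_list(princ) if isinstance(princ, str) else _as_list(princ.get("AWS", []))


def lint_key_policy(policy: dict) -> list:
    """Return findings; an empty list means the customer keeps control and the
    vendor is limited to data-plane use of the key."""
    findings = []
    customer_prefix = f"arn:aws:iam::{CUSTOMER_ACCOUNT}:"
    customer_root = customer_prefix + "root"
    customer_has_admin = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = set(_as_list(stmt.get("Action", [])))
        for p in _principals(stmt):
            if p == customer_root and "kms:*" in actions:
                customer_has_admin = True
            if p.startswith(customer_prefix):
                continue  # the customer's own principals may hold anything
            if p == "*":
                findings.append(f"{sid}: wildcard principal")
            granted_admin = actions & ADMIN_ACTIONS
            # CreateGrant is tolerable only when limited to AWS-integrated services.
            grant_cond = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if "kms:CreateGrant" in granted_admin and grant_cond in ("true", True):
                granted_admin.discard("kms:CreateGrant")
            if granted_admin:
                findings.append(f"{sid}: {p} holds key-management actions {sorted(granted_admin)}")
            unexpected = actions - ALLOWED_VENDOR_ACTIONS - ADMIN_ACTIONS
            if unexpected:
                findings.append(f"{sid}: {p} holds non-data-plane actions {sorted(unexpected)}")
    if not customer_has_admin:
        findings.append("customer account root lacks kms:* on this key; the customer cannot revoke vendor access")
    return findings


GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CustomerRetainsControl", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{CUSTOMER_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "VendorDataPlaneOnly", "Effect": "Allow",
         "Principal": {"AWS": VENDOR_ROLE},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

# Same shape, but the vendor statement hands over key management ("we encrypt at rest").
BAD_POLICY = json.loads(json.dumps(GOOD_POLICY))
BAD_POLICY["Statement"][1]["Action"] = "kms:*"

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_key_policy(pol) or "no findings")
```

Revocation under the good policy is a single edit on your side: delete the vendor statement (or disable the key) and every later Decrypt call from the vendor's role fails. One caveat worth writing into the BYOK design doc: data keys the vendor has already unwrapped stay usable in memory until their processes drop them, so ask how long plaintext data keys are cached.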
Field-level encryption is the next layer. Some PII fields (names, emails, customer identifiers) should be encrypted with a different key than the bulk-data key. The vendor decrypts only when the application needs to display them, with the operation logged. This is what separates serious enterprise platforms from "we have a TLS cert, we're good."
Access, audit, and SSO
SSO via SAML or OIDC. Required. Without it, your IT team can't enforce password policy, MFA, or off-boarding. Vendors that gate SSO behind an "enterprise tier" upcharge are charging the SSO tax. Push back: SSO is a security control, not a feature.
SCIM provisioning is the next ask. SSO logs people in; SCIM creates and de-provisions accounts automatically. When an employee leaves, you want their AIOps access revoked the moment HR closes the ticket, not the next time someone remembers to clean up the vendor.
RBAC granularity matters. The vendor should support roles like read-only viewer, on-call responder, runbook author, admin. Not every engineer should be able to trigger remediation actions; not every viewer should see customer data. Ask for a screenshot of the permissions matrix; if there are only two roles, that's a flag.
Audit logs must be tamper-evident, exportable, and retained at least one year. Every administrative action (user added, role changed, runbook executed, data exported) needs a log entry with who, what, when, and from where. SOC 2 Type II auditors will ask to see this; so will your own compliance team.
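"Tamper-evident" has a concrete meaning you can test for: each entry commits to the one before it, so an edit or a deletion anywhere in the history breaks verification of everything after it. The following is an added example, not any vendor's implementation: a SHA-256 hash-chained audit log with the who/what/when/from-where fields above, an exporter, and a verifier you could run over the vendor's export. The events, addresses and timestamps are constructed placeholders.

```python
"""Tamper-evident audit log as a SHA-256 hash chain.

Added example, not any vendor's implementation. Each entry records who,
what, when and from where, plus the hash of the previous entry; editing
or removing an earlier entry breaks every hash after it.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same entry always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    """Hash every field except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, who: str, what: str, target: str, source_ip: str, ts: int) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "ts": ts,  # epoch seconds; the caller supplies the clock
            "who": who,
            "what": what,
            "target": target,
            "from": source_ip,
            "prev": prev,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def export(self) -> str:
        """Export for the customer's SIEM; verify() accepts the parsed result."""
        return json.dumps(self.entries)


def verify(entries: list) -> tuple:
    """(True, n) if all n entries chain correctly, else (False, index of first bad entry)."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return (False, i)
        if entry_hash(e) != e.get("hash"):
            return (False, i)
        prev = e["hash"]
    return (True, len(entries))


def head_hash(entries: list) -> str:
    """Latest hash. Publish it somewhere the vendor cannot rewrite, so that
    silently truncating the tail of the log is also detectable."""
    return entries[-1]["hash"] if entries else GENESIS_HASH


def clone_entries(entries: list) -> list:
    """Deep copy via JSON, used to simulate tampering with an exported log."""
    return json.loads(json.dumps(entries))


def build_sample_log() -> AuditLog:
    """Constructed sample events; names, addresses and timestamps are placeholders."""
    log = AuditLog()
    log.append("alice@example.com", "user.role_changed", "bob@example.com -> admin", "203.0.113.7", 1700000000)
    log.append("bob@example.com", "runbook.executed", "restart-payments-api", "203.0.113.9", 1700000060)
    log.append("carol@example.com", "data.exported", "incidents-q1.csv", "198.51.100.4", 1700000120)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.entries))
    edited = clone_entries(log.entries)
    edited[1]["what"] = "runbook.viewed"  # rewrite history
    print("edited entry 1:", verify(edited))
    truncated = log.entries[:2]
    print("tail truncated:", verify(truncated),
          "head still matches:", head_hash(truncated) == head_hash(log.entries))
```

The chain catches edits and deletions in the middle of the log, but a log that is simply cut short still verifies, which is why the head hash needs to be anchored outside the vendor's control (a periodic export of it into your own SIEM is enough). That anchoring requirement is the question to put to the vendor when they say their audit log is tamper-evident.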
Legal and contractual redlines
Data Processing Addendum (DPA). Pre-signed, public, GDPR-compliant. If the vendor needs three weeks to draft one, that's three weeks of slip. The DPA should name sub-processors, specify the SCCs (Standard Contractual Clauses) version, and define breach notification within 72 hours.
Liability cap. The default vendor MSA caps liability at 12 months of fees. Enterprise security teams want at least 2x annual fees, sometimes uncapped for data breaches. This is negotiable, but it's where the legal cycles burn; push for a 2x cap with a separate uncapped breach indemnity for security incidents.
Indemnification for IP infringement. Standard. Make sure it covers the model outputs, not just the software. AIOps vendors that use third-party LLMs need to indemnify you against IP claims arising from generated content.
Termination and data return. 30 days to export all data in a usable format after termination. After that, data is deleted within 60 days with a written attestation. Vendors that retain "anonymised" data for "model improvement" need to disclose it explicitly, and you should opt out.
A realistic timeline
For a fully prepared buyer with a fully prepared vendor: 4-6 weeks from kickoff to signature. For the typical case: 10-14 weeks. The gap is almost entirely the redlines above. Run the checklist before the demo and you can buy back a quarter.
The buyer's pre-flight: collect SOC 2 Type II report, DPA draft, sub-processor list, security whitepaper, BYOK design doc, and SSO setup guide before the kickoff. If the vendor can't produce all six within a week, they're not enterprise-ready, and neither is the deal.
The vendor's pre-flight: publish the security page. Make the SOC 2 report available under standard NDA. Pre-redline the MSA with the common enterprise clauses. The vendors that win enterprise AIOps deals in 2026 are the ones that closed the procurement gap before the buyer asked.