
The CTO's AI Vendor Selection Guide: Procurement-Grade Diligence in 2026

How CTOs at Series B-D companies evaluate AI engineering vendors in 2026: 5-dimension scorecard, MSA + SOW checklist, security questionnaire timeline, SOC 2 verification, IP assignment, replacement SLA. Procurement-grade.

By FutureProofing Team · May 14, 2026

§ 01 Overview

The 5-dimension vendor scorecard

Dimension           | What you're measuring                                      | What to ask for
Technical bar       | What % of contacted candidates does the vendor accept?     | Sourcing funnel data + sample vetting rubric
Engagement model    | Embedded vs staff aug vs platform-brokered                 | Sample engagement letter + day-1 access list
Security posture    | SOC 2 status, IP assignment, NDA flow                      | Latest SOC 2 report (or progress letter) + IP clause
Commercial terms    | Pricing model, replacement SLA, minimums                   | MSA + SOW templates + replacement clause
Founder credibility | Track record, references, exit history                     | Founder bios + 3 client references at your stage

The scorecard is a weakest-link score, not an average: a vendor that scores 9/10 on technical bar but 3/10 on commercial terms is a 3, not a 6. Optimize for the floor, not the ceiling.

Procurement timeline — what to expect

Day 0: Initial intro call (30 min). Vendor sends sample profiles + engagement model overview.

Day 1–3: NDA exchange, then security questionnaire issued (SIG Lite, CAIQ, or custom). The NDA comes first because the vendor's SOC 2 report and questionnaire answers are shared under it.

Day 4–7: Vendor returns questionnaire. Schedule technical reference call with a current client at your stage.

Day 7–10: MSA + SOW redline. IP assignment, replacement SLA, termination terms reviewed by legal.

Day 10–14: Contract execution. Engineer onboarding begins against the day-1 access list from the engagement letter: provision accounts that are scoped to what the engagement needs and tied to the engineer, so they can be revoked cleanly on replacement or termination.

Day 14–21: First PR lands.

Vendors that compress this timeline by skipping steps (e.g., signing without security review) are flagging that they don't have the maturity for enterprise procurement. Slow down.

Red flags — vendors to drop

  • Claims SOC 2 Type II but can't produce the report or progress letter. A Type II covers an observation period, so "Type II in progress" means at most a Type I or a readiness assessment exists today; ask which, and when you get a report, check the audit period, the systems in scope, and the exceptions section, not just the cover page.
  • IP clause uses 'work for hire' without explicit assignment language. Have your IP attorney review it.
  • No replacement SLA, or one that requires you to pay through the replacement onboarding period.
  • Minimum engagement >6 months. Lock-in protects the vendor, not you.
  • Vetting funnel data they 'can't share for confidentiality reasons.' Aggregate funnel numbers identify no candidate and are not confidential.
  • Founders who won't take a reference call directly with your CTO.

Negotiation levers

Senior AI engineering vendors price on engagement length, not headcount discounts. Don't waste leverage asking for a 5% multi-seat discount.

What to push instead:

  • Replacement SLA tightening: ask for 5 business days instead of 7 if you're staffing a critical milestone.
  • Tooling sponsorship: Claude Code Max seat sponsorship at day 1, written into the SOW.
  • First-PR guarantee: SLA on time-to-first-PR (e.g., 14 days from contract signature) with a pro-rated refund if missed.
  • Direct founder access: contractual right to escalate to the vendor's founders for engagement issues.
  • IP belt-and-braces: explicit no-training-data-rights clause covering anything the engineer touches.

How FutureProofing scores on the rubric

Technical bar: 12 of 2,000 contacted monthly accepted (0.6%). 5-stage funnel with Jess Mah (UC Berkeley CS at 19, inDinero founder, Executive Chair of Mahway $1.5B portfolio) as final filter.

Engagement model: Embedded. Engineers join your repo, Linear, Slack. No platform intermediary.

Security posture: NDA day 1, IP assignment day 1, SOC 2 Type II in progress (target Q4 2026 — we'll tell you upfront if that's a hard gate). Security questionnaires returned in 3–5 business days.

Commercial terms: $13.5K/mo flat all-in. 7-business-day replacement SLA. Cancel anytime, no minimums.

Founder credibility: Jess Mah, Andrea Barrica, Gabe Murillo — public track records, available for direct reference calls.

See /sla and /enterprise for the full clauses.


FAQ

  • How long should AI engineering vendor diligence take for a Series B–D company?

    10–14 days from intro call to contract execution is standard. Faster than that suggests the vendor is skipping security review or contract redlining; slower suggests internal procurement bottlenecks rather than vendor issues. The diligence timeline section breaks down each phase. Vendors that resist this timeline rarely have the maturity to support enterprise engagements at scale.

  • Should I require SOC 2 Type II before signing an AI engineering vendor?

    It depends on your data sensitivity. If your engineers will touch PII, regulated data, or customer-facing prod systems, yes, make it a hard gate. If they're working on internal tooling, eval harnesses, or experimental builds, an in-progress SOC 2 (with a credible target date) plus engineers operating under your security controls is often acceptable. Ask for the auditor name and progress letter to verify, and when a report does arrive, read the audit period, scope, and exceptions rather than the summary; a report whose period ended more than a few months ago should come with a bridge letter.

  • What IP clauses should my legal team flag in an AI vendor MSA?

    Three to red-line: (1) explicit IP assignment on commit (not 'on payment'), (2) no retained rights for the vendor including no training-data rights on anything the engineer touches, (3) no derivative-rights clause for prompts, fine-tunes, or eval harnesses. Generic 'work for hire' language is insufficient — most AI engineering work product wouldn't qualify as 'work for hire' under US copyright law without explicit assignment.

  • What's a fair replacement SLA for embedded AI engineers?

    7 business days is the market standard for embedded engagements at the $13.5K–18K/mo all-in tier. Staff augmentation platforms often don't offer a replacement SLA at all (you absorb the gap). Anything tighter than 7 days is a negotiation lever to push on. Anything looser than 10 business days, or requiring you to pay through the replacement onboarding, is a red flag.

§ FIN — Ready to hire?

Get the full procurement workflow.

Send your CTO's diligence checklist. We'll route to Jess + Andrea, return your security questionnaire in 3–5 business days, and ship the MSA + SOW template alongside our SOC 2 progress letter. Built for procurement.