Buying AI

Five questions every SME should ask before buying AI in 2026

A practical buyer's checklist for small and mid-sized businesses navigating the AI vendor landscape — pricing, data, ownership, and the things vendors won't volunteer.

Jack Clinton
8 May 2026 5 min read

Enterprises have AI procurement teams. SMEs have a busy founder and an inbox full of pitches. That asymmetry is the single biggest reason small businesses end up signing the wrong AI contracts in 2026 — paying enterprise prices for a copilot rolled out to every desk, or worse, paying any price at all for a vendor that quietly trains on the data they handed over.

This piece is a buyer's checklist that closes the gap. Five questions, in plain English, that separate vendors who will grow with you from vendors who will disappear, raise prices, or use your data to train models you'll never see. Print it. Take it to your next call.

TL;DR. Before you sign anything: (1) ask where your data lives and who can read it, (2) demand a transparent platform-vs-capacity split inside the seat price, (3) confirm you can leave and take your data with you, (4) check the human-in-the-loop story is real, not theatre, and (5) get the unflattering case study, not just the testimonial reel.

01 — Where does my data live, and who can read it?

The single biggest gap between enterprise and SME AI buyers in 2026 is data hygiene. Enterprises send their lawyers in first. SMEs sign the click-through and find out in eighteen months that prompts, attachments, and uploaded documents have been used to train a foundation model in another jurisdiction.

Ask the vendor, in writing:

  • Which cloud region hosts my tenant?
  • Are my prompts, completions, and uploaded files used to train any model — yours or a third party's?
  • Who, internally, can read my data, and under what process?
  • If you go bust, what happens to my data?

Get specific answers. "We take data security seriously" is not an answer. A reputable vendor will give you a region, a retention policy, a sub-processor list, and a named DPO.

"We take data security seriously" is not an answer. A region, a retention policy, and a sub-processor list — those are answers.

02 — What's inside the seat?

Most AI vendors in 2026 will sell you per-seat pricing. The seat is fine — your finance team already buys software that way. The problem is when the seat is a bundle you cannot read: some platform, some AI compute, some vendor margin, all hidden inside one number.

Ask the vendor to split it for you. What's the platform fee per seat? What's the AI capacity allowance per seat? What unit is the capacity in, and how does that unit improve as provider costs fall? If they cannot give you those numbers in writing, you are bidding into a bundle whose internals only the vendor sees.

03 — Can I leave, and take my data with you?

Lock-in is the oldest trick in software, and 2026 has given it a fresh coat of paint. It is dressed up these days as "tenanted knowledge graphs", "fine-tuned models", and "proprietary embeddings". The substance is the same: when you want to leave, the vendor wants the door to be sticky.

Three concrete tests:

  1. Is there a documented data export? Not "contact support" — a self-service export of your conversations, documents, and structured data.
  2. Are the outputs portable? Generated content, summaries, and decisions should be yours, in open formats.
  3. Are the connectors yours? If the vendor has integrated to your Xero, Slack, or HubSpot using their OAuth app, you should be able to disconnect cleanly without orphaned permissions.

04 — Is the human-in-the-loop story real, or theatre?

Every vendor talks about human-in-the-loop. Most of them mean a confirmation dialogue and a tickbox marked I understand. That is theatre, not oversight — and the audience is the auditor, not the customer.

Real human-in-the-loop looks like:

  • A reviewable log of every decision the agent made and why.
  • The ability to roll back actions, not just approve them in advance.
  • Configurable thresholds — agents act autonomously below a certain risk level, surface to a human above it.
  • Clear audit trails when something goes wrong.

If the vendor cannot show you the audit log in their own demo, you will not have one when it matters.

05 — Show me the case study where it didn't work

Every vendor has a glossy customer logo wall. Few will tell you about the customer who churned, the rollout that stalled, or the team that revolted against the new tool. That is the case study you actually need.

Ask: "Tell me about a customer who didn't get value. What happened, and what did you change?"

A vendor who can answer this candidly is one who has learned. A vendor who cannot will repeat the same failure on you.

What to do with this list

Print the five questions. Take them to your next vendor call. If the vendor cannot answer four of the five clearly, in plain language, in under fifteen minutes — they are not ready to be your AI partner.

The good news: in 2026, there are vendors who can. The bar is rising, and SMEs are no longer obliged to settle for enterprise leftovers or hobbyist tooling. Large enterprises have their dedicated AI teams and seven-figure budgets. SMEs have something they don't: the right to ask hard questions on a fifteen-minute call and walk away if the answers are vague. Use it.

Sources & further reading

More from David

Adoption

Practical first steps for adopting AI in your business

The first move in AI adoption costs almost nothing and isn't a purchase; it's a person. How to pick an internal champion, give them permission, and start with free tools before you commit to anything large.

29 May 2026 7 min

Adoption

Does AI actually work? An honest look for SMEs

Past the hype and the doom: what AI genuinely works for today, where it fails and why, how to protect your business against those failure modes, and the real value you can expect from an agentic platform.

29 May 2026 5 min