
What Clients' Procurement Teams Are Starting to Ask About AI

Jozef Juchniewicz, Qonera · 27 June 2026 · 4 min read

For most firms, the first time a client’s use of AI becomes a formal question is not in a conversation. It is in a procurement questionnaire. Somewhere between the security section and the data section, a new set of questions has started appearing: Do you use AI in producing our deliverables? How is it reviewed? Can you show records? These are not hypothetical future questions. They are landing in vendor due-diligence packs now.

That changes who at the firm needs an answer. AI review used to be an internal quality matter. Once it is in a procurement questionnaire, it is a sales blocker, because a deal can stall on an unanswered or unconvincing response in a section the client’s legal and security teams treat as pass or fail. The firms that can answer cleanly move forward. The ones that cannot get stuck in follow-up.

The questions are getting specific

Early AI questions in vendor reviews were vague: do you use it at all? The current generation is more pointed, because the people writing the questionnaires have gotten more informed. They ask which steps of the work involve AI, whether outputs are reviewed by a person before delivery, whether there is a record of that review, how source material is handled, and what happens when something goes wrong. These map closely to the obligations the EU AI Act places on organizations, which is not a coincidence.

A firm that answers these with generalities (we use AI responsibly, a human always checks the work) is increasingly going to get a follow-up asking to see how. Without something concrete to point to, the conversation stalls in exactly the place a firm least wants it to: the gate between shortlisted and selected.

What a strong answer looks like

A strong answer is specific and backed by something the client can verify. It names where AI is used and where human review happens. It can describe the review step in concrete terms: sources are checked, claims are flagged, a named person signs off before delivery. And it can offer evidence rather than assurance: a record of what was reviewed and by whom, available if the client wants to see it.

The difference between assurance and evidence is what procurement teams are increasingly probing for. Anyone can assert that they review their work. The firm that can show the review, with a record that holds up, is answering a different and more convincing question. That is the answer that moves a deal forward instead of sending it back for clarification.

Build the answer before you need it

The worst time to build an AI review process is in the two weeks between receiving a questionnaire and the response deadline. The process cannot be retrofitted convincingly at that speed, and a record assembled after the fact reads like exactly what it is. The firms that answer well are the ones that built the capability before the question arrived, for their own quality reasons, and now simply describe what they already do.

Qonera is built to be that answer. It gives teams a structured review and approval workflow with source checks, claim-level flagging, named sign-off, and a tamper-evident audit trail that can be exported for client assurance. When the questionnaire asks how AI-assisted work is reviewed, the answer is a process and a record, not a paragraph of reassurance. Most of the EU AI Act’s obligations apply from August 2026, and the same evidence that satisfies a procurement team is the evidence the regulation points toward. The question is arriving through clients first, well ahead of any enforcement date, and the firms ready for it are the ones that treated it as a capability to build rather than a form to fill in.

This article is for general information only and does not provide legal advice. Organisations should consult qualified legal counsel about how the EU AI Act applies to their specific systems, workflows, and obligations.
