The vendor problem: governing the AI you buy, not build

Most government AI is bought, not built.

Which means your accountability is only as strong as your contract. If the proof lives inside a vendor's platform you cannot query, you have inherited a black box you remain publicly responsible for.

Vendor opacity does not transfer the risk. It just hides it until someone asks.

Five things to require before you buy

1. Transparency into what the system does and how.
2. Audit access you can exercise on your own schedule — not a report the vendor generates when it suits them.
3. Explainability for any decision that affects a person.
4. Ownership of your data and your records.
5. Portability, so the proof, the rules, and the receipts come with you if you leave.

A great audit log inside a vendor you cannot leave is still a walled garden. The question is never just "is it logged" — it is "whose proof is it, and can you take it with you."

When the same workflow can answer the four questions on your terms, you have governed the buy. Until then, you have rented exposure.