Responsible AI Procurement
Procurement approaches will vary significantly depending on the challenges your business faces and the type of AI solution being considered. Different business needs (whether automating routine tasks, enhancing decision-making, or generating creative content) will necessitate distinct procurement needs.
This guide provides a step-by-step framework to help Scottish SMEs make informed, ethical, and practical decisions when procuring AI tools or services. Whether you're just exploring AI or already in early implementation, it takes you from the initial assessment stage to responsible deployment.
Responsible procurement ensures your AI systems are aligned with your business goals, regulatory obligations, and ethical responsibilities. That means not just choosing the right tool, but making sure it’s the right fit for your business, your team, and your customers.
Who Is This Hub For?
This guide is especially relevant for:
SMEs exploring or adopting AI tools for internal operations
SMEs aiming to supply AI products or services to the public sector
Organisations seeking clarity on the difference between public and private AI procurement requirements (see Section 6)
Business leaders and managers looking for practical steps to ensure responsible, compliant implementation
Used alongside the Scottish AI Playbook, this hub equips you to approach AI procurement with confidence and care.
1. Understanding AI's Role
Before selecting or buying an AI solution, the first and most critical question is: what is the business problem you’re solving? Your answer will shape every decision that follows - from technical specifications to vendor evaluation.
Here are the key considerations to address before committing to an AI purchase:
Is AI truly necessary?
AI isn’t always the right fit. Ask whether the challenge really requires AI capabilities such as pattern recognition, large-scale data processing, prediction, or automation, or whether simpler digital tools might suffice.
What are the potential impacts?
Think beyond functionality. Consider the ethical, legal, reputational, and societal implications of implementing AI. How might this system affect your customers, brand, workforce, and community?
Do you have access to the right data?
AI systems rely on high-quality, diverse, and relevant data. Assess whether you currently have the volume and variety of data needed for meaningful results, and whether it's clean, representative, and collected legally.
Is it financially viable?
Factor in both the upfront and ongoing costs: system purchase, training, integration, maintenance, updates, and support. Make sure the business benefits clearly outweigh the total costs.
Does your team have the technical capabilities and knowledge?
AI systems require internal skills to manage, interpret, and oversee them. If your team lacks this capacity, consider investing in training or budgeting for external expertise.
Do you have enough time?
AI implementation can take longer than expected, especially due to data preparation, system integration, and staff upskilling. Set realistic timelines that account for iteration and refinement.
2. Procurement Planning
A thoughtful procurement process reduces risk, supports ethical goals, and increases your chances of long-term success. It also aligns your business with Scotland’s wider commitment to ethical, inclusive, and trustworthy AI.
The Scottish Government's Procurement Journey offers a detailed outline of the processes involved. For SMEs, the following steps should be taken:
Define your business objectives
Set measurable goals that the AI solution will support, such as efficiency gains, accuracy improvements, or cost savings. These goals should be aligned with your wider business strategy and guide your vendor selection.
Build Internal Awareness
To be able to discuss, plan and implement AI effectively, your team needs foundational knowledge in:
AI fundamentals (types of AI, what it can and can’t do)
Regulatory requirements (e.g. UK GDPR, emerging AI laws)
Ethical frameworks (such as the OECD AI Principles or UNICEF’s guidance on AI for children)
Public procurement standards, including the EU AI Act and model clauses for AI
Engage stakeholders early, including end-users, legal advisors, IT specialists, and department leads. This ensures broader understanding, early feedback, and smoother implementation.
Recommended resources:
Living With AI course — a strong introduction to AI ethics and applications
UK Government’s AI Toolkit — practical support for responsible development and deployment
Be sure your workplace culture and training structure are also AI-ready. For more support, see our Culture and People and Training and Skills guides.
3. Develop Clear AI Specifications
Your AI specifications act as both a technical blueprint and an ethical framework that guides vendors in developing solutions that meet your specific needs. They serve as a foundation for vendor evaluation, governance, and system lifecycle management.
Technical requirements
Your AI system needs to be:
Understandable: The AI should be able to explain its decisions in clear terms
Compatible: It should work well with your existing systems
Secure: It needs proper safeguards to protect data and prevent misuse
Ask vendors to demonstrate how their AI works in your specific business context. Different use cases require different levels of explainability; for example, a high-impact system like AI used in hiring or finance should offer more transparency than a product recommendation engine.
Ethical and legal specifications
Understand and document how the system will uphold the following principles:
Fairness — No bias or discrimination across user groups
Accountability — Clear human responsibility for outcomes
Human oversight — Defined moments for intervention and review
Privacy protection — GDPR-compliant data handling and retention policies
Transparency — Clarity on how decisions are made and communicated
Refer to the UK’s Algorithmic Transparency Recording Standard and the EU’s model clauses to help structure these requirements responsibly. You can also find more information in our Governance and Regulation guide.
Operational requirements
This includes specific plans for maintenance schedules, software updates, disaster recovery steps, support and troubleshooting. Be very specific about service level agreements, response times and escalation procedures to ensure business continuity.
Consider incorporating environmental impact assessments, which examine energy consumption and carbon footprint, to reflect Scotland's broader climate commitments.
Vendor-Specific Requirements
Ask vendors to disclose:
System limitations and known risks
How training data was sourced and validated
Governance practices around accuracy, robustness, security, and auditability
This due diligence will help you avoid opaque “black box” systems and ensure your procurement is aligned with best practices. Consider using the guidance from the EU AI Act model clauses to structure requirements around data governance, human oversight, accuracy, robustness, cybersecurity, and transparency.
4. Vendor Evaluation
Choosing the right partner is about more than technical ability. Ethical standards, transparency, and collaboration should be key decision criteria.
What to assess
Technical credibility — Relevant certifications, proven AI deployments, especially in your industry
Ethical alignment — How the vendor supports fairness, transparency, and accountability
System testing — Approaches to validation, risk mitigation, and performance measurement
Data practices — Data sourcing, licensing, and bias mitigation
Real-world performance — Can they demonstrate success beyond a controlled test environment?
Be cautious of vendors unwilling to disclose model design, assumptions, or decision logic. Lack of transparency is a red flag and may create downstream risks for your business.
Contract essentials
Make sure your vendor contract includes:
AI usage disclosure requirements
Clear ownership terms for data and models (e.g., Crown Copyright for public data)
Provisions for adapting to future regulatory changes
Liability clauses for AI errors or failures
Exit options that allow you to terminate safely if the system no longer meets your needs
5. Example: A Phased Approach to AI Implementation
AI implementation will look different for every business. Your timelines, resources, and specific activities will depend on your organisation’s size, sector, and the complexity of the AI solution being deployed. That said, the following example outlines a structured, phased approach that many SMEs may find useful as a reference.
Phase 1: Pilot Testing (Months 1–3)
Start with a small, controlled deployment, typically in one department or for a single use case. This helps limit potential risks while allowing you to collect early data on performance and usability. Focus on testing functionality, gathering feedback, and identifying any immediate concerns.
Phase 2: Performance Evaluation (Months 4–6)
Assess how well the AI system is meeting your defined goals. Track both technical performance (accuracy, reliability) and business impact (efficiency gains, user experience). Develop reporting tools or dashboards to support continuous monitoring and refinement.
Phase 3: Gradual Expansion (Months 7–9)
Begin scaling the solution more broadly, guided by insights from the pilot and evaluation phases. You might expand by department, user group, or functionality, whichever makes sense for your business. Each step should include clear success criteria and room for iteration.
Phase 4: Full Integration (Months 10–12+)
Once the system has proven effective and reliable, integrate it into your core operations. Establish long-term maintenance plans, user training schedules, and performance monitoring routines. Embed feedback loops between end users, technical teams, and leadership to keep the system aligned with evolving business needs.
While this timeline offers a general structure, it's important to adapt it to your context. Some SMEs may move through these phases more quickly or slowly depending on the scope of the project and the level of in-house expertise.
6. Public vs Private Sector Considerations
While the above framework applies broadly to SMEs, there are important distinctions when procuring AI in public versus private sector contexts.
Understanding these differences is crucial, especially for those who may be either supplying AI solutions to the public sector or adopting practices from public sector frameworks to strengthen their own procurement processes.
Regulatory obligations
Public sector organisations face additional scrutiny requirements regarding legitimacy, trust, fairness, and equality. Public AI implementations must give greater consideration to Scotland's National Outcomes. They must also adhere to specific guidance, which outlines permitted AI use following public body policies.
Private sector organisations have more flexibility, but should still consider impacts on their reputation and support of industry standards. SMEs selling AI solutions to the public sector should be aware that public bodies are increasingly required to evaluate the ethical implications of AI tools they procure.
Vendor evaluation
Public sector organisations may require vendors to demonstrate compliance with specific regulations, show transparency in AI systems and prove their expertise with public sector implementations. There's often an imbalance of expertise between private companies and under-resourced local authorities, making clear evaluation criteria an important step.
Private sector buyers may prioritise commercial factors like cost efficiency and competitive advantage. SMEs selling to the public sector should highlight their understanding of public sector challenges and demonstrate how their AI solutions operate transparently to avoid black box occurrences.
Emerging Procurement Models
Both public and private sector organisations should track new opportunities in evolving procurement models. The UK Government's AI Opportunities Action Plan outlines several initiatives that may impact the AI procurement process, including new frameworks for sourcing AI, rapid prototyping capabilities and national AI tenders.
SMEs should monitor these developments, as they represent potential opportunities to engage with public sector AI procurement through more agile and innovative pathways. As support strengthens for SMEs using AI, staying up-to-date offers great advantages.
Stakeholder engagement
Public sector implementations often require formal public consultations and broader stakeholder engagement. For high-impact AI implementations, Scotland's Public Engagement Framework provides guidance on capturing diverse perspectives.
The private sector typically focuses on engaging customers, employees, and shareholders directly affected by the AI system. SMEs working with the public sector should be prepared for more extensive stakeholder consultation requirements.
Final thoughts
Responsible procurement is more than a transaction - it’s a long-term commitment to using AI in a way that supports your business, your people, and your values.
By following this structured approach, you’ll be better equipped to:
Make informed, ethical decisions
Choose the right partners
Build trust in your AI systems
Contribute to Scotland’s vision of trustworthy, ethical, and inclusive AI.