As AI becomes a standard part of customer experience, the buying conversation is changing. For customer experience leaders, the question is how to select AI-enabled vendors in a way that can withstand security reviews, privacy obligations and regulatory scrutiny long after the contract is signed.
In this CX Today roundtable, Nicole Willing speaks with Kristina Holt, Managing Associate at Foot Anstey, Mary Ann Miller, Fraud & Cybercrime Executive Advisor and VP of Client Experience at Prove, and Michael Machado, CISO at RingCentral, about what responsible vendor due diligence now requires.
The panel agrees that traditional procurement checklists are no longer enough. AI introduces new questions around data handling, shared responsibility, auditability and operational oversight. It also creates risk in places businesses may not expect, especially when AI is embedded inside a broader CX platform or adopted informally by teams looking for faster ways to work. Kristina Holt, Managing Associate at Foot Anstey, said:
“There’s sometimes an assumption that somehow the vendor is going to be responsible for everything in terms of compliance. And that shared responsibility piece is just not thought through at all.”
That shared responsibility model matters because CX environments often process highly sensitive information, from call recordings and transcripts to customer records, payment details, and confidential business data. Machado argued that organizations should begin with a conservative view of data sensitivity, then build governance around how AI tools are deployed, monitored, and scaled.
“By default, everything is sensitive until proven otherwise.”
The discussion also highlights the operational risks that can emerge when AI systems rely on multiple data feeds. Miller warned that if one source degrades or fails, AI outputs can quickly become unreliable unless the right monitoring and escalation processes are in place.
“Every one of my data feeds going into this AI environment need to be monitored.”
The advice for buyers is practical: understand the use case first, identify the real risks, involve legal, privacy, security and operational teams early, and ask vendors for evidence that supports their claims. That may include audit certifications, risk assessments, data processing details, transparency around sub-processors, and features that allow teams to verify how systems are working.
Watch the full roundtable discussion to learn how CX leaders can assess AI vendors, reduce security and privacy risk, and build stronger governance before deployment.