advanta

HomeModule LibraryVendor

Module VEN-02 sigil: Vendor pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module VEN-02. The Pillar geometry encodes Vendor (Pillar 6); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SVEN-02
P6· L-G· Bands FoundationalOperational

· VEN-02

Vendor RFP Methodology

RFPs for legal AI vendors that read like generic SaaS RFPs leave the firm exposed — the evaluation criteria that protect against client-data exfiltration, opaque training, and hidden agentic capabilities don't appear in the questions that procurement teams typically ask. The Legal AI RFP Template provides a structured request grounded in Risk Taxonomy 2026 and the Agentic Tier governance frame, so vendor responses can be evaluated on legal-specific criteria, not vendor-supplied marketing. Methodology v2026.1.

Foundational

·

Per-engagement

·

2–4 weeks to draft and issue; 4–8 weeks for full RFP cycle depending on complexity.

Methodology v2026.1·Verified 23 May 2026·Reviewed 23 May 2026

Executive Summary

The Legal AI RFP Template is the canonical instrument for running structured, defensible procurements of AI solutions in legal functions. It translates the evaluation dimensions and weights from VEN-01 into vendor-facing requirements, ensuring that responses can be scored consistently and audited against the Risk Taxonomy 2026. The Module provides a complete RFP structure: executive summary and scope, governance and non‑negotiable requirements, technical specifications, AI Bill of Materials (AI BoM) disclosures, evaluation criteria, commercial terms, and a standardised response format. It embeds mandatory conditions such as DAT-03–aligned DPAs, prohibition on training on client data, SOC 2 baselines, and AI BoM registration as a condition precedent to implementation. Used per engagement, it connects to USE-01, USE-04, USE-05, STR-07 and GOV-02 to align procurement with approved use cases and ROAI tracking. Outputs from this Module form a core part of the Defensibility Posture Statement (DPS) evidence bundle for AI procurement decisions.

Defensibility Evidence Produced

Structured RFP with mandatory Risk Taxonomy 2026 class responses and AI BoM registration as a contract condition constitutes the procurement DPS evidence bundle for the Defensibility lens; combined with VEN-01 scoring records the full procurement package evidences that vendor selection followed documented, risk-mapped methodology

Elements:

Methodology transparencyEvidence framework

The operational problem

When a legal function issues an RFP for an AI vendor that reads like a generic SaaS RFP, the responses come back as generic SaaS responses. Vendor marketing fills the gaps that the questions did not close. The evaluation criteria that distinguish a defensible AI vendor from a hopeful AI vendor — client-data exfiltration controls, model-training disclosure, agentic capability boundary, Risk Taxonomy class-by-class mitigation — never appear in the questions and therefore cannot appear in the comparable answers.

The institutional standard for Defensible AI procurement requires RFP discipline that converts vendor talking points into structured, comparable, risk-mapped responses. Without it, vendor evaluation begins on slideware and the function cannot demonstrate to the regulator or the AI Task Force that procurement followed a documented, methodology-grounded evaluation.

The Vendor RFP Methodology defines the canonical structure. Without it, the function’s AI vendor selection is indistinguishable from its general SaaS procurement — and the institutional standard requires distinction.

Legal AI OS Relevance

The Vendor RFP Methodology sits at the intersection of Pillar P6 (Vendor, Procurement & Technology) and the Governance Layer (Layer G). It produces evidence for two Defensibility Elements:

  • DE-2 Methodology transparency — the RFP structure is itself documented methodology
  • DE-3 Evidence framework — vendor responses scored against the methodology form the procurement evidence record

Anchoring to Bands 1 and 2 (Foundational → Operational), the Module is the procurement instrument at Band 1 and the standing procurement methodology at Band 2+. Methodology v2026.1.

Pillar Alignment

Pillar 6 (Vendor, Procurement & Technology) is the institutional capability that converts vendor markets into defensible firm capability. The Vendor RFP Methodology is the Pillar-6 instrument that issues the structured request and scores the comparable responses.

The Pillar 6 posture this Module advances: from vendor selection on demos and marketing to RFP responses scored against Risk Taxonomy 2026 with AI BoM disclosure as condition precedent to shortlisting.

Operating Layer Impact

The Governance Layer (Layer G) is the institutional substrate that constrains how vendors are evaluated. The RFP is the Layer-G artefact that scopes the evaluation against the function’s risk posture; the POC (VEN-03) operates against the shortlist; the Security and Compliance Checklist (VEN-04) operates the final gate.

Without the RFP Methodology, vendor evaluation begins with vendor-supplied talking points and the comparable scoring discipline collapses.

Maturity Band Relevance

The Module strengthens the Sophistication and Adoption lenses of the Maturity Stack.

From Band

To Band

Sophistication-lens shift

Adoption-lens shift

1 — Foundational

2 — Operational

Vendor selection on demos → vendor selection on RFP-comparable scoring

Procurement happens ad hoc → procurement happens through the AI Task Force gate

Functions at Band 1 typically issue the first RFP using this Module. Band 2+ functions operate the Methodology as the standing procurement instrument for AI capability.

Operational Outcomes

Operating the Methodology produces five institutional artefacts:

Artefact

Purpose

DPS evidence stream

Structured vendor responses scored against VEN-01 dimensions

The comparable evaluation substrate

DE-3 (primary)

Risk Taxonomy 2026 class evidence record per vendor

The risk-mapped vendor posture

DE-2 + DE-3

AI BoM vendor inventory per vendor

The disclosure-disciplined inventory

DE-3

Vendor ROAI projections against USE-05 baseline

The vendor’s projected value substrate

DE-3

Vendor selection recommendation for AI Task Force approval

The procurement decision-record substrate

DE-2

Records retain for the regulator’s limitation period plus the lifecycle of the selected vendor.

Defensibility and Governance Considerations

The Module produces evidence for DE-2 (Methodology transparency) and DE-3 (Evidence framework). All nine Risk Taxonomy 2026 classes appear as mandatory RFP response sections; incomplete responses are a governance red flag.

For Agentic Tier (Tier 4) vendor solutions, the RFP requires four additional contract provisions:

Provision

What the vendor must commit to

Autonomous-action audit trail

Per-action immutable record accessible to the firm

Configurable intervention thresholds

Materiality thresholds that route to Full HITL per GOV-16

Permanent human override

At any point, designated human may halt or reverse autonomous action

Scope limitation controls

Capability cannot expand decision-class scope without firm authorisation

For all vendors, mandatory contract conditions:

  • DAT-03-aligned Data Protection Agreement as Schedule 1
  • Prohibition on training on client data (or explicit opt-in language with clear scope)
  • SOC 2 Type II as a baseline (Type I may be permitted with remediation timeline)
  • AI BoM registration as condition precedent to implementation commencement

The editorial-independence attestation applies — the Module makes no vendor-specific recommendations.

Institutional Use Cases

Use case 1 — A 14-partner firm issuing first AI RFP. Use case (USE-01) is contract review. Eight vendors invited to respond. Methodology v2026.1 issued. Two vendors fail Risk Taxonomy 2026 Class 2 (Data leakage) response — disqualified at shortlisting. Three vendors fail Class 6 (Shadow AI controls) — disqualified. Three remaining vendors invited to POC (VEN-03). Comparable scoring at shortlist: 28 of 30 Risk Taxonomy responses verified per vendor.

Use case 2 — A 200-lawyer in-house function issuing RFP for second-generation eDiscovery. RFP includes mandatory AI BoM disclosure — each vendor lists all model components (foundation models, fine-tuning, prompt-engineering, post-processing). Two vendors decline to disclose; disqualified. One vendor’s AI BoM includes a foundation model the function’s Risk Register flags as Class 7-vulnerable (client confidentiality through retraining); disqualified after evaluation. Three vendors advanced to POC under tightened Class 7 mitigation criteria.

Use case 3 — A global energy GC office issuing RFP for Tier-4 autonomous renewal-triage. Agentic Tier provisions activated. Four vendors invited; two satisfy all four agentic provisions. Both advance to POC under the enhanced Agentic Tier evaluation gate.

Recommended Stakeholders

The Module’s stakeholders field is not currently populated; the canonical RACI for the Methodology is:

RACI role

Stakeholders

Owner

Legal Operations Lead

Approvers

AI Task Force Chair · Procurement Lead

Contributors

Risk and Compliance · CIO / CISO

Informed

General Counsel · Audit Committee

The AI Task Force (per STR-07) authorises RFP issuance and approves the shortlist. Procurement operates the RFP cycle day-to-day; Risk contributes the Risk Taxonomy 2026 response criteria.

Implementation Complexity

Dimension

Specification

RFP drafting and issuance

2–4 weeks

Full RFP cycle (issue → shortlist → recommendation)

4–8 weeks depending on complexity

Cross-team dependencies

Procurement · Risk · IT · Practice Group sponsor

Self-serve viability

Yes — template-driven

Advisory recommendation

Programme Design for first RFP of an unfamiliar capability category; Strategic Retainer for functions running ≥4 RFPs per year

The Module is methodology-versioned (v2026.1); the master template, response workbook, and AI BoM disclosure checklist are versioned alongside.

Inputs

Input

Source

USE-01 ranked use case

Use Case Prioritisation Methodology

AI Task Force RFP issuance approval

STR-07

Evaluation dimensions and weights

VEN-01

DPA requirements

DAT-03

Framework — RFP Architecture

RFP structure

The canonical RFP has eight sections:

Section

Content

1 — Executive summary and scope

Use case; expected scope; success criteria; commercial frame

2 — Governance and non-negotiable requirements

Mandatory contract conditions; DAT-03 DPA; SOC 2; AI BoM registration; training-on-client-data prohibition

3 — Technical specifications

Capability requirements; integration requirements; performance requirements

4 — AI Bill of Materials disclosures

Mandatory per-vendor BoM disclosure with model components, training data sources, fine-tuning approach, post-processing

5 — Risk Taxonomy 2026 evaluation

Per-class response requirements (one section per class)

6 — Evaluation criteria and weighting

Transparent scoring methodology aligned to VEN-01

7 — Commercial terms

Pricing structure; SLAs; commercial governance

8 — Standardised response format

Required response template for comparability

Risk Taxonomy 2026 — per-class mandatory response sections

Each vendor response must include, per Risk Class:

Class

Required response content

Class 1 — Hallucination

Hallucination rate; mitigation methodology; sampling protocol; evaluation discipline

Class 2 — Data leakage

Data residency; training prohibition; data isolation; encryption posture

Class 3 — Bias

Bias testing methodology; bias-detection cadence; remediation protocol

Class 4 — Vendor lock-in

Portability of trained artefacts; data export; exit-without-penalty terms

Class 5 — Regulatory non-compliance

Jurisdictional posture; regulatory-update cadence; compliance attestations

Class 6 — Shadow AI

Discovery / disclosure of any embedded foundation models or downstream AI; usage controls

Class 7 — Client confidentiality

Privilege-preserving architecture; retraining prohibition; engagement-letter language

Class 8 — Professional conduct

Supervisor-friendly architecture (ABA 5.3 alignment); user-level audit trail

Class 9 — Accountability dilution

Per-decision accountability trail; delegation interface; HITL configurability

Incomplete or evasive responses to any class are disqualification triggers; complete responses are scored against the calibration rubric.

AI BoM disclosure

The AI Bill of Materials disclosure section requires each vendor to enumerate:

Component

Required disclosure

Foundation model(s)

Name, version, provider, licensing posture

Fine-tuning data

Source, volume, last refresh, content-rights chain

Prompt-engineering

System prompts, prompt templates, prompt-management discipline

Post-processing

Filtering, scoring, formatting layers

Retrieval-augmented generation

Vector store, embedding model, retrieval index source

Agent orchestration (Tier 4 only)

Agent framework, tool surface, autonomous-action scope

Downstream AI components

Any embedded models in supporting infrastructure

Vendors unable to disclose components in full are disqualified — the discipline reflects the function’s Class 6 (Shadow AI) posture at the vendor surface.

Mandatory contract conditions

Condition

What it requires

DAT-03 Data Protection Agreement

Schedule 1 of the contract; vendor unable to satisfy DAT-03 = ineligible

Training-on-client-data prohibition

Default off; opt-in language explicit and scope-limited

SOC 2 Type II baseline

Type I permitted with remediation timeline

AI BoM registration

Condition precedent to implementation commencement

Risk Taxonomy 2026 mitigation attestations

Per-class attestation incorporated by reference into the contract

Agentic Tier provisions (Tier 4 only)

Four provisions per Agentic Tier section above

Scoring methodology

Dimension

Source weight

Scoring approach

Technical performance

30%

Calibrated against use-case-specific test criteria

Business value

25%

Vendor ROAI projection against USE-05 baseline

User experience

20%

Practitioner-facing capability assessment

Governance

15%

Risk Taxonomy 2026 + AI BoM disclosure + contract conditions

Commercial viability

10%

TCO including AI BoM impact + portability terms

Weights configurable per use case; defaults shown above.

Shortlist gate

To advance from RFP to POC:

Gate criterion

Pass requirement

Risk Taxonomy 2026 responses

All 9 classes complete and verified

AI BoM disclosure

Complete with no opaque components

Mandatory contract conditions

All satisfied or explicit remediation plan

Agentic Tier provisions (Tier 4)

All 4 satisfied

Aggregate score

≥ pre-set threshold (typically 75/100)

Failure on any criterion disqualifies; aggregate score below threshold disqualifies.

Worked Example

A 200-lawyer in-house function issues an RFP for second-generation eDiscovery (Tier 3 capability).

Week

Activity

Output

1–2

RFP drafted using master template; AI Task Force review; issuance approval

RFP v1.0 issued

3–6

Vendors respond (8 vendors invited)

8 vendor response packs

7

Risk Taxonomy 2026 verification: 2 fail Class 2; 1 fails Class 6; 5 advance

5 vendors verified

8

AI BoM disclosure review: 2 fail (incomplete BoM); 3 advance

3 vendors disclosed

9

Aggregate scoring against 30/25/20/15/10 dimension weights

Final scoring

10

Shortlist recommendation to AI Task Force: 3 vendors advance to POC

Phase-1 (RFP) closure

Total cycle: 10 weeks. POC (VEN-03) opens on the 3-vendor shortlist.

Common Failure Modes

Failure mode

Detection signal

Recovery

RFP issued without governance section

No DAT-03 / SOC 2 / BoM requirements

Reject; require governance section before issuance

Risk Taxonomy responses evaluated qualitatively without scoring

Subjective shortlist

Bind to scoring rubric; re-evaluate

AI BoM disclosure section skipped

Vendor disclosure not requested

Mandatory; cannot skip

Agentic Tier provisions absent for Tier 4 RFP

Tier 4 evaluation proceeds without 4 provisions

Reject; reissue with provisions

Scoring weights configured without sponsor sign-off

Weights drift between RFPs

Standing weights template; deviations require sponsor approval

Shortlist proceeds with incomplete responses

Vendors advanced despite missing class responses

Hold; require complete responses or disqualify

Vendor selection bypasses POC

Final selection on RFP scoring alone

POC is mandatory per VEN-03

Edge Cases

The Module does not apply when:

  • The function is acquiring a single-purpose tool with no AI component — general SaaS procurement applies
  • The vendor is sole-source by regulatory requirement — Methodology operates abbreviated (governance + Risk Taxonomy sections only)
  • The function is renewing an existing capability — light-touch RFP with refresh of Risk Taxonomy and BoM only
  • The vendor is operating under a parent-organisation MSA with existing governance posture — Module produces gap analysis against MSA rather than full RFP

Operational Signals

ven-02.rfp-issuance-cycle

Defensibility Posture Statement

Structured RFP issued to every legal AI vendor evaluation — DE-2 Methodology transparency record.

On change

ven-02.response-completeness-rate

Annual Legal AI OS Index

Vendor response completeness rate against Risk Taxonomy 2026 criteria feeds Annual Index procurement-discipline signal.

Quarterly

ven-02.evaluation-criteria-coverage

Console

Legal-specific criteria coverage scored per vendor for Console intelligence substrate.

On change

Inputs · Outputs

Inputs

  • · USE-01 ranked use case
  • · STR-07 AI Task Force RFP issuance approval
  • · VEN-01 evaluation dimensions and weights
  • · DAT-03 DPA requirements

Outputs

  • · Structured vendor responses scored against VEN-01 dimensions
  • · Risk Taxonomy 2026 class evidence record per vendor
  • · AI BoM vendor inventory (per vendor)
  • · Vendor ROAI projections against USE-05 baseline
  • · Vendor selection recommendation for STR-07 approval

Framework Crosswalk

NIST AI Risk Management Framework

NIST

Supports Govern and Map functions by embedding structured risk and governance requirements into AI vendor procurement.

ISO/IEC 42001 AI Management System

ISO

Contributes to AIMS planning and operational controls for supplier and lifecycle management of AI systems.

EU AI Act (draft/entered into force)

European Union

RFP requires vendors to provide an EU AI Act compliance roadmap, supporting obligations for high-risk and general-purpose AI systems.

ABA Model Rules 1.6 and 5.3

American Bar Association

Non-negotiable requirements on confidentiality and vendor supervision are aligned to Model Rules 1.6 and 5.3.

Operational Artefacts

  • Legal AI RFP Master Template

    docx · v2026.1

    Gated
  • Legal AI Vendor Response Workbook

    xlsx · v2026.1

    Gated
  • AI BoM Disclosure Checklist for Vendors

    checklist · v2026.1

    Gated

Diagnostic Relevance

Running the RFP Template strengthens the Sophistication lens — expected Band progression: Foundational → Operational.

Confidence: high

Key Takeaways

  • Vendors must confirm all nine Risk Taxonomy 2026 class mitigations in writing before shortlisting — incomplete responses are a governance red flag

  • AI BoM registration is a mandatory contract condition and condition precedent to implementation commencement

  • Data Protection Agreement per DAT-03 is required as a mandatory contract Schedule 1; vendors unable to satisfy DAT-03 are ineligible

  • Vendors must provide ROAI projections using USE-05 Baseline Metrics Capture Guide data categories and success metrics for USE-04

  • Agentic Tier solutions require four additional contract provisions: autonomous action audit trail, configurable intervention thresholds, permanent human override, and scope limitation controls

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

GC / CLOLegal OperationsRisk & Compliance

Strengthens

Sophistication lensAdoption lens

Module Details

Format
Module
Difficulty
Foundational
Pillar
P6
Owner
Legal Operations, STR-07 AI Task Force, Technology and Procurement
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

FoundationalOperational

Where this Module lives

The RFP Template sits at the front of the vendor lifecycle — issued before VEN-03 (POC Testing Framework) and VEN-04 (Security & Compliance Checklist). It consumes the AI Use Policy (GOV-02) scope to set the procurement boundary and produces a structured response set that downstream evaluation modules score. The Module produces DE-2 (Methodology transparency) and DE-3 (Evidence framework) records into the DPS. Without it, vendor evaluation begins with vendor-supplied talking points.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.