CLUSTER 5.2 — AI Procurement Standards for Universities
URL: /education/ai-governance-education/ai-procurement-standards/
---
Most universities are buying AI products through procurement processes designed for software products that don't make decisions, generate content, or handle student data the way AI products do. The mismatch produces vendor risk, compliance exposure, and integration failure at scale.
The institutions that have rebuilt procurement standards for AI vendors operate from defensible posture. The institutions that haven't are accumulating risk.
The seven evaluation dimensions modern AI procurement requires
1. Privacy and data handling. FERPA, COPPA, state student privacy laws, GDPR for institutions with EU operations. Data residency, retention, deletion, training data use, third-party access. Vendor contractual representations and institutional audit rights.
2. Security posture. SOC 2 Type II or equivalent. Encryption at rest and in transit. Incident response protocols. Subprocessor management. Standard cybersecurity diligence at higher rigor than general SaaS.
3. Pedagogical evaluation. Does the product align with institutional educational frameworks? Is the underlying pedagogy defensible? Has the product been evaluated by faculty domain experts — not just IT and procurement?
4. Bias and equity audit. Has the vendor conducted bias testing? Is demographic equity in outcomes documented? Are accessibility standards met?
5. Hallucination and accuracy. What is the vendor's documented approach to hallucination control? Factual accuracy testing? Subject-matter validation in education-specific contexts?
6. Integration and interoperability. SIS, LMS, identity providers, gradebook, reporting. Surface-deployment products produce limited value and high renewal risk.
7. Vendor stability. Financial backing, leadership, customer base, contractual continuity protections. EdTech bankruptcies in 2024 and 2025 made this dimension procurement-critical.
The procurement process
Step 1: Central governance review. No AI tool gets procured without governance committee evaluation — regardless of budget source or department.
Step 2: Risk-tiered evaluation. Higher-risk categories (student-data-handling, decision-making, content-generating) receive more rigorous evaluation than lower-risk categories.
Step 3: Faculty pedagogical review. For products affecting instruction or student learning, faculty domain experts must evaluate.
Step 4: Legal and security review. Contractual terms, data handling, security posture.
Step 5: Pilot before scale. Major AI deployments piloted before institution-wide rollout.
Step 6: Continuous monitoring. Post-deployment monitoring of vendor practice changes, incidents, and outcomes.
What gets procured around the standards
Departmental shadow procurement is the most common failure mode. Individual departments purchase AI tools through departmental budgets, bypassing central governance. The institution accumulates an unauditable inventory of AI systems handling student data without institutional review.
The fix is institutional procurement authority. No AI tool — at any budget level — gets procured without governance review. Most institutions have not yet implemented this discipline. The ones that have operate from defensible posture. The ones that haven't will eventually learn the cost when an incident exposes the gap.
---
