    clarier.ai
    AI Oversight
    Risk Management
    TPRM

    Before You Deploy: How to Underwrite AI Tools Before They Go Live

    A Framework for Saying Yes Faster — and No Earlier

    April 13, 2026 · 8 min read

    Your organization is adopting AI faster than your risk framework can keep up.

    That's not a criticism — it's the reality facing every team responsible for AI oversight right now, whether that's a dedicated risk function, the CISO's office, Legal, or a hybrid of all three. Business units are spinning up AI tools, developers are integrating third-party models, and employees are reaching for whatever makes them faster. By the time oversight hears about it, the tool is already in production, the vendor contract is signed, and the data has been flowing for weeks.

    The challenge isn't whether to allow AI. That ship has sailed. The challenge is building a repeatable process to underwrite AI tools before they go live — so you can say yes faster to the right things, and no earlier to the wrong ones.

    Here's a framework for doing exactly that.

    Why Existing Vendor Risk Management Falls Short

    Most organizations try to route AI tools through their existing third-party risk management process. It doesn't work well. TPRM was designed for deterministic software, whose behavior is fixed by its code and configuration. AI systems are probabilistic — they produce outputs that can't be fully predicted, and their behavior can drift over time as underlying models are updated by the vendor without notice.

    The questions your TPRM questionnaire asks — uptime guarantees, disaster recovery, data encryption at rest — are necessary but insufficient. They don't capture the risks that are actually unique to AI: model drift, hallucination, data ingestion into training pipelines, or the downstream liability of an AI-generated decision that harms a customer.

    You need a separate underwriting lens for AI, sitting alongside TPRM rather than inside it.

    The Five Questions Every AI Tool Underwriting Should Answer

    1. What does the model actually do — and what can it get wrong?

    This sounds obvious but is consistently underdone. Most AI vendors describe what their tool does in best-case terms. Your job is to understand the failure modes: what happens when the model is wrong, how often it's wrong, and whether the error is detectable before it causes harm.

    Ask for accuracy metrics, hallucination rates where applicable, and examples of known failure cases. If the vendor can't answer these questions, that's your answer.

    2. Where does your data go — and does it stay there?

    This is the question that should block more deployments than it does. When an employee submits a prompt to a third-party AI tool, where does that data go? Is it stored? Is it used to train or fine-tune the model? Is it accessible to the vendor's own teams?

    For financial services firms, the answers matter enormously — for client confidentiality, data residency requirements, and regulatory obligations. Get contractual commitments, not marketing language. Then verify them.

    3. Who inside your organization is accountable for this tool?

    Every AI tool in production needs a named business owner who is accountable for its performance and responsible for flagging issues. This isn't bureaucracy — it's the minimum structure that makes ongoing monitoring possible.

    Without a named owner, AI tools become orphaned. They get forgotten until something goes wrong, at which point the audit trail leads nowhere.

    4. What does good look like — and how will you know if it changes?

    Before a tool goes live, the oversight function and the business owner should agree on the performance thresholds that constitute acceptable behavior: accuracy floors, error rate ceilings, output review requirements. These become the monitoring benchmarks.

    This step is where most AI oversight programs have a gap. They assess the tool at point of approval and then assume it stays the same. AI systems don't stay the same. Models get updated, training data changes, usage patterns shift. A tool that passed underwriting six months ago may not pass it today.

    5. What's the off-ramp?

    Every AI deployment should have a documented exit process: what triggers a suspension, who has authority to pull the tool, and how the organization reverts to a non-AI process in the interim. This is the equivalent of a circuit breaker.

    In practice, off-ramps are rarely tested before they're needed. Building them in at underwriting — when everyone is optimistic — is dramatically easier than trying to construct them under pressure during an incident.
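Questions 4 and 5 describe a control that can be written down as code: the thresholds agreed at underwriting become the monitoring benchmarks, a monitoring window is compared against them, and a circuit breaker routes traffic to the documented non-AI fallback when a hard threshold is breached. The following is an added example, not Clarier's code or product; the tool name, owner, thresholds, model versions and observation windows are all constructed for illustration, and the "review" versus "suspend" split (vendor model change or slipped review coverage triggers reassessment, an accuracy or error-rate breach trips the breaker) is one reasonable design, not a standard.

```python
"""Monitoring benchmarks and circuit breaker for an underwritten AI tool.

Added example, not Clarier's code. Every tool name, owner, threshold and
observation window below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class UnderwritingBenchmarks:
    """Thresholds agreed between oversight and the business owner at approval."""
    tool: str
    owner: str                    # named accountable owner (question 3)
    accuracy_floor: float         # observed accuracy below this trips the breaker
    error_rate_ceiling: float     # share of incorrect/harmful outputs above this trips it
    review_sample_rate: float     # minimum share of outputs that must get human review
    approved_model_version: str   # the vendor model version that passed underwriting


@dataclass(frozen=True)
class ObservationWindow:
    """Metrics for one monitoring period, as reported by the output-review process."""
    model_version: str   # version the vendor actually served during the window
    total: int           # outputs produced
    correct: int         # outputs judged correct by reviewers or ground truth
    errors: int          # outputs judged incorrect or harmful
    reviewed: int        # outputs that received human review


@dataclass
class Decision:
    action: str                              # "continue", "review" or "suspend"
    reasons: list[str] = field(default_factory=list)


def evaluate(bench: UnderwritingBenchmarks, window: ObservationWindow) -> Decision:
    """Compare one window against the benchmarks. "review" marks an event-triggered
    reassessment; "suspend" means a hard threshold was breached and overrides it."""
    if window.total == 0:
        return Decision("review", ["no outputs observed in window"])
    reasons: list[str] = []
    action = "continue"

    if window.model_version != bench.approved_model_version:
        reasons.append(f"model version {window.model_version} differs from "
                       f"approved {bench.approved_model_version}")
        action = "review"
    if window.reviewed / window.total < bench.review_sample_rate:
        reasons.append("human review coverage below agreed sample rate")
        action = "review"

    accuracy = window.correct / window.total
    if accuracy < bench.accuracy_floor:
        reasons.append(f"accuracy {accuracy:.3f} below floor {bench.accuracy_floor}")
        action = "suspend"
    error_rate = window.errors / window.total
    if error_rate > bench.error_rate_ceiling:
        reasons.append(f"error rate {error_rate:.3f} above ceiling {bench.error_rate_ceiling}")
        action = "suspend"
    return Decision(action, reasons)


class CircuitBreaker:
    """Routes requests to the AI tool until a window trips the breaker, then to the
    documented non-AI fallback until the named owner reinstates it."""

    def __init__(self, bench, ai_handler, fallback_handler):
        self.bench = bench
        self.ai_handler = ai_handler
        self.fallback_handler = fallback_handler
        self.suspended = False
        self.history: list[Decision] = []   # audit trail of every decision taken

    def record_window(self, window: ObservationWindow) -> Decision:
        decision = evaluate(self.bench, window)
        self.history.append(decision)
        if decision.action == "suspend":
            self.suspended = True
        return decision

    def reinstate(self, approver: str, approved_model_version: str) -> None:
        """Only the accountable owner may close the breaker, and doing so re-baselines
        the approved version, i.e. the tool has been re-underwritten."""
        if approver != self.bench.owner:
            raise PermissionError(f"{approver} is not the accountable owner")
        self.bench = replace(self.bench, approved_model_version=approved_model_version)
        self.suspended = False

    def handle(self, request: str) -> str:
        if self.suspended:
            return self.fallback_handler(request)
        return self.ai_handler(request)


# Constructed sample data: thresholds agreed at underwriting and three windows.
BENCH = UnderwritingBenchmarks(
    tool="contract-summarizer", owner="ops-lead@example.com",
    accuracy_floor=0.92, error_rate_ceiling=0.02,
    review_sample_rate=0.05, approved_model_version="v1.3",
)
HEALTHY = ObservationWindow("v1.3", total=1000, correct=960, errors=10, reviewed=80)
VENDOR_UPDATE = ObservationWindow("v1.4", total=1000, correct=950, errors=15, reviewed=60)
DEGRADED = ObservationWindow("v1.4", total=1000, correct=880, errors=35, reviewed=60)


def demo() -> list[str]:
    """Feed the three windows to a breaker and return where each request was routed."""
    breaker = CircuitBreaker(BENCH, lambda r: f"ai:{r}", lambda r: f"manual-queue:{r}")
    routed = []
    for window in (HEALTHY, VENDOR_UPDATE, DEGRADED):
        breaker.record_window(window)
        routed.append(breaker.handle("doc-42"))
    return routed


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second window shows the event-triggered case from the section above: the vendor silently moved from v1.3 to v1.4, metrics are still within thresholds, so traffic keeps flowing but the decision log records that a reassessment is due. The third window breaches both hard thresholds, traffic goes to the manual queue, and only the named owner can close the breaker, which is the "who has authority to pull the tool" question answered in code rather than in a document nobody has tested.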

    From One-Time Assessment to Living Oversight

    Underwriting is the entry gate, not the finish line. The organizations getting AI oversight right are treating it as a continuous process: initial underwriting before deployment, periodic reassessment on a defined cycle, and event-triggered review when the vendor updates their model, when usage patterns change significantly, or when an incident occurs.

    This is the shift from point-in-time compliance to a living control environment — and it's the standard that regulators are moving toward, even if the formal rules haven't fully caught up yet.

    The firms that build this infrastructure now will be the ones that can demonstrate AI oversight on demand — to their regulators, to their board, and to their clients — when everyone else is scrambling.

    The Practical Starting Point

    If your organization doesn't have a formal AI underwriting process today, the place to start is inventory. You can't underwrite what you don't know exists.

    Map what AI tools are currently in production, who approved them, and when. You'll almost certainly find tools that were never formally reviewed, tools whose original business owner has left, and tools whose vendor contracts say nothing meaningful about AI oversight.

    That inventory is your baseline. Everything else builds from there.

    Clarier helps modern enterprises build and operationalize AI oversight — from discovery and inventory through underwriting workflows, ongoing monitoring, and audit-ready reporting. If you're building an AI oversight program and want to compare notes, we'd love to talk.
