AI assistants for enterprise — what procurement actually requires

What this is actually about

Enterprise AI procurement is evaluated on criteria that have almost nothing to do with which AI assistant is most capable. The team that benchmarked ChatGPT versus Claude on reasoning tasks during the evaluation phase will spend most of the procurement process answering questions from IT security, legal, and compliance that have nothing to do with reasoning quality. Does the vendor have a signed DPA for GDPR? Is SOC 2 Type II in scope? Can SSO be configured with the corporate identity provider? What's the data retention policy and is it contractually binding?

This isn't a bureaucratic obstacle. It's the right set of questions. Enterprise AI deployment means putting organizational data — customer information, employee records, strategic documents, proprietary IP — through a third-party system at scale. The security and compliance review isn't separate from the AI evaluation; it's part of it. The tool that passes security review and is 85% as capable as the one that doesn't is more useful than the more capable tool that IT blocks.

What people get wrong

Most enterprise teams assume 'Enterprise plan' means the tool is enterprise-ready. Enterprise is a pricing tier, not a compliance certification. The features in an Enterprise plan vary significantly by vendor — some include SOC 2, DPA, SSO, and audit logs; some just include higher seat counts and priority support. Review what's actually in the Enterprise plan against your procurement checklist, not what 'Enterprise' implies.

Most enterprise teams assume the IT security review is primarily about data breaches. It's also about training data, subprocessors, and jurisdiction. Does the vendor train on enterprise data? (Should be contractually excluded.) Who are the subprocessors that touch the data? (Should be listed and auditable.) What jurisdiction governs the data? (US-incorporated vendors are subject to the CLOUD Act regardless of where the data is stored.) These questions often come from legal and compliance, not IT security, and they have different answers than the standard security checklist.

Most enterprise teams assume the AI assistant is a standalone deployment. It often isn't. Enterprise AI assistant deployment typically integrates with the corporate identity provider (SSO), feeds outputs into other enterprise systems (CRM, HRIS, project management), and creates data flows that require mapping and documentation for compliance. The scope of the deployment determines the scope of the compliance review.

How it actually works

The enterprise-ready AI assistants in this category are Claude Enterprise (Anthropic) and ChatGPT Enterprise (OpenAI). Both provide: contractual training exclusion, a data processing agreement for GDPR, SSO (SAML/OIDC), audit logs, expanded admin controls, and SOC 2 Type II certification. Both are US-incorporated and subject to the CLOUD Act. For organizations with strict data sovereignty requirements that exclude US jurisdiction, neither fully addresses the concern; Synthesia's UK incorporation is the exception in this vertical, for video specifically.

The differentiation between Claude Enterprise and ChatGPT Enterprise at the feature level is smaller than the differentiation at the ecosystem level. ChatGPT Enterprise benefits from Microsoft's enterprise sales infrastructure, Azure deployment options, and Microsoft 365 integration. Claude Enterprise benefits from Anthropic's AISI pre-deployment safety evaluations, Amazon Bedrock and Google Cloud Vertex native availability, and a privacy default that applies at all tiers — meaning the team can use Claude on any plan without creating a shadow IT privacy gap that gets fixed at enterprise tier.

The enterprise procurement timeline for AI assistants is typically 3–6 months from evaluation to signed contract, depending on the organization's vendor assessment process. This is not unusual for enterprise SaaS and shouldn't be treated as a problem with the vendors. Plan for this timeline when evaluating AI tools for enterprise deployment, and avoid building team workflows around tools that haven't passed procurement review.

Different situations, different paths

If the primary enterprise driver is Microsoft 365 integration — AI assistance within Word, Excel, Outlook, and Teams — ChatGPT Enterprise is the path that connects to Microsoft Copilot infrastructure. Azure deployment is available for organizations standardizing on Azure.

If the primary enterprise driver is privacy posture at all tier levels — so the team can use the tool without shadow IT creating a compliance gap at the free or pro tier — Claude's consistent no-training default across Free, Pro, Max, Team, and Enterprise is the structural advantage. Enterprise adds DPA, SSO, and audit logs.

If you're in a regulated industry with HIPAA, FINRA, or sector-specific data handling requirements beyond standard enterprise security, those specific certifications and contractual obligations need to be verified directly with each vendor's enterprise sales team. SOC 2 Type II is the general enterprise baseline; sector-specific requirements are above it.

If the enterprise need is specifically AI-generated video — for training programs, internal communications, or LMS deployment with SCORM tracking — that's a different product category from AI assistants. Synthesia Enterprise is the relevant tool for that use case.

What this guide doesn't solve

Enterprise AI assistant deployment doesn't solve the human factors: how well people prompt, how diligently they review AI output before sharing it, and whether the AI quality standard is owned and maintained. Technology procurement gets you the tool; organizational change management gets you the adoption. Both are required for enterprise AI to deliver on the promise.

SOC 2 Type II covers the operational security of the platform during the audit period. It doesn't cover everything: model training practices, subprocessor data handling, or the AI application layer specifically may be outside the audit scope. Review the SOC 2 report's system description, not just the certificate, to understand what the audit actually covered.

Enterprise AI tool contracts have renewal cycles, minimum seat requirements, and exit terms that are worth understanding before signing. The minimum commitment at enterprise tier across these platforms is typically a 12-month term plus a minimum seat count. Building organizational workflows around a tool before understanding the exit cost creates switching costs that weren't visible at procurement time.
