Who actually decides whether you win an enterprise deal? Inside the procurement approval workflow.
Most AI founders think of an enterprise buyer as a single person. The reality is very different, and misunderstanding it is one of the main reasons promising deals fall apart. An enterprise buyer is not one person. It is an entire organisation, made up of multiple departments, each with its own job, its own fears, and its own power over your deal.
This article explains what actually happens inside an enterprise when they decide whether to buy from you. It covers who is really involved, who genuinely makes the decision, the approval process your deal has to pass through, and the stack of documents sitting behind the security questionnaire that most founders have never heard of. Understand this, and the whole process stops being a mystery.
Why this matters
When a security questionnaire lands in your inbox and the deal goes quiet, it is tempting to assume someone simply did not like your product. In reality, your deal was almost certainly moving through a structured internal process, and it stalled at a step you did not know existed.
The founders who win enterprise deals are the ones who understand this process before they enter it. They know who is involved, what each person is looking for, and what documents they will be asked for. That knowledge lets them prepare in advance instead of scrambling when it is already too late.
Procurement is not the decision maker
Here is the single most common misconception, and getting it wrong costs founders deals. Procurement does not decide whether to buy your product. Procurement is a process enforcer, not a decision maker.
Procurement does not decide whether your product is good enough, whether the company needs it, or whether the price is right. What procurement does decide is whether the correct process was followed, whether all the right people signed off, whether you met the minimum requirements, and whether the paperwork is complete.
In other words, procurement runs the process. The actual judgements about your product, your security, and your risk are made by other departments entirely. This is why charming the person who loves your product is never enough on its own. They are rarely the one who can say yes, and they are never the only one who can say no.
The departments that actually decide
Behind procurement sit several departments, and each one runs its own independent check with its own question. Crucially, they are not asking whether your product is impressive. They are each protecting the organisation from a different kind of risk.
- The CISO, or head of security, asks whether your product is safe enough to enter the organisation. They do not care how good it is. They care whether it is secure.
- Legal and compliance ask whether your company exposes them to legal or regulatory risk.
- Finance asks whether your company is financially stable enough to be a reliable supplier.
- IT asks whether your product works safely alongside their existing systems, and what happens if it goes down, which is why they care about service level commitments.
- The Data Protection Officer asks whether your company handles personal data lawfully.
Every one of these is a separate gate, and your deal has to pass all of them.
The purchase approval workflow
These checks happen inside a structured sequence often called the purchase approval workflow. Understanding the shape of it shows you exactly why a deal can feel stuck even when the person who wants your product is fully behind you.
It usually begins with a business sponsor, the internal champion who wants your product. They raise a purchase request, but they have no power to complete the purchase themselves. Procurement then reviews the request, checking whether you are an approved supplier, how large the contract is, what risk category you fall into, and which departments must therefore approve. An AI product handling personal data at a meaningful contract value typically triggers the highest risk category and the longest list of required approvals.
Procurement then opens the approval workflow, sending formal review requests to every required department at once. Each department runs its independent check. Procurement consolidates all the verdicts, and only then communicates the outcome. The purchase order is issued only when every single approval has been received and documented.
The key rules of this workflow are worth stating plainly, because they explain so much.
- The business sponsor cannot bypass procurement, no matter how senior they are.
- Procurement cannot override any department. If the CISO says no, it is no.
- All departments must approve. Not a majority, not most. All of them.
- The process is the same regardless of how good your product is. A brilliant product with a missing agreement fails the same way a poor product does.
That fourth point is the one that catches founders out. The process does not reward how good your product is. It rewards whether you are ready.
The documents behind the questionnaire
Most founders know they need to pass a security questionnaire. Very few realise that the questionnaire sits on top of a whole stack of other documents, several of which are legally required. These broadly fall into a few groups.
There is the legal foundation, the UK law that everything else is built on. This includes the UK GDPR and the Data Protection Act 2018. It also includes the Procurement Act 2023, which came into force on 24 February 2025 and governs how public bodies buy goods and services, and the Data (Use and Access) Act 2025, which received Royal Assent in June 2025 with its major data protection provisions coming into force in February 2026, adding new provisions relevant to AI and automated decision making.
Then there are the assessment documents you receive during procurement. Beyond the vendor security questionnaire itself, public and enterprise buyers increasingly use formal selection and pre-qualification questionnaires that assess whether your company is even eligible to be a supplier, covering your financial standing, technical capability, certifications, and ethical compliance. Failing these can mean you never even reach the stage of submitting a proposal.
Then there are the legal and contractual documents that govern the relationship once procurement begins.
- Data Processing Agreement. A legally binding contract required under UK GDPR whenever you process personal data on the buyer's behalf.
- Sub-processor agreements. When your product relies on third parties such as model providers or cloud services, those are sub-processors, and the buyer has the right to know about them, approve them, and require equivalent protections.
- Master Services Agreement. The overarching commercial contract covering things like breach notification, audit rights, liability, and termination.
- Non-Disclosure Agreement. Often signed before the security questionnaire is even issued, because the questionnaire itself can reveal sensitive details about the buyer.
- Service Level Agreement. Defines the performance and uptime standards you must meet, and what happens if you fall short.
Finally there are the certifications that make everything else credible, ranging from foundational schemes through to the standards expected in regulated sectors. These are the proof points that turn your claims into something a security team can rely on.
The newest layer, and where it gets hardest
On top of all of this sits the newest and least understood layer, specific guidance on artificial intelligence in procurement. Buyers increasingly expect suppliers to disclose how AI is used, to explain how their systems make decisions, and to demonstrate that AI specific risks are governed. This is the area most founders are least prepared for, precisely because it did not exist a few years ago.
This is exactly why understanding the AI specific risks in your product, the kind that a standard compliance checklist never touches, has become so important. The procurement process has evolved to ask about them, and it will keep evolving in that direction.
The honest takeaway
The reason so many AI startups lose their first enterprise deal is not that their product was weak. It is that an enormous amount of paperwork and process sits behind that polite security questionnaire, governed by real law and enforced by people whose job is to protect their organisation rather than to champion your product.
Most founders have never heard of half of these documents. They know they need to pass a questionnaire. They do not realise that behind it sits a data processing agreement, sub-processor agreements, a master services agreement with specific security clauses, certifications, an AI governance expectation, and a legal framework that has tightened significantly in the last two years.
The good news is that all of it can be prepared for. None of it requires you to be a large company. It simply requires you to understand the process you are entering and to get your documentation in order before the questionnaire arrives, rather than after.