AI procurement checklist for local authorities

A council-ready checklist for buying AI: procurement route, DPIA, ATRS, NCSC, supplier evidence and cabinet controls before award.

Hamada Mahdi · 10 min read · Researched and drafted with AI assistance, reviewed by Karl George MBE

An AI procurement checklist for local authorities should make cabinet approval conditional on evidence: lawful route to market, purpose, DPIA, equality assessment, supplier testing, ATRS position, NCSC cloud security mapping, human review, audit logs and contract monitoring before award.

That is the short answer. The longer one is that councils rarely build AI from scratch. The Local Government Association's buying guide, co-developed with the ICO, EHRC and LOTI, says councils typically procure AI-based technologies rather than develop them in-house (LGA responsible buying AI guide). The procurement process is therefore where many governance failures either get prevented or admitted into the council for three years.

This playbook sits under our broader article on AI governance for local authorities. It is written for cabinet members, monitoring officers, section 151 officers, procurement leads, DPOs, SIROs and service directors who need a buying decision that can be defended to residents, auditors and scrutiny.

Key takeaways

  • The Procurement Act 2023 makes value for money, public benefit, transparency, integrity and SME access procurement objectives, so AI assurance belongs in the specification, evaluation and contract.
  • For council AI, the buying process should start before the tender with the decision status: advisory, decision-supporting or decision-triggering.
  • DPIA and equality evidence are not post-award paperwork. The LGA guide says councils should consider equality and data protection risks before starting and throughout procurement.
  • If an AI tool supports public decisions, the ATRS position should be known before award, even where local government is recommended rather than mandated to publish.
  • Contract management is part of procurement under the government guidance, so the contract must preserve monitoring, audit rights, model-change notice and exit routes.

AI procurement checklist for local authorities

Use this as the cabinet and tender gate. A bid should not pass because a supplier says its model is safe. It should pass because the authority can show which evidence was requested, who reviewed it, and what conditions will survive into the contract.

| Check | Evidence to require before award | Owner |
|---|---|---|
| Purpose and route to market | Business case, procurement route, whether a framework or dynamic market call-off is lawful, and why AI is needed | Senior responsible owner and procurement lead |
| Decision status | Statement of whether the tool informs, recommends, scores, escalates or triggers a resident-facing outcome | Service director |
| DPIA and data map | Council DPIA started before tender, supplier DPIA reviewed, lawful basis, data flows, retention, processor terms and international transfer position | Data protection officer |
| Equality assessment | EqIA or PSED assessment, protected-characteristic risk review, testing plan and monitoring commitments | Equality lead and service director |
| Supplier testing | Accuracy, bias, subgroup performance, explainability, known limitations, human factors and failure modes | Evaluation panel with specialist advice |
| Transparency | Draft ATRS record or recorded reason why an ATRS record is not in scope, plus public-facing wording | Digital, transparency or governance lead |
| Security and resilience | NCSC cloud-principles mapping, access controls, data location, incident process, recovery plan and subcontractor list | SIRO or cyber lead |
| Human review | Named role with authority to review, override, pause and explain AI-influenced outcomes | Service director and monitoring officer |
| Contract controls | Audit rights, data access for monitoring, change notice, model versioning, incident notification, logs, termination and handover | Procurement, legal and contract owner |

The LGA guide says councils can ask bidders for DPIAs, equality impact assessments and algorithmic impact assessments, and can build equality and data protection questions into tender and award processes. It also says councils should be ready to decide not to proceed where risks cannot be reduced or managed. That sentence is doing work: the checklist must be allowed to stop a purchase.

What cabinet must approve before award

Cabinet should not be asked to approve an AI product as a technology choice. It should be asked to approve a governed public-service intervention. The paper should answer six questions.

  • What public problem is being solved? Name the service, the resident group, the current failure or cost, and why ordinary workflow, analytics or supplier process change would not be enough.
  • Who could be affected? Include residents, staff, businesses and protected groups, especially where the system touches social care, homelessness, benefits, planning, enforcement, complaints or special educational needs.
  • What decision does the output influence? An advisory summary is different from a risk score that changes priority, eligibility or enforcement.
  • What law and guidance have been mapped? At minimum, the Procurement Act objectives, UK GDPR, Public Sector Equality Duty, ATRS, NCSC cloud principles and the council's own AI policy.
  • What evidence exists now? Cabinet should see the gaps, not only the supplier's claim. Link the paper to the council's AI policy and the wider AI governance framework.
  • What will stop the tool? State the thresholds for pause, rollback, non-renewal or contract termination.

The Government Commercial Function guidance on covered procurement says the Procurement Act objectives include delivering value for money, maximising public benefit, information-sharing, acting with integrity and reducing barriers for SMEs (covered procurement objectives guidance). For AI, those objectives are not abstract. A value-for-money case that ignores bias testing, retraining costs, data export, security monitoring and public complaints is not a complete value case.

The same guidance says the covered procurement concept includes award, entry into and management of the contract (covered procurement definition guidance). That matters because AI risk often appears after the first release: model drift, new supplier features, a changed data source, or a service area using the tool for a purpose the tender never described.

Controls and evidence to build into the tender

Most AI tender questions are too easy to answer. "Describe your approach to responsible AI" invites a polished paragraph. "Provide your DPIA, bias test method, subgroup results, change-control process and audit log fields" invites evidence.

For resident-facing or service-affecting AI, the invitation to tender should require:

  • a clear model card or system description, including intended use, prohibited use, training or reference data categories, known limits and performance by relevant subgroup where available;
  • the supplier's development DPIA, plus enough information for the council's own DPIA and Article 30 record;
  • evidence of equality testing, including how the supplier identified protected-characteristic risks and proxy variables;
  • a human-review design that gives council officers reasons, authority, time and an override route;
  • logs that show input, output, model version, user, timestamp, decision status and any human action taken;
  • security evidence mapped to the NCSC principles, including separation between customers, identity, audit information, operational security and subcontractor control;
  • clear terms for model changes, new AI features, retraining, data use, deletion, export and exit.

The ICO's DPIA guidance says its list of high-risk processing includes innovative technology such as AI when combined with other risk criteria, and it treats a DPIA as required where processing is likely to result in high risk to individuals (ICO DPIA high-risk examples). The Data (Use and Access) Act 2025 also changes the UK automated-decision-making framework: GOV.UK says organisations may make significant solely automated decisions in wider circumstances, but must provide information, challenge routes and human intervention safeguards (DUAA data protection changes).

The equality question is just as direct. EHRC guidance on AI and the Public Sector Equality Duty says public authorities must have due regard to eliminating unlawful discrimination, advancing equality of opportunity and fostering good relations when using AI (EHRC AI and PSED guidance). For procurement, that means equality is not a paragraph in the specification. It is an evaluation criterion, a contract-monitoring duty and a reason to reject a tool that cannot be tested.

Map the checklist to procurement, data, transparency and security frameworks

Councils do not need to create a separate AI procurement religion. They need to connect the buying gate to frameworks officers already recognise.

| Framework | Procurement question | Evidence in the file |
|---|---|---|
| Procurement Act 2023 objectives | Does the process evidence value for money, public benefit, transparency, integrity and fair supplier treatment? | Cabinet paper, evaluation model, moderation record, conflicts register and award rationale |
| National Procurement Policy Statement | Has the authority documented how the procurement relates to current NPPS policy priorities, or why they are not relevant? | NPPS note in the strategy, specification or decision record |
| UK GDPR and DUAA | Can the council show lawful basis, fairness, minimisation, DPIA, human intervention and challenge routes where decisions are significant? | DPIA, Article 30 entry, privacy notice, human-review workflow and complaint route |
| Public Sector Equality Duty | Were equality impacts considered before award and monitored during use? | EqIA, test results, monitoring data and review minutes |
| ATRS | Can a resident understand what the tool does, why it is used, what data it uses and who is accountable? | Draft or published transparency record |
| NCSC cloud security principles | Has the supplier provided evidence against data protection, separation, governance, operational security, audit and secure use? | Security assessment, supplier evidence pack and incident response plan |

The National Procurement Policy Statement guidance says contracting authorities must have regard to the current NPPS where the statutory duty applies, and should document which policies a procurement can contribute to and why others are irrelevant or unsuitable (NPPS guidance). That is useful discipline for AI because it forces the authority to write down why the procurement design, award criteria and contract terms were chosen.

The Algorithmic Transparency Recording Standard hub says ATRS establishes a standardised way for public-sector organisations to publish how and why they use algorithmic tools, and that it remains recommended for the broader public sector even where central-government mandate does not apply (ATRS hub). For a council, the practical test is simple: if you cannot draft the ATRS record before award, you probably cannot explain the tool clearly enough to buy it.

Security belongs in the same file, not a late technical appendix. The NCSC cloud principles ask buyers to consider evidence from the provider and cover data in transit, asset protection, separation between customers, governance, operational security, supply chain, secure user management, audit information and secure use (NCSC cloud security principles). Many council AI systems will be cloud-hosted, API-mediated or embedded in SaaS. The security review is therefore part of the procurement decision.

Contract management after award

The contract should assume that the AI system will change. That is not a defect in the market; it is the nature of the product. The authority needs rights that keep governance live after award.

Build these clauses into the contract or call-off order:

  • the supplier must give advance notice of new AI features, material model changes, new subprocessors and changes to data use;
  • the council can require evidence refreshes: DPIA inputs, equality testing, performance results, security evidence and incident reports;
  • the council receives enough logs to investigate a resident complaint or scrutiny question without asking the supplier to reconstruct the record by hand;
  • the supplier must support pause, rollback, human-only fallback and data export;
  • the council owns or can access the service evidence needed for ATRS, audit, subject access requests, complaints and contract review;
  • termination includes handover, deletion evidence and continuity for residents.

The AI Playbook for the UK Government warns that embedded AI applications and extensions carry their own security concerns, and that buyers should understand architecture and vendor mitigations before adoption (AI Playbook for the UK Government). That warning maps exactly to local government. An AI feature switched on inside an existing casework, CRM or productivity tool is still a procurement and contract-management issue if it processes council data or influences a public function.

The contract owner should report three figures at review: how many cases the tool touched, how many human overrides or complaints arose, and whether outcome monitoring shows any differential impact. If the answer is "the supplier dashboard does not show that", the contract did not buy enough evidence.
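
As an added example (not from the original article or any supplier), this Python check tests a log export for the fields the tender list requires and derives two of the review figures from it. The field names, the JSON Lines format, `case_id` and the `override` value are assumptions, and the sample records are constructed.

```python
import json

# Assumed field names: the page lists what a log must show, not a schema.
REQUIRED = ("input", "output", "model_version", "user", "timestamp",
            "decision_status", "human_action")
STATUSES = {"advisory", "decision-supporting", "decision-triggering"}

# Constructed sample export in JSON Lines; not real supplier data.
SAMPLE = "\n".join([
    '{"case_id":"C1","input":"i1","output":"o1","model_version":"1.0",'
    '"user":"officer1","timestamp":"2026-01-05T09:00:00Z",'
    '"decision_status":"advisory","human_action":"none"}',
    '{"case_id":"C2","input":"i2","output":"o2","model_version":"1.1",'
    '"user":"officer2","timestamp":"2026-01-06T10:30:00Z",'
    '"decision_status":"decision-supporting","human_action":"override"}',
    '{"case_id":"C3","input":"i3","output":"o3","user":"officer1",'
    '"timestamp":"2026-01-07T11:15:00Z","decision_status":"scored"}',
    'not json',
])


def audit_export(text):
    """Return (review figures, evidence gaps) for a JSON Lines log export."""
    cases, versions, overrides, gaps = set(), set(), 0, []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            gaps.append((line_no, "unparseable record"))
            continue
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:
            gaps.append((line_no, "missing: " + ", ".join(missing)))
        status = rec.get("decision_status")
        if status not in (None, "") and str(status) not in STATUSES:
            gaps.append((line_no, "unknown decision_status: " + str(status)))
        if rec.get("case_id"):
            cases.add(str(rec["case_id"]))
        if rec.get("model_version"):
            versions.add(str(rec["model_version"]))
        if rec.get("human_action") == "override":
            overrides += 1
    figures = {"cases_touched": len(cases), "human_overrides": overrides,
               "model_versions": sorted(versions)}
    return figures, gaps
```

A non-empty gap list means the export cannot support a complaint investigation for those records; more than one model version in a review period is a prompt to check that change notice was given.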

Common mistakes and next step

The first mistake is starting with a preferred supplier and then asking governance to justify it. The proper order is purpose, risk, evidence, route to market, evaluation, then award.

The second is treating a framework call-off as assurance. A framework can shorten procurement. It does not answer whether this council, this dataset, this resident group and this use case are lawful, fair and secure.

The third is accepting "human in the loop" without testing whether the human can act. A named officer needs reasons, training, time, authority and a log. Otherwise the review is theatre.

The fourth is leaving transparency until communications. Our public-sector go-live checklist explains why ATRS, DPIA and NCSC evidence should be ready before launch. Procurement should ask for the same artefacts before award.

Start with the highest-risk live or planned AI procurement and run the table above against it. If the evidence is thin, take the free Board AI Scorecard to establish your current oversight baseline. For a fuller review, our AI governance diagnostic maps council AI use against procurement evidence, DPIA and PSED duties, ATRS readiness and operational controls.

Last reviewed: 18 June 2026.

Sources: LGA responsible buying AI guide · GOV.UK covered procurement objectives guidance · GOV.UK covered procurement definition guidance · ICO DPIA high-risk examples · GOV.UK DUAA data protection changes · EHRC AI and Public Sector Equality Duty guidance · GOV.UK National Procurement Policy Statement guidance · GOV.UK Algorithmic Transparency Recording Standard hub · NCSC cloud security principles · GOV.UK AI Playbook
