# AI contractor red flags checklist

Use this checklist before signing a contract for AI audit, prototype, RAG, AI automation, AI agent, LLM workflow or internal AI tooling.

| Area | Red flag observed? | Evidence | Score 0-3 | Owner | Next action | Decision |
| --- | --- | --- | ---: | --- | --- | --- |
| Business outcome |  |  |  |  |  |  |
| Scope staging |  |  |  |  |  |  |
| Data access |  |  |  |  |  |  |
| Privacy boundary |  |  |  |  |  |  |
| Evaluation |  |  |  |  |  |  |
| Integrations |  |  |  |  |  |  |
| Human approval |  |  |  |  |  |  |
| Security failure modes |  |  |  |  |  |  |
| Delivery artifacts |  |  |  |  |  |  |
| Maintenance owner |  |  |  |  |  |  |

## Scoring

- 0: critical red flag; stop production scope.
- 1: weak signal; requires discovery before implementation.
- 2: reviewable signal; can proceed to audit or controlled prototype.
- 3: strong signal; evidence, owner, constraint and next action are clear.

## Routing

- Any 0 in privacy, write permissions or rollback: run risk audit first.
- Many 1 scores in data or integrations: map sources, permissions and API contracts.
- Weak evaluation answers: build an evaluation set before implementation.
- Weak ownership answers: define support, logs and handoff before contract.
