AI Vendor Audit

The Six-Point Diligence Framework for AI Vendor Pitches

A vendor-neutral consumer-advisory framework for CPAs evaluating AI software vendors in tax, accounting, and advisory practice. Six checks, runnable from a phone in approximately 20 minutes.

How should a CPA evaluate an AI vendor before signing?

A CPA can run a six-point diligence framework — verifying the vendor's leadership in SEC EDGAR, patent claims in USPTO PAS, performance claims in FINRA BrokerCheck, the deployed site's legal pages, the integrity of JSON-LD structured data, and the public deployment artifacts in the HTML — in roughly 20 minutes from a phone.

1. Track-record substantiation

Have you cross-referenced the vendor founder's claimed track record (acquisitions, exits, revenue) against primary public records like SEC EDGAR filings?

Why this matters

Founder bios on websites and LinkedIn are self-reported. Big-number claims about prior exits or acquisitions usually leave a trace in public filings — 10-Ks, 8-Ks, S-1s, proxy statements. The presence or absence of that paper trail is something any CPA can check in 10 minutes.

How to check this yourself

Search SEC EDGAR by the founder's name and by every company name in their bio. Read the 8-K describing any acquisition they reference. The dates and dollar amounts in an 8-K are the record; bios are not. Source: SEC EDGAR.


2. Patent claims

If the vendor claims patents, have you confirmed on USPTO Patent Assignment Search that the patents are assigned to the entity selling you the product (not a different company or a different person with the same name)?

Why this matters

Patent name-collisions are common — "John Smith" has hundreds of patents across many fields. A vendor claiming "5 patents" may be counting patents held by an unrelated person with the same name, or patents held by a company they don't actually own. USPTO records are deterministic: assignment is recorded or it isn't.

How to check this yourself

Use USPTO Patent Assignment Search and search by the exact entity name the vendor claims owns the patents. If no records return, the assignment isn't recorded under that name. Source: USPTO Patent Assignment Search.


3. Performance & investment claims

If the vendor advertises specific returns or performance figures, is there a current Form ADV and Client Relationship Summary (CRS) on file with the SEC under the entity making the claim?

Why this matters

Anyone advertising specific investment returns is in territory regulated by the SEC or state securities regulators. Form ADV and CRS are required disclosures. If a vendor advertises returns but no ADV/CRS exists for the advertising entity, that's a question to ask before recommending the product to a client.

How to check this yourself

Search SEC IAPD by entity name and by individual name. Also search FINRA BrokerCheck. The "Firm" and "Individual" tabs both matter. Source: SEC IAPD.


4. Legal pages

Does the vendor's public website have a visible Privacy Policy, Terms of Service, and physical business address at the URLs you've actually reviewed?

Why this matters

A site selling a six-figure product to CPAs should publish basic legal pages and an address. The absence isn't proof of anything, but it's a question to ask: where is the entity domiciled, who is the data controller for client data, what's the arbitration clause? These are answers a CPA needs to evaluate the agreement.

How to check this yourself

Visit the vendor's website footer. Look for Privacy Policy, Terms of Service, Cookie Policy, and a Contact page with a physical address. If the site links to legal pages but they 404, treat that as "not visible." Source: the vendor's own site footer.


5. Structured-data integrity

Have you viewed the vendor site's HTML source for JSON-LD aggregateRating markup — and if it's present, have you tried to match the review count against any public review corpus (Google, Trustpilot, G2, Capterra)?

Why this matters

Schema.org aggregateRating markup is what Google reads to put star ratings in search results. The markup is a number in the HTML, and it's supposed to reflect a real review corpus the vendor can point you to. If the number is in the markup but no public reviews exist, that's a question to raise.

How to check this yourself

In any browser, right-click the vendor's homepage, choose "View Page Source", and search for aggregateRating. The number in ratingCount (or reviewCount, the other Schema.org property used for this) should match a public review corpus you can find on Google, Trustpilot, G2, or Capterra. Source: Schema.org documentation.


6. Tech-stack disclosure

Have you inspected the vendor site's HTML for the deployment platform (e.g., Lovable.dev, Bubble, Webflow signatures) and asked the vendor what their engineering team and infrastructure look like?

Why this matters

A site being built on a no-code platform doesn't make the product bad — many real products start there. But for a six-figure CPA tool, you have the right to know who owns and maintains the code, where customer data lives, and what happens if the platform changes. This is a question, not a verdict.

How to check this yourself

View page source on the vendor's site and search for platform signatures (lovable, webflow, bubble, wix, squarespace). Visit builtwith.com and enter the vendor's URL; it lists the deployment stack publicly. Source: BuiltWith.

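As an added example (not code from aivendoraudit.org), the Python script below automates checks 5 and 6 over saved page source: it extracts every application/ld+json block, walks nested objects and @graph lists for AggregateRating claims, counts blocks that are present but not valid JSON, and reports which platform signature strings appear. The sample HTML is constructed, not taken from any real vendor.

```python
import json
import re

# Matches <script type="application/ld+json"> bodies; attribute order may vary
# and page source may be minified, hence the DOTALL, case-insensitive pattern.
LD_JSON_RE = re.compile(
    r'<script\b[^>]*type\s*=\s*["\']application/ld\+json["\'][^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL)
# Platform signature strings from check 6 of the framework.
PLATFORM_SIGNATURES = ("lovable", "webflow", "bubble", "wix", "squarespace")

def _walk(node):
    """Yield every dict in a JSON-LD tree, descending into @graph lists and nested objects."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)

def find_rating_claims(html):
    """Return each AggregateRating's ratingValue/ratingCount/reviewCount, plus the number
    of ld+json blocks that were present but not valid JSON (markup you could not read)."""
    claims, unparseable = [], 0
    for block in LD_JSON_RE.findall(html):
        try:
            data = json.loads(block)
        except json.JSONDecodeError:
            unparseable += 1
            continue
        for obj in _walk(data):
            t = obj.get("@type")  # @type may be a string or a list of types
            if t == "AggregateRating" or (isinstance(t, list) and "AggregateRating" in t):
                claims.append({k: obj.get(k) for k in ("ratingValue", "ratingCount", "reviewCount")})
    return {"claims": claims, "unparseable_blocks": unparseable}

def find_platform_signatures(html):
    """Return the platform names whose signature string appears anywhere in the HTML."""
    lowered = html.lower()
    return sorted(sig for sig in PLATFORM_SIGNATURES if sig in lowered)

# Constructed sample page source: a rating claim nested under @graph, a broken
# ld+json block, and a stylesheet URL carrying a platform name.
SAMPLE_HTML = """<html><head>
<script type="application/ld+json">{"@context":"https://schema.org","@graph":[{"@type":"SoftwareApplication",
"name":"ExampleTaxAI","aggregateRating":{"@type":"AggregateRating","ratingValue":"4.9","ratingCount":"1273"}}]}</script>
<SCRIPT type='application/ld+json'>{not valid json</SCRIPT>
<link rel="stylesheet" href="https://cdn.example-lovable.app/site.css"></head><body></body></html>"""
```

Save the vendor's page source to a file, read it into a string, and pass it to both functions; a ratingCount with no matching public review corpus is the question check 5 tells you to raise.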

Frequently asked questions

Does Section 179 deductibility mean an AI vendor is legitimate?

No — Section 179 deductibility is a tax-treatment determination of the customer's purchase, not a quality or legitimacy validation of the vendor; the same six-point diligence framework should be applied regardless of how the purchase is financed.

How do I verify a software founder's track record?

Cross-reference the founder's public bio against SEC EDGAR full-text search for any company they claim to have led or sold — the actual 10-K, 8-K, and proxy filings will confirm or refute the timing, role, and transaction structure of their claimed history.

How do I check if a vendor's patent claims are real?

Use the USPTO Patent Assignment Search, search by assignee name, and confirm name-disambiguation — many software vendors cite patents that are assigned to a different entity or a different person with the same name.

How do I read JSON-LD on a vendor's site to spot unverified review counts?

View the page source, search for aggregateRating inside any application/ld+json script tag, and compare the reviewCount against any public review corpus you can locate — if the structured data claims a four-figure review count but no public review platform shows them, the structured data is unverified.

Who maintains aivendoraudit.org?

aivendoraudit.org is maintained by MDN Solutions LLC, a Wyoming limited liability company that is itself an AI-vendor operator and holds its own products to the same six diligence standards published on the site.

Run the framework yourself

Enter a vendor and answer six yes/no questions. See your diligence score in under 20 minutes.
