How to evaluate an AI development company in the UK.

Three concrete checks. First, ask for named engineers on the proposal and confirm their LinkedIn profiles match the seniority claimed — eight-plus years of production AI or ML work, not eight years of general software with six months of LangChain experience. Second, ask for direct access to those engineers on the discovery call and again at kickoff — the same names, not a swap. Third, ask for public artefacts: GitHub commits, conference talks, or shipped products you can locate. Vendors who refuse all three are running a senior-figurehead-plus-junior-pool model, which remains the most common failure pattern in the UK consultancy market.

Six non-negotiables. (1) IP assignment — your code, your prompts, your evals, your data, assigned to you on payment under English law. (2) Source in your GitHub organisation from day one, not a vendor repository. (3) Acceptance criteria written into the SOW with a defined test plan. (4) A 30-day production warranty — bugs introduced by the vendor are fixed at no charge for 30 days post-launch. (5) A clean exit clause — runbooks, on-call docs, and credentials handed over on termination for any reason. (6) Data protection terms (UK GDPR-aligned DPA, processor obligations, sub-processor list, breach notification timeline) signed before any personal data is processed. Anyone resisting any of the six is protecting a lock-in.

It looks like the vendor losing zero leverage if you decide to leave. Concretely: code lives in your GitHub organisation from commit one. Deployment runs in your AWS London, Azure UK South, or GCP europe-west2 account under your IAM. Secrets live in your secret manager. Runbooks, on-call docs, and architectural decision records are checked into the repository, not parked in a vendor wiki. IP assigns to you on payment, not on contract end. If your vendor cannot describe a clean handover to a different team on a single page, the architecture itself is the lock-in. We see this most often with 'managed AI platforms' that wrap an open-source stack and charge enterprise pricing for the wrapper — the moment you try to leave, the wrapper goes with them.

Four asks on the first call. (1) Show me your DPA template — vendors who 'work with personal data all the time' but cannot produce a UK GDPR-aligned DPA template have not done the work. (2) Walk me through how you would scope a DPIA for an engagement processing personal data at scale, in plain English. (3) Tell me which UK or EU region your inference endpoints run in and how that is enforced — vendors who say 'OpenAI handles that' have not pinned the region. (4) Walk me through a prior incident response — what happened, what was the timeline, what evidence was produced for the ICO. Anyone who cannot do all four on the first call is selling compliance, not practising it.

Indian Standard Time is GMT+5:30, which gives roughly four to five hours of native daily overlap with UK business hours — 1:30pm IST is 8am GMT, 6:30pm IST is 1pm GMT. Daily standups, twice-weekly demos, and most ad-hoc problem-solving fit inside that window without late-night calls on either side. The honest framing from an offshore vendor is that overlap, not a claim of 'full UK business hours all day.' If a vendor cannot articulate the overlap precisely on the first call, they are either bending the truth or have not thought about it — neither is a good signal. Onshore vendors should be honest about senior availability during peak project months, when senior staff often get rotated onto larger accounts.

Assigned, with one narrow exception. Custom code, prompts, evals, fine-tuned weights trained on your data, and integration glue should all assign to you on payment — that is the default in UK AI MSAs and what your legal team will expect. The narrow exception is pre-existing vendor frameworks or internal libraries that pre-date the engagement; those are usually licensed to you under a perpetual, royalty-free, transferable, sub-licensable licence rather than assigned. That is fair, provided the licence is genuinely perpetual, transferable, and survives change of control. Watch for 'licensed for your internal use' language without 'perpetual and transferable' — that is a renewal trap.

A focused v1 — single AI agent, single RAG system, or single voice pipeline — with UK compliance scope (UK GDPR, FCA-awareness, ICO posture) lands at £20,000-£100,000 fixed-price for a six-week build with offshore senior-only delivery, £60,000-£200,000 with UK mid-market consultancies, and £150,000-£400,000+ with City boutiques. Anything quoted under £20k is either a pilot, a corner-cutter, or a junior-pool play — be honest about which. Anything quoted over £200k without fine-tuning, multi-system scope, or a multi-quarter timeline is paying for a sales narrative, not engineering. The most expensive vendor is rarely the best one; the cheapest one almost never is.

A 30-day production warranty as default — the vendor fixes their own bugs at no charge for 30 days after the system is live. After that, an optional retainer for tuning, eval refresh, drift monitoring, and on-call response in UK business hours, priced separately and renewable monthly. The retainer should be optional, not bundled into a 'managed service' that you cannot cancel without losing access to your own code. If the vendor's post-launch model requires you to keep paying them to keep your system running, you have bought a service, not a build — and you should know that before signing the MSA.