How to evaluate an AI development company in the USA.

Three concrete checks. First, ask for named engineers on the proposal and confirm their LinkedIn profiles match the seniority claimed — eight-plus years of production AI or ML work, not eight years of general software with six months of LangChain. Second, ask for direct access to those engineers on the discovery call and again on the kickoff — the same names, not a swap. Third, ask for public artifacts: GitHub commits, conference talks, or shipped products you can find. Vendors who refuse all three are running a senior-figurehead-plus-junior-pool model, which is the single most common failure pattern in the US market.

Six non-negotiables. (1) IP assignment — your code, your prompts, your evals, your data, assigned to you on payment. (2) Source in your GitHub from day one, not a vendor repo. (3) Acceptance criteria written into the SOW with a defined test plan. (4) A 30-day production warranty — bugs introduced by the vendor are fixed at no charge for 30 days post-launch. (5) A clean exit clause — runbooks, on-call docs, and credentials handed over on termination for any reason. (6) Data handling terms aligned with your compliance scope (BAA for HIPAA, DPA for CCPA, SOC 2-aligned controls written in). Anyone resisting any of these six is protecting a lock-in.

It looks like the vendor losing zero leverage if you choose to leave. Concretely: code lives in your GitHub org from commit one. Deployment runs in your AWS, Azure, or GCP account under your IAM. Secrets live in your secret manager. Runbooks, on-call docs, and architectural decision records are checked into the repo, not in a vendor wiki. IP assigns to you on payment, not on contract end. If your vendor cannot describe a clean handover to a different team in a single page, the architecture is the lock-in. We see this most often with 'managed AI platforms' that wrap an open-source stack and then charge enterprise pricing for the wrapper — the moment you try to leave, the wrapper goes with them.

Assigned, with one narrow exception. Custom code, prompts, evals, fine-tuned weights trained on your data, and integration glue should all assign to you on payment — that is the default in US AI MSAs. The narrow exception is pre-existing vendor frameworks or internal libraries that pre-date the engagement; those are usually licensed to you under a perpetual, royalty-free, transferable license rather than assigned. That is fair, provided the license is genuinely perpetual and transferable. Watch for 'licensed for your use' language without 'perpetual and transferable' — that is a renewal trap.

A 30-day production warranty as default — the vendor fixes their own bugs at no charge for 30 days after the system is live. After that, an optional retainer for tuning, eval refresh, drift monitoring, and on-call response, priced separately and renewable monthly. The retainer should be optional, not bundled into a 'managed service' that you cannot cancel without losing access to your own code. If the vendor's post-launch model requires you to keep paying them to keep your system running, you bought a service, not a build — and you should know that before signing.

Four asks. (1) Show me your BAA template (HIPAA) and your DPA template (CCPA) — vendors who 'work with HIPAA data all the time' but cannot produce a template have not actually done the work. (2) Show me a redacted audit log from a comparable prior engagement — what fields are captured per model and tool call. (3) Tell me which region your inference endpoints run in and how that is enforced — vendors who say 'OpenAI handles that' have not pinned the region. (4) Walk me through a prior incident response — what happened, what was the timeline, what evidence was produced. Anyone who cannot do all four on the first call is selling compliance, not practicing it.

A focused v1 — single AI agent, single RAG system, or single voice pipeline — with US compliance scope (HIPAA, SOC 2, or CCPA) lands at $25,000-$120,000 fixed-price for a six-week build with offshore senior-only delivery, $80,000-$250,000 with mid-market US consultancies, and $200,000-$500,000+ with Bay Area boutiques. Anything quoted under $25k is either a pilot, a corner-cutter, or a junior-pool play — be honest about which. Anything quoted over $250k without fine-tuning, multi-system scope, or a multi-quarter timeline is paying for a sales narrative, not engineering. The most expensive vendor is rarely the best one; the cheapest one almost never is.

Three structural protections written into the contract before kickoff. First, a milestone-based payment schedule — typically 25 percent on kickoff, 25 percent on demo one, 25 percent on demo two, 25 percent on acceptance — so you can stop paying if the work stops shipping. Second, twice-weekly demos against the SOW acceptance criteria, with written go/no-go after each demo. Third, source access from day one in your GitHub, so if you do walk away you walk away with the work in progress. Vendors who resist any of the three are protecting their downside, which means they expect to need that protection — which is itself the signal.