The £50k checkbox: How unmanaged AI is disqualifying you from enterprise tenders

A single line on a tender form now decides whether your business is in the running or quietly removed from it. Most SMEs don't yet know it.

The question that didn't exist eighteen months ago

Open a recent enterprise procurement pack, financial services, public sector, large professional services, and you will increasingly find a question that wasn't there two years ago. It might be phrased as "Disclose any use of AI in the creation of this tender." Or "Set out your organisation's AI governance framework, including policies, oversight responsibilities, and evidence of staff training." Or "Confirm whether AI systems will be used in the delivery of the service and provide details."

These questions aren't optional. They aren't decorative. And answering them poorly, or being unable to answer them at all is now a common reason businesses are screened out before their proposal is even read.

This is what we mean by the £50k checkbox. Not the cost of any single response. The cost of the contracts you didn't win because of one section you couldn't credibly complete.

What's actually changed in UK procurement

The shift is no longer informal. In March 2024, the Cabinet Office issued Procurement Policy Note 02/24, "Improving Transparency of AI Use in Procurement." It has since been replaced for procurements commencing on or after 24 February 2025 by PPN 017, issued under the Procurement Act 2023.

Read together, these notes tell contracting authorities, every in-scope public sector buyer in the UK, to do three things during procurement:

• Ask suppliers to disclose their use of AI in creating tender responses

• Put proportionate controls in place to prevent confidential authority information being used to train AI systems

• Undertake additional due diligence where AI is used by the supplier, which may include site visits, clarification questions, or supplier presentations

The PPN also provides standard text and an example disclosure question (Annex B / Example Disclosure Question 3) that authorities can drop straight into procurement documentation. This is not theoretical guidance. It is the operational baseline for UK public procurement going forward.

The private sector is moving in the same direction, faster than most realise. A May-June 2025 Gartner survey of 360 IT leaders found that over 70% rank regulatory compliance among the top three challenges of deploying generative AI. Only 23% feel very confident in their organisation's ability to manage AI governance. The natural response by enterprise buyers, particularly in financial services, legal, healthcare, and any regulated sector, has been to push that governance burden out to suppliers via contract.

The result is a procurement environment in which AI disclosure, AI policies, and AI accountability are now standard supplier questions, not specialist ones.

Why the financial services sector is moving first

In the UK, financial services firms are subject to a specific cluster of obligations that turn AI governance into a procurement requirement almost by default.

Under the FCA's framework, firms are accountable for AI used in their operations, whether the AI is built in-house, bought, or supplied through a third party. The relevant levers are familiar: Consumer Duty, the Senior Managers and Certification Regime (SM&CR), operational resilience, and UK GDPR.

In practice, this means that when a regulated firm contracts with a supplier, it cannot simply trust the supplier's word on AI use. It needs to evidence that trust. Recent practitioner guidance from major UK and international law firms: Kennedys Law, Bird & Bird, Bryan Cave Leighton Paisner, is consistent on the contract clauses now considered standard for AI-enabled supplier relationships. They include:

• Disclosure obligations on supplier AI use before, during, and after engagement

• Restrictions on using client data to train AI models without written approval

• Audit and inspection rights covering AI performance, testing, and compliance

• Warranties on data provenance, bias mitigation, and accuracy testing

• Indemnities for third-party IP claims arising from supplier AI training data

The point worth absorbing: these aren't aspirational clauses. They are now the negotiating baseline in regulated supplier contracts. If your business has no AI policy, no documented oversight, no training records, and no evidence base to support warranties, you can't credibly sign these contracts. And you increasingly can't get through procurement to be offered them in the first place.

The mechanics of disqualification

Tender disqualification rarely looks dramatic. It looks like silence.

Under the Procurement Act 2023, contracting authorities must follow strict, defined processes. Every bid is assessed against compliance criteria before its substantive content is read. A missing document, an unchecked box, or an unsatisfactory disclosure answer can result in the submission being set aside before evaluation. The same logic now applies to AI-related questions. If a supplier cannot evidence policy, oversight, or staff training in a way that satisfies the buyer's threshold, the bid does not progress.

Private sector procurement uses softer language but the same logic. The bid is "noted." Another supplier is shortlisted. The SME never finds out exactly which question lost them the opportunity.

The cumulative cost is what makes this material. For a UK SME, the typical cost of preparing a medium-complexity tender response sits between £2,000 and £5,000; larger framework or enterprise bids can run from £5,000 to £20,000 each in internal and external resource. A business that submits ten meaningful tenders in a year and is disqualified on two or three of them at the AI disclosure question has lost more than the bid cost. It has lost the contract value behind each opportunity, often several hundred thousand pounds in expected revenue per cycle.

This is the £50k figure. It isn't one line item. It is the realistic annual cost of being structurally disqualified from the contracts your business should be winning.

What "unmanaged AI" actually looks like to a buyer

The gap between businesses that can pass an AI disclosure question and those that cannot is rarely about technology. It is about evidence.

A buyer's AI disclosure question is really asking four things at once:

• Do you know which AI tools your staff are using on which data?

• Do you have a policy, signed off at leadership level, that governs that use?

• Have your staff been trained against that policy, and can you prove it?

• If something goes wrong, can you produce an audit trail showing who did what, when?

For most SMEs, the honest answer to all four questions today is no. Not because the business is careless. Because no one has yet built the layer that makes "yes" answerable.

The supplier who can answer those four questions with policy documents, an accountability map, training records, and an audit trail walks through the disclosure section in minutes. The supplier who can't either submits a vague answer that flags risk to the buyer, or doesn't submit at all.

The governance layer changes the conversation

There is a practical pattern in the businesses that are still winning enterprise tenders in 2025 and 2026. They have built, quietly ahead of the requirement, a governance layer that does three things:

Maps accountability. Someone is named, in writing, as responsible for AI oversight. Their authority is documented. Their decisions are logged. When a buyer asks "who owns this in your business," there is an answer that doesn't require improvisation.

Maintains an assured document library. Policies, registers, training records, application audits, and supporting evidence sit in one place: version-controlled, reviewed on a defined cadence, exportable for tender attachments without rebuilding them every time.

Operates in live mode. Governance documents reflect what the business actually does today, not what it documented eighteen months ago. When the market changes - a new regulation, a new client requirement, a new tool entering use - the documents update with it.

The businesses that have this layer treat AI disclosure as a routine question. The businesses that don't treat it as a recurring obstacle.

Where Turma fits

This is precisely the layer Turma is built to provide.

Turma Assured runs the live governance environment. It holds the company's AI policies, risk register, application audit, GDPR and cyber documentation in a single managed library, kept current as the market changes, with version control and audit trail built in. Workflow logic tracks what must happen by when and surfaces the evidence that supports each control.

Turma Passport covers the people layer, staff training on AI use, completion tracking, attestation, and the behavioural evidence buyers increasingly ask for.

Together, they generate an exportable governance certification that can be attached to tender responses, shared with insurers, or provided to partners, drawn from current live data rather than recreated for each request.

The phrase in the title, automated accountability mapping and assured document libraries, describes the everyday function of the platform. AI accountability mapped to named owners and roles. A document library that is genuinely assured because it is reviewed, version-controlled, and tied to live evidence. Both ready when the next tender pack arrives, not assembled in the seventy-two hours before deadline.

A practical first step

If you are not certain how your business would answer an AI disclosure question in your next major tender, the most useful first step is a structured view of where you currently stand. Not an audit. A snapshot, quick enough to be useful this week, honest enough to inform what to do next.

Turma's free Snapshot assessment is built for exactly this. It identifies where your governance is thin, where your evidence base is incomplete, and where the largest exposure sits relative to procurement requirements in your sector. It takes five to seven minutes.

The £50k checkbox is becoming a £150k one for businesses that miss the next wave of disclosure requirements. The work to answer it credibly takes weeks. The cost of not doing it is measured in tenders that quietly stopped converting.

You don't need to wait for the next bid to find out where you stand.

Sources

• Cabinet Office, Procurement Policy Note 017 (formerly PPN 02/24), Improving Transparency of AI Use in Procurement, applying to procurements commencing on or after 24 February 2025

• Cabinet Office, PPN 02/24, Improving Transparency of AI Use in Procurement, March 2024

• Procurement Act 2023

• Gartner, Survey of IT Leaders on Generative AI Deployment, May-June 2025 (n=360)

• Kennedys Law, Deploying AI in Financial Services in the UK: FCA and Data Protection Considerations, January 2026

• Kennedys Law, AI and Commercial Contracts: Five Clauses In-House Legal Teams Should Review Now (UK/EU), May 2025

• Bryan Cave Leighton Paisner, AI Regulation in Financial Services: Turning Principles into Practice, December 2025

• Bird & Bird, The AI Contract Conundrum: Beyond Standard Terms, October 2025

• IBM, Cost of a Data Breach Report 2025, in partnership with the Ponemon Institute

• UK Financial Conduct Authority - Consumer Duty, Senior Managers and Certification Regime, operational resilience framework

• UK GDPR (UK General Data Protection Regulation) and Data Protection Act 2018

This article is intended as general guidance for business leaders. Procurement, data protection, and contract obligations vary by sector and by contracting authority. Specific tender requirements and contractual positions should be reviewed with a qualified solicitor or compliance advisor based on the facts of each engagement.