The recent Mercor reporting has become a useful wake-up call for enterprise AI buyers. Mercor confirmed a security incident tied to a LiteLLM-related supply-chain attack, and reports said Meta paused work with the company while investigations continued. For security, procurement, and AI leaders, the lesson is simple: vendor review can no longer stop at the top layer.
1. Where does your data come from, and how is it governed?
Ask for specifics on sourcing, consent, licensing, provenance, retention, and deletion. If the answer is vague, that is a warning sign.
Shaip’s public guidance around AI data collection emphasizes provenance, documentation, privacy safeguards, and structured collection practices.
2. What third-party and open-source tools are embedded in your workflow?
This matters more now because Mercor publicly linked its incident to LiteLLM and described itself as one of thousands of companies affected by a supply-chain attack.
3. How do you control access to sensitive datasets and evaluation assets?
Access restriction, encryption, audit logging, and data segregation should be baseline requirements.
4. What does your quality assurance process actually look like?
Look for measurable practices such as multi-tier review, gold datasets, adjudication, and structured correction loops.
Shaip’s public positioning around human-in-the-loop quality and LLM training data services supports the idea that quality should be engineered into the workflow, not added as a final check.
5. How do you handle edge cases and ambiguous judgments?
In enterprise AI, not everything can be automated safely. Some tasks still require domain-sensitive human review.
Shaip’s public HITL guidance argues that humans should be placed at the highest-leverage points in the workflow, where judgment and accountability matter most.
6. What proof do you have for compliance and security maturity?
7. What happens if your ownership, partnerships, or strategic priorities change?
This is where neutrality and customer protection matter. Buyers should ask how their data is ring-fenced, whether the vendor’s incentives remain aligned with the customer, and how customer interests are protected over time.
Shaip’s public article on data neutrality argues that neutrality matters because customers need providers whose incentives are aligned with trust, not competing product agendas.
Final takeaway
AI data vendors should not be treated like interchangeable service providers. They sit too close to model quality, IP protection, operational continuity, and enterprise trust. The right partner is not simply the one that can deliver fastest. It is the one that can show how data is governed, how workflows are secured, how quality is measured, and how customer interests remain protected. Shaip’s public messaging across its site aligns strongly with that trust-first positioning.