The format already exists in the supply chain
Our customers sell ingredients into the biggest brands in cosmetics, personal care, and wellness. When L'Oréal, Unilever, or Henkel onboard a new ingredient supplier, the supplier signs a Responsible Procurement Charter. The document is short, specific, and uncomfortable in places. It commits the supplier to rules about labour, sourcing geography, sustainability, sub-supplier disclosure, and annual review. The supplier signs it, the brand signs it, and the document is treated as binding.
Procurement teams read these documents for a living. They know the format. They know what a good one looks like. They know which sections vendors typically water down and which they lean on.
When the same procurement team is asked to assess a software vendor's AI policy, the document they receive looks nothing like what they are used to reading. It is twelve pages of principles. It mentions an AI ethics committee. It uses the word 'ongoing' six times. There is no signature line. There is no consequence section. There is no name on it.
We borrowed the supplier charter format. This post is the argument for why that format is the right one for AI, and what changes when you actually use it.
What a Responsible Procurement Charter actually contains
Anyone who has signed an ingredient supplier agreement with a tier-one consumer brand already knows the shape. For everyone else, the short version:
- A statement of rules the supplier commits to. Not preferences. Rules.
- A list of exclusions: practices, materials, geographies, or end-uses the supplier will not engage in
- Sub-supplier disclosure: every party in the chain that touches the goods, named in writing, updated when it changes
- Audit rights: how the brand can verify the supplier is doing what it says, and how independent parties (often third-party auditors) confirm specific claims
- Geographic restrictions on sourcing, where relevant: which countries the goods may come from and under what conditions
- A named signatory, usually the supplier's CEO or country head. A real person. Not a department
- An annual review and re-signing, with material changes notified in advance
Every line in that list has a direct counterpart in the AI vendor question. The reason most vendor AI policies do not look like this is that the vendor wrote the document for an internal ethics review or an investor question rather than for the procurement reader who actually evaluates it.
The translation, section by section
Here is the line-by-line mapping, in the same order. None of these translations are forced. The procurement question and the AI question are the same question pointed at different supply chains.
Labour practices map to training-data policy. Geographic restrictions on sourcing map to region of inference. Audit rights map to independent third-party scores. Sub-supplier disclosure maps to a public sub-processor list. Annual social audit maps to annual charter re-signing and quarterly model card review.
Start with labour practices. A sourcing charter commits the supplier to specific conditions about how the goods are produced: no forced labour, no child labour, working hours, wage floors. Translate that to AI and you get the training-data policy: a hard, written commitment about how the data your customers send the vendor will and will not be used. The standard rule is that customer data is never used to train any provider's models. Procurement wants this stated as a rule with a name behind it, not as a value.
Next, geography. Supplier charters often restrict sourcing to countries that meet specific regulatory or ethical standards. The AI version of geography is the region of inference: a commitment about which jurisdictions the customer's data is processed in. At Corial we publish that as a tier choice between US-routed under Standard Contractual Clauses and an EU residency tier that routes every AI call through Vertex AI EU. The argument for that choice is in our earlier post on EU residency.
Then audit rights. In a sourcing charter, the brand reserves the right to verify the supplier's claims: third-party auditors, certifications, periodic inspections. The AI equivalent is independent third-party transparency assessments. Stanford runs the Foundation Model Transparency Index. MLCommons runs the AILuminate safety benchmark. A vendor that cites these by score, including the unfavourable ones, is doing the audit-rights equivalent. A vendor that publishes its own ethics rating is doing the marketing-rating equivalent. Procurement knows the difference.
Then sub-supplier disclosure. A supplier charter requires a list of every party in the chain. For AI vendors that becomes the sub-processor list: every third party that processes customer data, named, with category, with country, and with a notice period before any change. Thirty days is the common standard. Anything that hides the chain breaks the format.
Finally, the annual social audit. In sourcing, it's the once-a-year confirmation that the commitments are still being met. The AI version has two layers: an annual re-signing of the charter itself, plus a more frequent review of the model card where the providers and regions are listed. Quarterly is a reasonable cadence for the model card because the underlying model landscape moves faster than the policy framework around it.
Rules, not preferences
The single most important difference between a procurement charter and a typical AI ethics page is the verb. The procurement charter says 'will not'. The ethics page says 'aims to', 'seeks to', 'considers', 'is committed to ongoing dialogue with'. The verbs in the ethics page are doing the work of softening the commitment so the document does not have to be enforced.
Procurement reads verbs. It treats 'will not' as a hard commitment with consequences if breached. It treats 'aims to' as a preference. A document full of preferences does not survive a procurement review because the procurement team cannot use it as a basis for anything.
When we wrote section 2 of the Corial Responsible AI Charter, we titled it 'What we will not do' and made every line a hard rule. No customer data goes into provider training. No deployment for military, surveillance, or political-influence use cases. No production traffic to a provider that refuses to disclose training data sources or safety practices. No messages sent on a customer's behalf without the customer reading and approving the draft first. No quiet routing changes: if a provider changes, the public sub-processor list updates with at least thirty days of notice.
Compare 'We are committed to responsible AI use and believe customer data should be treated with care' to 'No AI provider trains on customer data. Ever.' The first one means nothing. The second one is a sentence procurement can enforce.
Founder-signed beats committee-issued
Procurement charters in the supply chain world are signed by a named human, almost always at the CEO or country-head level. They are not signed by an ethics committee. The reason is structural: a committee can change membership and dilute responsibility. A name on a page is more accountable than a department on a page.
Early-stage vendors have an advantage here that they should use. The Corial Responsible AI Charter is signed by me, personally, as Founder and AI Lead. I review it once a year. If a commitment in it turns out to be unfounded, the person to come to is me. The Charter says so.
Later-stage companies often inherit a committee structure and find it harder to reduce the accountability down to a single name. The trade-off is the trade-off. A founder-signed document is more credible to procurement but less robust to the founder leaving. A committee-issued document is the reverse. At our stage, the founder-signed version is the honest one and the more useful one.
What to copy if you are writing one
If you are writing your own AI charter and want it to survive a procurement review, the sections to lift directly from the supplier-charter format are:
- A short framing paragraph that names who the document is for and why it exists. Procurement, not an internal ethics review
- A section on how providers are picked, with concrete weighted criteria, not value statements
- A 'will not' section. Hard rules. No softening verbs. Five to seven lines is the right length
- A 'where we lean' section for soft preferences, clearly separated from the hard rules. Procurement reads the separation as honesty
- A disclosure section listing every public artefact (sub-processor list, model card, trust page, DPA) the customer can verify against
- A short 'why a charter rather than a certification' section if you are not formally audited. Naming the gap is more credible than hiding it
- A 'what this does not claim' section. The strongest AI policies are the ones that mark out their own limits
- A signature block: name, role, date, place. Annual review date in writing
The Corial Charter is at corial.app/responsible-ai-charter and follows this structure. You are welcome to use it as a template. The format is not proprietary; the procurement teams who will eventually read your version certainly do not think it is.
Write for procurement, not for ethics research
Underneath all of this sits a deeper claim. Most AI ethics writing assumes an academic or policy-research reader. The document is written to engage with the literature, position the company within a debate, and demonstrate seriousness through length and citation.
The actual audience for a B2B AI vendor's policy, in the moment that matters, is a procurement officer evaluating whether to add the vendor to an approved list. That officer reads supplier codes for a living. The format the officer trusts is the supplier charter format. The verbs the officer trusts are the hard ones. The document the officer trusts has a name on the bottom of it.
AI vendors have spent a few years writing policies for the wrong reader. The reader who matters is already reading documents that look a specific way. Write for that reader. The ethics-research audience can read it too. The procurement audience would not have read the alternative.
If you want to see the worked example, the Corial Responsible AI Charter is at corial.app/responsible-ai-charter and the wider Trust page that sits beneath it is at corial.app/trust. Both are written for the procurement reader first.