Computer Vision Vendor Due Diligence - 12 Questions IT Should Ask Before a Pilot

After a strong demo, IT often inherits the risk: unclear success criteria, unverified privacy claims, ambiguous data ownership, and pressure to approve a pilot quickly. That is a risky place to start.

This guide helps IT, security, EHS, and operations teams qualify computer vision safety vendors before the pilot begins. It uses privacy-preserving, event-based safety detection as the baseline, with a focus on claim verification, evidence requests, pilot scoping, reference checks, and a practical go/no-go scorecard.

It is especially useful for warehouses, distribution centers, logistics sites, and manufacturing facilities where people, vehicles, and changing workflows create both safety and operational risk.

The most important points covered in this article:

• Which vendor claims need documented proof before a pilot agreement is signed
• 12 due diligence questions IT should ask any safety AI provider
• How to scope a pilot without blind spots that inflate performance results
• What to ask customer references and support teams before rollout
• A six-category go/no-go scorecard for vendor approval

‍

What should IT validate before a computer vision pilot?

Start with the data flow. Confirm where video is processed, if live CCTV streams or raw footage ever leave the site, and how event clips, metadata, access controls, retention, and deletion are handled. Then check security evidence, integration fit, real-world detection performance, post-detection workflows, support maturity, and written pilot success thresholds.

‍

Vendor Claims That Need Proof

Computer vision sales demos often run in controlled environments. Real industrial sites introduce variables that demos rarely capture, including lighting shifts, occlusion, camera placement, traffic density, and changing work patterns.

Leave three claim categories unverified until the vendor provides evidence: privacy architecture, real-world detection performance, and compliance support. 

At a minimum, request: 

1. A data-flow diagram
2. Security certification evidence
3. A recent penetration-test summary or executive summary
4. DPIA support materials
5. Integration documentation
6. Model-performance evidence
7. Support or SLA documentation

A provider that cannot provide clear documentation should undergo a deeper enterprise InfoSec review before pilot approval.

‍

Privacy Architecture Claims

Start with one question: where does the video processing happen?

For a privacy-preserving safety AI deployment, detection, anonymization, blurring, and encryption should happen locally on an edge device. Raw CCTV streams should not be continuously sent to the cloud for processing.

Instead, the platform should send only event metadata or short anonymized event clips to a secure cloud dashboard when a configured safety risk is detected.

That architecture matters because it helps IT reduce unnecessary data exposure while giving EHS and operations teams evidence they can act on. It also helps position computer vision as a safety and operational intelligence tool, not an individual worker surveillance system.

At Protex AI, our enterprise privacy and security approach follows that model: event detection, blurring, encryption, and access controls are applied on-site before anonymized event clips or metadata reach the cloud.

‍

Accuracy in Real Conditions

Published accuracy figures often reflect controlled test conditions. Ask vendors for false positive rates (alerts for events that did not happen) and false negative rates (missed events that did happen) from industrial deployments that resemble your environment.

Look for evidence from sites with similar lighting, occlusion, camera coverage, traffic patterns, PPE use, and shift schedules. False positives create alert fatigue and reduce trust in the system.

False negatives leave risk undetected. Aggregate accuracy rates are not enough for pilot approval. IT and EHS need site-specific validation criteria before the system goes live.

‍

Compliance Evidence

For enterprise review, ask for SOC 2 Type II or ISO 27001 evidence, recent penetration-test findings or an executive summary, MFA and RBAC documentation, data-flow diagrams, retention and deletion controls, and DPIA support where GDPR or internal privacy policy requires it.

‍

Security Standards

For application security, ask how the vendor maps secure-development practices to the OWASP Top 10:2021 and maintains controls as new OWASP guidance emerges.

‍

Privacy Review

For video data protection, use the European Data Protection Board's guidelines on processing personal data through video devices as a reference point for privacy review in GDPR-regulated environments. The European Data Protection Supervisor's DPIA guidance can also help teams assess when high-risk processing requires a formal Data Protection Impact Assessment.

‍

Data Governance

The vendor should also explain how it handles data retention, deletion, ownership, and model-training restrictions. Protex's computer vision privacy guidance shows how those questions apply to AI safety deployments that use video data.

‍

12 Due Diligence Questions to Ask Any Safety AI Vendor

Structured questions before a pilot prevent arguments later about what was promised, what was measured, and what counts as success. Ask these questions in writing and request documented responses. Ask the vendor to attach evidence to each answer, not just a yes or no response. Verbal commitments during a polished demo will not help if the pilot underperforms.

1. Does video processing and anonymization happen on the edge device, or does raw footage leave the site?
2. Can the provider supply SOC 2 Type II or ISO 27001 evidence, a recent penetration-test summary, and documentation for MFA, RBAC, audit logs, and secure-development practices before the pilot agreement is signed?
3. Has the provider completed or supported a Data Protection Impact Assessment for GDPR-regulated deployments?
4. What false positive and false negative rates has the system recorded in industrial settings with comparable lighting, occlusion, camera coverage, and shift patterns?
5. How does the platform integrate with our existing CCTV estate or VMS without a large rip-and-replace project?
6. Which EHS, WMS, MES, BI, or ticketing platforms do you support, and can you provide API documentation, event schemas, and export examples?
7. What does the post-detection workflow look like, who receives the alert, how is the issue assigned, and how is closure tracked?
8. How are permission-based access controls and audit trails structured, and who can view event clips?
9. Where is event data stored, what data residency options are available, and how are retention and deletion rules configured?
10. What recalibration process applies when site layouts, worker behaviors, camera views, or seasonal lighting conditions change?
11. Who owns the footage, event clips, metadata, and model outputs, and can we restrict model training rights by contract?
12. What defines a successful pilot, and what specific thresholds trigger a production rollout recommendation?

Question five should test whether the vendor can support CCTV integrations without forcing a rip-and-replace project.

Use the 12 questions above as your computer vision due diligence checklist before signing a pilot agreement.

‍

Scoping the Pilot Without Blind Spots

When the vendor owns pilot scoping alone, the pilot can become too controlled to reflect actual operating conditions. IT, EHS, and operations should agree on four decisions before day one: the target outcome, the success thresholds, the camera estate, and the adoption workflow.

Camera selection, network load, and bandwidth planning still matter during IT implementation of a safety CV system. Here, the focus is pilot validity.

‍

Operational Outcome Anchoring

Ask the provider to name the exact metric the pilot is meant to move. It might be near-miss frequency, PPE compliance rate, forklift-pedestrian interaction count, area control violations, corrective action close-out time, or another measurable safety and operations metric.

Pick one primary outcome and make it the anchor. A vendor that cannot connect detection capability to a measurable industrial outcome is proposing a technology demonstration, not a business validation. A clear pilot metric gives IT, EHS, and operations a defensible way to evaluate safety and operations ROI.

‍

Pre-Agreed Thresholds

Pre-agreed thresholds prevent scope drift and post-pilot renegotiation. Before launch, document the minimum acceptable detection performance, the maximum tolerable alert volume per shift, the baseline measurement method, and the data-collection period required before go/no-go scoring begins.

Define what happens when results are mixed. For example, a pilot might pass on privacy and integration but need a conditional extension if the team needs more time to validate night-shift performance.

‍

Live Camera Estate Review

Confirm that the pilot design accounts for your actual AI camera coverage. The vendor should review mounting positions, fields of view, lighting conditions, blind spots, occlusion patterns, and the target site's real traffic flow.

A pilot designed without a live site review reflects assumptions. It does not prove the system can handle your operating environment.

‍

Adoption and Workflow Readiness

A computer vision safety pilot does not succeed because a model detects an event. It succeeds when teams act on the event.

Before launch, decide who receives alerts, who reviews event clips, who coaches frontline teams, how corrective actions are assigned, and how closure is tracked. IT should also confirm access roles, audit logs, escalation paths, and support handoffs between EHS, operations, and the vendor.

‍

Reference Checks and Support Questions Worth Asking

A reference list is a qualification instrument, not a formality. Generic satisfaction comments do not prove enterprise readiness. Ask references for specifics that reveal deployment maturity, operational fit, and support quality. Commercial and legal reviewers can use a safety AI procurement checklist to test vendor claims on privacy, ownership, integration, support, and rollout risk.

‍

What to Ask References

Ask each reference the following:

• Which operational or safety metric improved, and how was the result measured?
• What did false positive volume look like in the first 30 days?
• Did support respond within the agreed SLA during rollout?
• Has the customer expanded from one site to multiple locations?
• What changed in supervisor behavior, coaching, or corrective action follow-through after deployment?

If a provider cannot share documented multi-site evidence, even anonymized, treat scalability as unproven until they can explain rollout scope, support model, governance, and customer results.

‍

What to Ask the Support Team

Pilot support is a preview of the production support model. Before signing anything, confirm the following:

• Are documented response times available by severity tier?
• Is a named implementation contact included during the pilot period?
• What changes to support access and resourcing when the pilot moves to a production contract?
• How are recalibration requests handled when site layouts, camera views, or workflows change?
• What reporting cadence will the vendor support during pilot review meetings?

For IT teams managing multi-site deployments, these answers matter more than a polished demo.

‍

Common Questions Before a Safety AI Pilot

Use these answers to pressure-test vendor evidence before the pilot moves into procurement, legal review, or site rollout.

‍

What should IT validate before a computer vision pilot?

IT should validate data flow, security evidence, integration fit, real-world detection performance, workflow ownership, data governance, support maturity, and written success thresholds. The 12-question checklist above turns those areas into documentable vendor questions.

‍

Who should own a computer vision safety pilot?

IT should own vendor risk, security review, integration fit, and data governance. EHS should own safety objectives, event review, coaching, and corrective actions. Operations should confirm that the pilot reflects real site conditions, shift patterns, traffic flows, and productivity constraints.

‍

Does raw CCTV footage leave the site?

In a privacy-preserving deployment, live CCTV streams should be processed locally on an edge device. Only anonymized event clips or metadata tied to detected safety events should be sent to the cloud for review and reporting. Ask for a written data-flow diagram before signing the pilot agreement.

‍

How long should a computer vision safety pilot run?

The pilot should run long enough to capture normal site variation across shifts, lighting conditions, traffic patterns, and operating schedules. Agree on the data-collection period before day one, and do not approve production rollout based on ideal conditions alone.

‍

How do you assess vendor risk for a safety AI system?

Request an evidence pack covering security certifications, penetration-test evidence, data protection documentation, data-flow diagrams, and support commitments. Then run reference calls, define pilot thresholds in writing, and score the vendor against the go/no-go scorecard before approval.

‍

Start Your Computer Vision Pilot With Evidence

A computer vision safety pilot should not start with trust in a demo. It should start with clear evidence, written success criteria, and a deployment model that IT, EHS, and operations can defend.

When those pieces are in place, the pilot becomes a business validation instead of a technology experiment.

Watch the Protex AI demo to see how our edge processing, privacy controls, and event-based safety intelligence work before you scope a computer vision pilot.

‍