Executive Brief

Pillar 6 — Vendor, Procurement & Technology

The AI vendor landscape is not stable ground. Pillar 6 provides the evaluation criteria, procurement controls, and vendor monitoring disciplines that reduce supply-chain risk — including the AI Bill of Materials, the canonical inventory of every AI system in the legal function.

22 May 2026

By Advanta Research

The eight canonical Pillars of the Legal AI Operating System.
Photograph: Advanta Research

Pillar 6 governs the vendor side of legal AI. It is the pillar that turns vendor relationships into institutional assets rather than dependency liabilities. Three operating disciplines work in concert: the Vendor Index (which evaluates external vendors against a defensibility-tier frame), the AI BoM (which inventories the function's active vendor and component footprint), and the procurement contract framework (which embeds the deployer-side obligations the EU AI Act and ISO/IEC 42001 impose into commercial terms).

Functions that build Pillar 6 well treat vendor selection as a defensibility decision, not a feature comparison. They maintain a current AI BoM the way a manufacturer maintains a bill of materials for a regulated product. They negotiate procurement terms that reflect the burden ISO 42001 places on the deployer rather than the provider. Functions that build Pillar 6 poorly accumulate vendor lock-in, substitution friction, and a footprint they cannot inventory under regulator request.

The four capability domains

6.1 Vendor Index discipline

The Advanta Vendor Index applies a defensibility-tier frame to legal AI vendors. The Defensible tier captures vendors whose tooling can be deployed inside an institutional legal function without compromising the deployer's own defensibility posture. Other tiers are useful for specific use cases at specific maturity bands; only the Defensible tier survives the institutional procurement bar. Pillar 6 vendor selection should consult an independent index rather than rely on vendor self-classification.

6.2 AI BoM — Bill of Materials

The AI BoM inventories every active AI component touching production work: language models (foundation models, fine-tuned variants), retrieval systems, vector stores, prompt management systems, output filtering layers, audit logging components, and the orchestration framework that connects them. Each entry carries vendor identity, version, contractual basis, data residency posture, retention policy, and the use cases that depend on it. The BoM is refreshed at every component change; functions that maintain the BoM can answer "what is in this AI output" against any specific deliverable.

6.3 Procurement contract framework

Procurement terms for legal AI vendors must embed the obligations the EU AI Act high-risk regime and ISO/IEC 42001 impose on the deployer. The burden of demonstrating compliance sits with the deployer, not the provider. Standard SaaS terms do not address the deployer-side burden. Pillar 6 procurement requires bespoke terms: training data provenance attestation, model version notification with rollback rights, vendor cooperation in regulator request response, audit log access, data residency commitments, and notification obligations for incidents on the vendor side that touch deployer use.

6.4 Substitution and lock-in posture

Vendor lock-in is the structural exposure that the function carries when substitution between vendors becomes impractical. Pillar 6 maintains a substitution posture per active vendor: how long substitution would take, what data and prompt migration it requires, and what client-facing risks it would surface. The posture is refreshed annually. Functions without a substitution posture discover the cost only at the moment substitution becomes necessary, typically at a moment of compounding pressure.

Common failure modes

Pillar 6 fails in four characteristic patterns.

  • Feature-driven selection: the function selects vendors on demo quality and feature lists rather than against the deployer-side compliance burden.

  • Inventory drift: AI systems are deployed without BoM updates; the Evidence Register cannot answer "what is in production."

  • Shadow AI: practitioners use unsanctioned tools that the function does not know about; the AI Inventory understates exposure.

  • Lock-in without posture: the function builds critical workflows on a single vendor with no documented substitution path and no leverage in renewal negotiation.

What Bands 4 and 5 look like at Pillar 6

At Band 4, Pillar 6 produces a current AI BoM, vendor selection against the Defensible tier of an independent index, procurement terms that address the deployer-side burden, and a documented substitution posture per active vendor. At Band 5, the AI BoM carries quarterly attestation from the system owner, vendor reviews are scheduled at fixed cadence, the function can answer "what AI components touched this output" within minutes for any production work, and Shadow AI controls produce active detection rather than passive policy.

Interlock with adjacent pillars

Pillar 6 supplies Pillar 4 with the AI BoM that the Evidence Register relies on. It receives selection criteria from Pillar 1 (institutional posture frames the acceptable vendor tier) and Pillar 5 (the use-case portfolio scopes which vendors are needed). It contributes to Pillar 7 benchmarking (vendor estate maturity is a measured dimension). Pillar 8 lifecycle discipline retires vendors on the same cadence it retires use cases. Pillar 2 retrieval architecture is itself a Pillar 6 procurement decision when delivered as a managed service. Pillar 6 is the pillar that determines whether the function controls its tooling estate or is controlled by it.

About Advanta Research

Advanta Research produces evidence-based analysis on legal AI transformation, governance, and operations.

Executive Summary

Pillar 6 governs the vendor side of legal AI: the Vendor Index, the AI BoM (Bill of Materials) discipline, the procurement contract framework, and the substitution and lock-in posture that determines whether the function controls its tooling estate or is controlled by it. Pillar 6 is the pillar that turns vendor relationships into institutional assets rather than dependency liabilities.

Key Takeaways

  • Traditional legal tech procurement is not sufficient for AI systems, which introduce probabilistic behavior, opaque models, and new supply-chain risks.

  • A structured vendor evaluation framework is required, covering model transparency, data handling, compliance posture, audit rights, indemnities, and market stability.

  • AI procurement due diligence must add AI-specific security, data processing, contractual protections, and approvals on top of legacy software reviews.

  • An AI Bill of Materials (AI BoM) creates a canonical inventory of all AI systems in the legal function and is central evidence for supply-chain risk management.

  • Ongoing vendor monitoring, including quarterly AI BoM reviews and model version tracking, is essential to maintain defensibility over time.

Versioning

Methodology: v2026.1
Last reviewed: 27 May 2026
