AI Sparks

7 Questions to Ask Any AI Data Vendor After a Funding Security Incident

Mercor’s latest report has become a useful wake-up call for business AI buyers. Mercor has confirmed a security incident related to the LiteLLM attack, and reports say that Meta has temporarily suspended work with the company while the investigation continues. For security, procurement, and AI leaders, the lesson is simple: vendor reviews will no longer stand tall.

1. Where does your data come from, and how is it managed?

Ask for clear information about availability, consent, licensing, disclosure, retention, and removal. If the answer is not clear, that is a warning sign.

Shaip’s public guidance on AI data collection emphasizes the basis, documentation, privacy protections, and systematic collection processes.

2. What third-party and open source tools are embedded in your workflow?

A vendor may appear secure while relying on fragile middleware underneath. You need to know what sits between your data and the final workflow output.

This is especially important now that Mercor has publicly linked its incident with LiteLLM and identified itself as one of thousands of companies affected by the supply chain attack.

3. How do you control access to sensitive datasets and test assets?

Access restriction, encryption, audit logging, and data classification should be basic requirements.

4. What does your quality assurance process look like?

Look for measurable processes such as multi-stage reviews, gold data sets, judgments, and systematic repair loops.

Shaip’s public stance on human-in-the-loop quality and data services for LLM training supports the idea that quality should be developed in the workflow, not added as a final check.

5. How do you handle tough cases and unclear judgments?

In enterprise AI, not everything can be safely automated. Some functions still require background-sensitive human review.

Shaip’s public guidance for HITL states that people should be placed at the highest points in the workflow, where judgment and accountability are paramount.

6. What evidence do you have of compliance and security maturity?

Ask for evidence, not claims. Buyers should expect clarification of certifications, audits, and performance controls. Shaip publicly references ISO 27001:2022, HIPAA, and SOC 2 on its compliance page.

7. What happens if your ownership, partnership, or key priorities change?

This is where neutrality and customer protection are important. Consumers should ask how their data is protected, whether the seller’s incentives are always aligned with the customer, and how the customer’s interests are protected over time.

Shaip’s public article on data neutrality argues that neutrality is important because customers need providers whose motivations align with trust, not competing brand agendas.

The final takeaway

AI data vendors should not be treated as interchangeable service providers. They stay very close to model quality, IP protection, operational continuity, and business reliability. A good partner is not just one who can deliver quickly. It is the one that can show how data is managed, how workflows are protected, how quality is measured, and how customers’ interests are always protected. Shaip’s public messaging throughout its site strongly aligns with that prioritization of trust.
