This is the RFP template I send when buyers ask "give me the question list". Sixty questions across six sections, with a 1-to-5 scoring rubric and walk-away criteria. The template assumes enterprise procurement; small-team buyers should consider the lighter structured evaluation instead. Free to copy. Companion to the PoC checklist, vendor evaluation, and procurement checklist.

RFP structure

The six-section structure tracks the six evaluation criteria. Each section starts with two open-ended questions ("describe your approach to X") and then has 8 to 10 specific evidence-based questions.

Vendors should respond inline; do not let them attach a separate document. Inline responses are scoreable; document attachments are work avoidance.

Section 1: Capability and use cases (10 questions)

  1. Describe how your platform handles agent reasoning. Workflow with LLM steps, true agent reasoning (plan-and-execute, ReAct), or a hybrid? Cite the reference architecture or paper.
  2. Provide a 5-minute video of an agent on your platform running a use case similar to: [insert your top use case]. Real run, not a recording of a demo.
  3. What is the maximum context window the platform supports today, and what is the latency profile at the top of that window?
  4. How does the platform handle multi-step agent runs that pause for human approval? Provide the API for resume.
  5. How do you measure and report agent run quality? What are the headline metrics for your customers similar to us?
  6. Describe how a customer adds a custom tool to an agent. Provide a sample tool definition and the call surface the agent uses.
  7. How does the platform handle agent runs that exceed token, time, or cost budgets? What controls does the customer set?
  8. What models does the platform support today? Pinned snapshots, latest aliases, or both? How do customers control which model their agents use?
  9. Provide three reference customers running use cases similar to ours, with contact information. We will conduct independent reference calls.
  10. What does your roadmap look like for the next 6 months in capabilities relevant to our use cases?

Section 2: Security and compliance (12 questions)

  1. Provide the most recent SOC 2 Type II report (or ISO 27001, depending on jurisdiction). Date of issue and date of next audit.
  2. List the data centers and regions where customer data is processed. Confirm where our data would specifically reside.
  3. Describe tenant isolation at the data, retrieval, and prompt layers. Provide an architecture diagram.
  4. How are customer credentials and secrets stored? Provide the KMS or vault solution and the rotation policy.
  5. Does the platform train its own models on customer data? If yes, how does opt-out work? If no, is this contractually enforced?
  6. Provide the audit log API specification, including: events captured, retention, access controls, and a sample response for a single agent run.
  7. How does the platform handle GDPR data subject access requests, deletion requests, and data export requests? Provide the API and response SLA.
  8. Describe the incident response process. RTO and RPO commitments? Mean time to notify customers of a security incident?
  9. What is the platform's policy and tooling for prompt injection defense? Cite OWASP LLM Top 10 controls you address (OWASP, 2025).
  10. How does the platform handle PII detection and redaction in agent inputs and outputs?
  11. What encryption is used at rest and in transit? Specify cipher suites and key management.
  12. Provide your most recent penetration test summary. Date, scope, summary of findings, remediation status.

Section 3: Integrations and data (10 questions)

  1. List native integrations to: [your top 10 systems]. For each, specify auth model (OAuth, API key, service account) and whether reads, writes, or both are supported.
  2. How does a customer build a custom integration? Provide the SDK or framework.
  3. What is the latency and throughput profile of your integration layer? Per-integration if it varies.
  4. How are integration credentials scoped per tenant? Confirm one tenant cannot use another's credentials.
  5. How does the platform handle vendor-side rate limits on integrations? Backoff, queueing, error reporting to the agent.
  6. Does the platform support webhook ingress for event-driven agent triggers? Auth model, replay handling, delivery guarantees.
  7. How is data passed from integrations to the agent context? Inline, retrieval, or both?
  8. What knowledge-source connectors are native? (e.g., Confluence, Notion, Google Drive, SharePoint, S3.) Document refresh cadence.
  9. Describe the platform's retrieval architecture. Embedding model, vector store, retrieval algorithm, chunking strategy.
  10. How does the platform handle data residency at the integration layer? Can data from EU sources be processed only in EU regions?

Section 4: Pricing and contract (10 questions)

  1. Provide the complete pricing structure: per-seat, per-run, per-token, credits, flat-rate. Include all overage charges and how usage is metered.
  2. Project our cost at: [Year 1 volume estimate], [Year 2 volume estimate], [Year 3 volume estimate]. Include all costs you can foresee.
  3. What is the model usage cost passthrough? Are model costs included in your pricing or billed separately?
  4. What is the volume discount schedule? At what point does enterprise pricing kick in?
  5. What are the standard contract terms? Term length, payment terms, auto-renewal, termination for convenience.
  6. What is your standard MSA and DPA? Provide both for legal review.
  7. What are your standard SLAs and SLA credits structure?
  8. Are there fees for: implementation, training, integration build, additional environments (dev, staging), API access, premium support?
  9. How does pricing scale if we add a second product team or department? Same agreement or separate?
  10. What is your policy on price increases at renewal? Cap on annual increase?

Section 5: Support and SLAs (8 questions)

  1. Describe support tiers offered, response time commitments per tier, and what tier comes with our contract size.
  2. Publish the platform uptime SLA and provide actual uptime for the last 12 months by month.
  3. Is there a public status page? Provide the URL and the notification subscription options.
  4. What is the support process for a customer-impacting incident? Channels, escalation path, executive engagement criteria.
  5. Provide named customer success or technical account management commitments at our contract size.
  6. Describe the documentation and self-service knowledge base. Are runbooks for common issues publicly available?
  7. What is the training and enablement provided to our team during onboarding?
  8. How does support escalate to engineering? Provide a recent example timeline.

Section 6: Vendor stability (10 questions)

  1. Provide the company's funding history, current investors, and approximate runway.
  2. Provide revenue scale (range), customer count (range), and year-over-year growth.
  3. Has the company pivoted product focus in the last 24 months? Describe.
  4. Describe customer concentration. What percent of revenue comes from the top 1, top 5, top 10 customers?
  5. Provide the leadership team and engineering org chart. Who owns this product specifically?
  6. What is the company's policy on acquisition and the customer impact of one? Reference the data portability and contract continuity terms.
  7. How does the platform support customer data export? Provide the export API and document format.
  8. What is your customer churn rate over the past 12 months?
  9. Has the platform deprecated any major feature in the last 24 months? How was the deprecation handled?
  10. What happens to our deployment and data if the company is acquired, restructured, or winds down?

Scoring framework

The scoring rubric is applied per question: score each answer 1 to 5, with 1 for a missing or evasive answer, 3 for a standard answer backed by evidence, and 5 for best-in-class with documentation. Section totals are weighted by importance, and walk-away criteria override the total.

The PMI procurement guidance treats RFP scoring as a multi-stage process: technical evaluation first, commercial evaluation second, with explicit conflict-of-interest separation (PMI procurement management). Section scoring follows the same separation: capability and security drive technical scoring; pricing drives commercial.

Process and timeline

A workable RFP timeline.

FAQ

What should an AI agent platform RFP cover?
Six sections: capability and use case fit, security and compliance, integrations and data, pricing and contract terms, support and SLAs, and vendor stability.
How long should an AI agent platform RFP be?
Sixty questions across six sections. Shorter and you miss material risk; longer and vendors will copy-paste rather than answer specifically.
How do you score AI agent platform RFP responses?
Score each answer 1 to 5: 1 missing or evasive, 3 standard with evidence, 5 best-in-class with documentation. Weight section totals by importance. Walk-away criteria override the total.
What questions catch vendors who oversell?
Ask for specifics: a reference customer running our use case, a live demo of audit log retrieval, a published SLA with credits, an architecture diagram showing tenant isolation.
Should I share my RFP template publicly?
Yes if you can. Public templates raise the floor for the whole market.
How long should vendors get to respond?
Two to three weeks is standard. Less signals copy-paste; more signals you are not yet committed.

Sources