
How Singapore enterprises actually buy AI — the 6-step procurement flow vendors miss
By the time a vendor writes the proposal, the deal was already won or lost three rounds earlier. The real procurement flow is six steps. None of them show up in the RFP, and most happen before procurement is copied on the email thread.
The myth: "we'll just send a great proposal"
The linear model — find a need, send a deck, send a proposal — works for SMEs spending out of an owner's pocket. It does not work for buyers operating under MAS Notice 658, GeBIZ thresholds, or a board-approved AI policy. In SG enterprises, the proposal is the output of a successful evaluation, not the input.
By the time an RFP lands in a vendor's inbox, the buyer has already shortlisted two or three names based on signals nobody told us they were collecting. What kills most vendors is showing up at step five in a six-step process and assuming it was step one.
Step 1 — the shadow evaluation
Before any meeting is booked, somebody on the buyer side has already read the vendor's website, LinkedIn, and (if AI is on the menu) GitHub. The questions they want answered have nothing to do with the pitch deck. Does this vendor exist as a real business? Do they ship? Is the team senior enough that we won't get junior consultants?
For AI vendors specifically, buyers want to see opinions published on AI governance, not just product pages. The people doing this reading will later sit on the AI committee. They want vendors who won't embarrass them in front of their board.
Three things move this needle. A founder LinkedIn that posts substantive technical takes weekly. An open-source repo with real commit history (which is exactly why we open-sourced sgdata-mcp). And a blog where the writing sounds like an engineer who has actually shipped, not a marketer retrofitting trends. When the shadow evaluation fails, the vendor never learns why. The buyer simply doesn't respond, and we assume the email copy was off.

Step 2 — the internal champion
Every successful enterprise AI sale runs through one specific person on the buyer side, and that person is almost never the procurement officer or the CIO. It is a director-level operator with a P&L, a problem they cannot ignore, and political cover to spend.
This person appears in cycles. After a board meeting where AI was raised. After a competitor announced a deployment. After a regulator audit flagged manual processes. They have roughly a six-week window to look like they're doing something about it before the urgency fades.
What they need is not a feature list. They need three things they can take into their next steering committee: a credible vendor story, a 90-day plan that does not require a budget reshuffle, and one or two reference proof points that match their specific risk profile.
The vendors who close at this stage treat the champion like a co-author. We have run observed engagements where the champion privately told us what their CIO was sceptical about, and we redrafted the deck the night before the steering committee. Two meetings in and we still cannot name the champion. That is not a deal. That is a reference call.
Step 3 — the AI committee gate
Almost every Singapore enterprise above a certain size now has an internal AI committee, AI council, or responsible-AI working group. Banks have had them since the MAS FEAT principles landed in 2018. Most government agencies and GLCs have stood theirs up in the last 18 months, accelerated by the Model AI Governance Framework for Agentic AI that IMDA published this year.
These committees are real gates, not theatre. They have veto power. They meet on a fixed cadence, usually monthly. And they ask a consistent set of questions that vendors who haven't done this before invariably fail.
The five questions we now pre-answer in every Lyra pitch: where does the data sit, what model are you using and can it be swapped, who has approval authority on agent actions, what is the audit trail format, and how do we exit the contract without lock-in. None are technical curveballs. They are board-level risk questions wearing technical clothing.
We map every Lyra deployment to AI Verify principles and ISO/IEC 42001 controls before the first committee meeting, not after. That is how the chair clears their own paper trail with their auditor. If a vendor cannot speak fluently to FEAT, AI Verify, and ISO 42001 in committee, even with a technically excellent product, they lose to a competitor who can.
Step 4 — security and governance review
Once the AI committee gives a conditional yes, the file moves to security and governance, and the timeline lengthens dramatically. Banks operating under MAS Notice 658, and merchant banks under Notice 1121, must enter every outsourced relevant service (AI software included) into an Outsourcing Register that is filed with MAS semi-annually.
That register is not optional, and the security review is what populates it. Reviewers ask for SOC 2 or ISO 27001 reports, model and data residency commitments, the incident-response runbook, the sub-processor list, and a contractual clause confirming the bank's right to audit. If any one of those is missing, the file sits.
Government agencies run a parallel process. GovTech's vendor onboarding and the IT Standards and Guidelines (IM8) impose their own controls around data classification, hosting location, and acceptable use of foreign LLMs. Most agencies require vendors to demonstrate that sensitive data does not leave Singapore-hosted infrastructure.
This is where most foreign AI vendors stall out for six to nine months. The Singapore-incorporated, Singapore-hosted, Singapore-citizen-engineered story is not jingoism. It is risk reduction the buyer can defend in writing. We treat security and governance documentation as a first-class deliverable, refreshed quarterly, and the difference in deal velocity is dramatic.
Step 5 — procurement and the GeBIZ flow
Only now does formal procurement enter the picture. For government and statutory boards, this means GeBIZ, Singapore's central e-procurement portal. Which lane a vendor lands in depends entirely on contract value.
The lanes: small-value purchases at or below S$6,000 (single-quote), Invitations to Quote (ITQ) typically between S$6,000 and S$90,000, Open Tenders above S$90,000, and Period Contracts or panel agreements that pre-qualify a roster of vendors for repeat draw-down. The full ladder is documented in the Singapore Government Procurement Regime guide.
Before any vendor can transact at all, they need to be a registered government supplier through the Vendors@Gov system. That is a separate registration from GeBIZ itself, requiring an ACRA business profile, audited financials, and tax filings. The current registration guidelines are publicly published, and we recommend new vendors complete this step well before any tender goes live.
Banks and GLCs run their own approved-vendor lists, which are functionally similar. Onboarding requires the same documentation set as security review, plus a master services agreement that survives across multiple statements of work, plus (increasingly) a separate AI addendum covering model changes, retraining, and human-in-the-loop boundaries.
The detail vendors miss most often: the procurement team's job is not to evaluate the product. It is to verify that the people upstream did their evaluation correctly, document the audit trail, and make sure the contract is enforceable.
Step 6 — POC, then production
Almost no Singapore enterprise will move directly from contract to full production. The default path is a paid proof-of-concept, typically 8 to 12 weeks, with a defined success criterion—and this is the step where deals quietly die.
POCs fail in three predictable ways. Success criteria were never written down, so the buyer can move the goalposts. The vendor delivered something demo-able but not operationally credible. Or the production-scaling contract terms were not negotiated up front, so the buyer has to restart procurement to scale.
The POCs that convert to production share a pattern. Success criteria are baked into the SOW with numeric thresholds (accuracy, latency, cost-per-query, audit-coverage). The production contract is pre-drafted as an option to extend rather than a new procurement. And the human-in-the-loop pattern is demonstrated end-to-end. Not as a screenshot. As a real owner approving a real action with a real audit trail.
Every agent action Lyra takes is gated on a human owner, every action writes to an immutable trail, and the production-scaling story is the same gate that ran during the POC, just at higher volume. When buyers see the same governance pattern in POC and production, the second contract is a renewal conversation, not a re-procurement.
Three mistakes vendors keep making, and one thing that always works
The three repeated mistakes, in order of frequency: pitching features before pitching governance, treating security review as a back-office formality instead of a sales motion, and assuming the procurement team is the buyer.
The thing that always works is publishing. The patterns we observe across SG enterprise buyers tend to start the same way: the buyer read something we wrote. A blog. A public repo. A clause-by-clause governance walkthrough. None of the wins started with a cold email that performed.
Singapore enterprises buy from vendors they trust their auditor to approve of. The shortest path to that trust is to be visibly the kind of vendor who already thinks like an auditor, in public, before anybody asks.
If you are building AI for Singapore enterprises and want to compare notes on this flow, we are at altronis.sg.
Frequently asked
How do SG enterprises actually buy AI in 2026?
Three buying patterns dominate. RFP-led for regulated industries (banks, gov-linked) — slow, ISO-aligned, vendor-list-gated. Innovation-budget pilots for digital-native firms — faster, sub-S$50k pilots with 90-day decision windows. Embedded-vendor expansion for SMEs already on Microsoft 365 / Google Workspace — they buy AI through the existing vendor first.
What is the typical AI procurement cycle in SG enterprise?
RFP-led: 6–12 months from need-statement to first contract. Innovation budget: 2–4 months. Embedded expansion: 4–8 weeks. The cycle length is more predictive of project success than the budget size.
What blocks AI procurement most often in SG enterprise?
Data residency clauses, ISO/IEC 27001 alignment for the vendor, and unclear ownership of the prompt/model artefacts. The data residency conversation is solvable with private-LLM hosting; the ownership conversation needs explicit contract terms most SaaS vendors will not give.
Last updated 3 May 2026.