10 AI Data Security Questions to Ask When Evaluating CPQ Software

From model hallucinations to cybersecurity breaches, AI adoption is a risky endeavor if your company doesn’t have AI security best practices in place. According to Accenture, 77% of companies are failing at AI data security as they continue to rush AI adoption without foundational security practices.  

Of over 200 surveyed manufacturers, low confidence in AI and its data is a core barrier to AI adoption. And as CPQ software—which continues to be a crucial part of the sales process—integrates AI into its capabilities, companies can expect to have more questions for vendors.  

These questions and AI security best practices make it easier to set up the guardrails you need to safely and securely reap the benefits of AI-driven CPQ.  

What is AI data security and why is it so important? 

AI is capable of processing vast amounts of data, from publicly available data to confidential, internal information. That may include personal identification details, product details, financial data, and other sensitive information. With so much data comes the risk of AI security vulnerabilities, including breaches, non-compliance, and errored outputs.  

As you adopt AI tools and integrate them across your digital systems and software, you are putting confidential information in the hands of your vendors. Your customers and your internal teams rely on IT leaders to evaluate and choose trusted partners that keep their information safe.  

10 questions and best practices for AI data security in CPQ software  

In addition to understanding available AI use cases in a vendor’s CPQ platform, it’s crucial to know a vendor’s policies around data security, especially if the company is using generative AI or LLMs.  

Start conversations around AI security with these essential questions. 

1. How is customer data handled when processed by AI features within the CPQ tool?

Start with what customer data is used by the AI algorithms. Understand the flow of that data through the system, as well as any governance practices that limit user access to sensitive data and clearly define where that data exists to prevent exposure. 

2. Does the CPQ vendor use any customer data to train AI models—either their own or third-party models?

Buyers should clarify whether their data contributes to model improvement and whether opt-out mechanisms exist to prevent data leaks. Your data should never be used to train public AI models. Consider what contractual guarantees exist to prevent data sharing with third parties, including model providers. 

3. Are AI models hosted in secure, enterprise-controlled environments or in public cloud AI systems?

When evaluating CPQ that uses generative AI and LLMs like OpenAI (ChatGPT), vendors should clearly state whether sensitive configuration, pricing, and product data is exposed to external, public environments. Work with CPQ partners that process data using enterprise-grade level environments or AI tools that keep all data within their internal environment.  

4. How does the vendor ensure compliance with relevant data protection standards?

AI tools must align with both global privacy requirements and internal corporate governance. AI data security regulations are often more stringent in the European Union, for example, than in North America. Different divisions and regions may have different data security regulations, such as the AI Act in the EU, which are important to be aware of if you are a global company.  

Helpful follow-up questions:  

• How is it ensured that my data remains within the EU (for global or European businesses)? 

• Are all AI interactions logged for audit and compliance purposes? 

• Are your AI services compliant with GDPR / CCPA / ISO 27001 / SOC 2? 

These certifications signal whether a vendor has independently audited, repeatable security processes in place. Buyers should confirm that compliance applies not only to the core CPQ platform but also to all AI components, including sub-processors and model providers. Ask whether the vendor supports data residency requirements (e.g., EU-only processing), maintains audit logs, enforces role-based access controls, and provides documentation for security reviews. 

5. What mechanisms are in place to ensure human oversight of AI-generated outputs?

Garbage in equals garbage out, no matter how secure your AI CPQ software data may be. First, verify with your internal experts that your data used by the AI is clean and consistent—an important step for all companies adopting AI. Then, ensure that AI suggestions, configurations, or automated content are validated before being used in sales or engineering processes. All outputs generated by the CPQ vendor should be subject to human review for internal quality control to prevent hallucinations and other errors.  

Helpful follow up question:  

• Who owns outputs created by AI, the customer or the vendor?  

AI is not a person, so who owns its outputs? AI output can be considered intellectual property, which means that suggestions, documentation, or configuration assets may be property of the CPQ vendor rather than the customer. Ensure you are the owner of AI outputs, especially if those outputs are to be patented or commercialized.  

6. What encryption and security practices protect data during storage, transmission, and AI processing?

Buyers should look for a vendor that can clearly describe how data flows, where it is encrypted, who can access it, and how the environment is monitored. Is data encrypted in both transit and at rest? Vendors should also monitor AI environments for anomalies, unauthorized access attempts, or unusual model behavior. If vendors have appropriate role-based access and segregated environments, there is less probability of misuse or external access.  

7. What level of transparency does the vendor provide about the AI system’s behavior, limitations, and decision logic?

AI-enabled CPQ shouldn’t be a black box. Can your CPQ vendor easily explain the types of AI algorithms and logic rules that are used? Does it use a mix of symbolic AI and generative AI to improve trustworthiness? Understanding how the AI arrives at recommendations is critical for trust and auditability. 

8. How does the vendor manage model updates, patching, and lifecycle governance to ensure ongoing security?

AI models evolve, so companies should know how updates are applied and validated. Equally, if your vendor is not consistently investing in modernizations and improvements to its capabilities and platform, it may be time to look elsewhere.  

Helpful follow-up questions:  

• How are updates to the AI model made, and how are customers notified? 

• Are the AI functionalities AI-native or AI-enabled? 

AI-native capabilities are built directly into the core CPQ architecture, ensuring unified governance, security, and consistent use of product logic. AI-enabled (“bolt-on”) features often rely on external components, which can introduce additional data transfers, limited governance, and higher security risks. 

Ask whether: 

• AI runs within the same rules engine 

• It depends on external orchestration tools 

• Product logic is governed centrally or duplicated across service 

• Safeguards are built into your architecture to switch models or rebalance cost/performance without disruption 

These questions address fears about model vendor lock-in, AI regulation changes, and tech bubble volatility for long-term data security.  

9. What technical safeguards exist to prevent inaccurate, biased, or non-compliant AI outputs from entering customer-facing quotes?

Buyers should confirm that the CPQ vendor has technical, automated safeguards that prevent the AI from generating outputs that violate or override product rules, pricing policies, compliance requirements, or accuracy standards. Unlike human oversight, these safeguards are built directly into the system and ensure that AI-generated recommendations are always validated against the product model, pricing structures, and regulatory logic before they appear in a quote. This avoids, for example, a potential regulatory issue or an unauthorized discount. 

10. How is the CPQ vendor using AI in its own internal operations?

This question often goes overlooked. But it’s a major red flag if an AI-driven CPQ company is not operationalizing AI within its own teams. When a company uses AI to drive its own efficiencies and innovations—especially operationalizing an AI use case internally before marketing it externally—then you know they have full confidence and trust in their AI capabilities.  

Keep your data secure in AI-enabled CPQ 

Tacton CPQ AI capabilities protect your product, pricing, and customer information across tools like AI Product Modeling and configuration assistance. We combine enterprise-grade security with human oversight, so you can innovate and sell highly configurable products with confidence. 

Learn More