Upstream is here! Cornerstone’s next-generation data platform is now live. Learn More.
Support Login
GET IN TOUCH
Resources / Blog

10 Questions Every Travel Buyer Should Ask Suppliers About AI Risk 

At GBTA 2025, Cornerstone had the pleasure of facilitating a panel with Jennifer Steinke and Jay Richmond where we dug into one of the most urgent topics facing the travel industry today, how to manage the risks of AI in supplier relationships. Our session, 10 Questions You Need to Ask Your Suppliers About AI (and Vice Versa), explored real-world examples of data exposure, transparency challenges, and governance gaps, along with a practical question framework travel buyers can use immediately. 

AI is transforming how travel suppliers operate, from chatbots and recommendation engines to dynamic pricing models. But with innovation comes risk, especially when it comes to data.In today’s AI-driven landscape, your sensitive information could be exposed, misused, or even repurposed to train models and policy management without your knowledge. 

Recent case studies from Samsung’s confidential code leak via ChatGPT to Air Canada’s chatbot fiasco show that AI-related data risks are real and can have legal, financial, and reputational consequences. Whether you’re a travel buyer or supplier, asking the right questions is the first step toward protecting your organization. 

Here’s a framework of 10 critical questions to guide those conversations. 

1–3: Data Exposure 

  1. How do you prevent my data from being used in AI training—now and in the future? 
    Require explicit commitments that your data won’t be used to train models without your consent. 
  1. Do you isolate my data from other clients, systems, and AI workflows? 
    Ask about dedicated instances, virtual private clouds (VPCs), or other segregation measures. 
  1. What controls do you have to detect and block shadow AI use? 
    Ensure there are safeguards against unauthorized integrations with generative AI tools. 

💡 Don’t assume your data is safe—verify how it’s kept out of AI pipelines. 

4–6: Transparency & Oversight 

  1. Can I audit how many data is accessed —and how it was used? 
    Access logs and detailed reports are essential for accountability. 
  1. What alerts or reports will I receive if my data is accessed by an AI system? 
    Look for real-time notifications and scheduled reporting. 
  1. How often will we review your AI and data protection policies together? 
    Policies should be reviewed at least annually—or whenever they change. 

💡 If you can’t see it, you can’t control it. Trust but verify. 

7–10: Legal & Data Governance 

  1. Does our contract explicitly prohibit use of our data for AI model training or development? 
    If it’s not in writing, it’s not enforceable. 
  1. What is your data retention policy—and can we shorten or customize it? 
    Define timelines for deletion and ensure they’re enforced. 
  1. What certifications and audits do you have—and when was your last review? 
    Look for SOC 2 Type II, ISO 27001, GDPR, and CCPA compliance. 
  1. What happens in the event of a data incident—how fast will we be notified, and what are the penalties? 
    Response times, escalation paths, and financial remedies should be clearly defined. 

💡 Lock it down in the contract to keep the door closed to risk. 

Why These Questions Matter 

The AI ecosystem is fueled by data from public web crawls to licensed proprietary sources. Without strong controls, your company’s traveler information, contracts, and internal documentation could end up in training datasets. This isn’t just a privacy concern; it can affect competitive advantage, contract negotiations, and brand trust. 

Consider the cautionary tales: 

  • Samsung engineers inadvertently exposed proprietary code by pasting it into ChatGPT. 
  • Zoom faced backlash after quietly changing terms of service to allow AI training on customer data. 
  • The New York Times took legal action when its paywalled content was scraped for AI training. 
  • Air Canada was held liable for misinformation given by its AI chatbot. 

In each case, the damage could have been mitigated or avoided through proactive oversight and contractual safeguards. 

Next Steps for Travel Buyers 

  1. Review your top supplier contracts for AI-related clauses. 
  1. Request access logs and data retention details to understand your current exposure. 
  1. Update your internal AI use policy to set clear boundaries for employees. 
  1. Add AI risk to vendor onboarding checklists and renewal reviews. 
  1. Engage Legal, InfoSec, and Procurement teams in ongoing policy reviews. 

AI adoption in travel is accelerating. By making these 10 questions part of your regular supplier conversations, you create a culture of transparency, accountability, and shared responsibility. 

Bottom line: AI risk management isn’t about saying “no” to technology, it’s about making sure innovation works for you, not against you. Ask the hard questions, get the answers in writing, and keep asking as the technology evolves. 

Download the full resources here to access the complete question framework, real-world case studies, and checklists to start safeguarding your program today. 

Download Presentation

GO TO TOP