Editorial

How to tell if an AI tool is legit (a 2026 buyer's checklist)

By Sydney Weiss
Senior AI Reviewer · 2026-06-19 · 11 min read

Figuring out whether an AI tool is legit got harder in 2026, not easier. The barrier to launching an "AI-powered" product is now a weekend and an API key, regulators are fining companies for inventing AI capabilities they never had, and the tool you sign up for today has a real chance of quietly disappearing within a year. So "is this AI tool legit?" has become a question worth answering deliberately — before you hand over your data or your budget. This is our checklist for doing exactly that.

We review AI tools for a living, and we also maintain the AI graveyard — the record of the ones that didn't make it. That gives us an unusually clear view of how AI tools go wrong: the scams, the vaporware, the thin wrappers, and the ones that simply ran out of money. Here is how to separate a real, durable AI tool from a dud, in about fifteen minutes.

Why "is this AI tool legit?" is a 2026 problem

Three things changed at once, and together they make vetting essential rather than optional.

Regulators are now policing fake AI claims. In September 2024 the FTC launched Operation AI Comply, a sweep of enforcement actions against companies using "AI" to deceive. The headline case: DoNotPay, the self-described "robot lawyer," which settled for $193,000 after the FTC said it never tested whether its AI matched the work of a human attorney. The SEC has run a parallel crackdown on "AI washing" — it fined the investment advisers Delphia and Global Predictions a combined $400,000 in March 2024 for marketing AI they had not actually implemented, and in January 2025 sanctioned Presto Automation, whose drive-thru "AI" turned out to need human agents for more than 70% of orders.

Some of the most-hyped tools turned out to be people. Builder.ai, a Microsoft-backed startup once valued above $1 billion, collapsed into insolvency in 2025. The Wall Street Journal had reported as far back as 2019 that it leaned on human engineers for work it marketed as AI, and the Financial Times later reported its revenue had been overstated roughly fourfold — about $220 million claimed against some $55 million real. The gap between the AI story and the AI substance is not a fringe problem; it reached unicorn scale.

Durability is its own risk. Gartner expects more than 30% of generative-AI projects to be abandoned. And in our own data, the single most common way an AI tool dies is a silently expired domain — 40% of the graveyard simply went dark, no announcement. A tool can be entirely real today and gone by next quarter.

The good news: the signals that separate a legit, durable AI tool from a risky one are mostly public. Here is what to check.

1. Confirm the company is real

Start with the basics, because the worst offenders fail here. Look for a team page with named, LinkedIn-verifiable people — not stock photos or invented "AI avatars." Confirm the company is an actual registered entity (a Secretary of State business search, or SEC EDGAR for a US public company). Check Crunchbase for funding history and named investors.

None of these is disqualifying on its own; plenty of legitimate tools are bootstrapped and absent from Crunchbase. But a product with no named founders, no traceable legal entity and no public footprint that is nevertheless asking for your payment details is a product with something to hide.

2. Read the security and data posture — especially "do they train on your data?"

This is where a fifteen-minute check earns its keep.

Ask for SOC 2 Type II, not just Type I. A Type I report says a vendor designed security controls as of one date; a Type II says those controls actually operated over a period of at least six months. For anything touching business data, Type II is the real bar — ask directly whether they can share one under NDA. For European or regulated data, ask for ISO 27001 as well.

Find out whether the tool trains on your inputs. Open the privacy policy and terms and search (Ctrl+F) for "train," "improve," and "model." Many consumer-grade AI tools reserve the right to train on whatever you put in unless you actively opt out. If you plan to feed it anything sensitive, that one clause matters more than any feature on the pricing page.

Expect a DPA and a trust center. A vendor built for business data can send you a Data Processing Agreement on request and usually publishes a trust or security page listing its certifications and subprocessors. If neither exists, the tool is not enterprise-ready yet — regardless of what the homepage says.

3. Check it's maintained — and likely to survive

A legit tool that gets abandoned six months from now is still a bad bet. Look for signs of an actively maintained, funded product: a changelog or release notes updated within the last ~90 days, a public status page that shows real incident history (not a permanent green light), and a domain that isn't freshly registered, which a quick WHOIS lookup will tell you.

Then run the abandonment test. Five warning signs: no product updates in 90+ days, social accounts dormant for a couple of months, a domain near expiry, no response to a pre-sales support question, and — for venture-backed tools — no new funding round in more than two years. Any one of these is noise. Three at once is a tool already drifting toward the graveyard, and you should plan an exit before you depend on it.

4. Make sure it's a real product, not a thin wrapper

A "wrapper" is a thin interface over someone else's model — no proprietary data, no real integrations, no defensibility of its own. Wrappers are not automatically scams, but they are fragile: when the underlying models improve, the gap they filled disappears. Jasper is the cautionary tale here — it reportedly fell from around $120 million in revenue toward $35–55 million once ChatGPT closed the writing-assistant gap it had been charging for.

Four questions expose a wrapper quickly:

  • If OpenAI or Anthropic shipped this exact feature natively tomorrow, would the product still have a reason to exist?
  • Does it get better the more you use it — accumulating your data, corrections, and workflows — or is every session a fresh prompt?
  • What can it do that you couldn't get by pasting your own prompt straight into ChatGPT or Claude?
  • Is there engineering in the changelog beyond interface tweaks?

If the only honest answer is "it has a nicer interface," that is not a moat, and the durability risk is high.

5. Pressure-test the reviews

Assume, going in, that a meaningful share of the reviews you read are fake or paid. The problem got large enough that the FTC banned fake and AI-generated reviews outright in a rule effective October 2024, carrying penalties of up to $51,744 per violation. Trustpilot alone removed 4.5 million fake reviews in 2024 — about 7% of everything posted to the platform that year.

You can screen for the obvious ones in two minutes:

  • Sort by most recent and look for bursts — a cluster of glowing five-star reviews landing within a 24-to-48-hour window, after long stretches of quiet, is the signature of a paid campaign.
  • Distrust generic praise that names no specific feature, outcome, or problem. Authentic reviews describe the thing that actually helped; fabricated ones reach for vague enthusiasm.
  • Check the reviewer — a brand-new account with a single five-star review and no other activity is a tell.
  • Read the rating distribution. A 4.9 average across hundreds of reviews with essentially no low scores usually means negative reviews are being filtered out — which, as of the 2024 rule, is itself illegal.
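To make the burst and rating-spread screens concrete, here is an added Python example written for this article (not code from any review platform) that runs both heuristics over a constructed set of timestamped reviews. The 48-hour window, the five-review minimum, the 30-day quiet stretch and the 100-review floor for the distribution check are assumed thresholds you would tune to the platform.

```python
from datetime import datetime, timedelta

# Constructed sample, not real review data: (ISO timestamp, star rating).
# A few scattered reviews, a long quiet stretch, then six 5-star reviews in ~36 hours.
SAMPLE_REVIEWS = [
    ("2026-01-03T10:00", 4), ("2026-01-20T15:30", 2), ("2026-02-14T09:10", 5),
    ("2026-03-02T08:00", 5),
    ("2026-05-10T09:00", 5), ("2026-05-10T11:20", 5), ("2026-05-10T14:05", 5),
    ("2026-05-11T08:45", 5), ("2026-05-11T16:30", 5), ("2026-05-11T20:10", 5),
]
# Constructed: one 5-star review every day for seven months and no low scores at all.
PERFECT_REVIEWS = [(f"2026-{m:02d}-{d:02d}T12:00", 5) for m in range(1, 8) for d in range(1, 29)]


def parse(reviews):
    """Parse and sort (timestamp, stars) pairs oldest-first."""
    return sorted((datetime.fromisoformat(t), s) for t, s in reviews)


def find_bursts(reviews, window_hours=48, min_count=5, quiet_days=30):
    """Return (start, count, quiet_gap_days) for each run of >= min_count
    five-star reviews inside window_hours that follows >= quiet_days of silence."""
    rows = parse(reviews)
    fives = [t for t, s in rows if s == 5]
    bursts = []
    for i, start in enumerate(fives):
        in_window = [t for t in fives[i:] if t - start <= timedelta(hours=window_hours)]
        prior = [t for t, _ in rows if t < start]   # any review, any rating, before the window
        if len(in_window) < min_count or not prior:
            continue
        gap = (start - prior[-1]).days
        if gap >= quiet_days:
            bursts.append((start, len(in_window), gap))
    return bursts


def rating_spread(reviews):
    """Return (average stars, share of reviews rated 1 or 2 stars)."""
    stars = [s for _, s in parse(reviews)]
    return sum(stars) / len(stars), sum(1 for s in stars if s <= 2) / len(stars)


def screen(reviews):
    """Apply both screens and return a list of human-readable flags (empty = nothing found)."""
    flags = [f"{n} five-star reviews within 48h after {gap} quiet days (starts {t:%Y-%m-%d})"
             for t, n, gap in find_bursts(reviews)]
    avg, low = rating_spread(reviews)
    if len(reviews) >= 100 and avg >= 4.8 and low < 0.02:
        flags.append(f"{avg:.2f} average over {len(reviews)} reviews with {low:.0%} low scores")
    return flags
```

A flag is a prompt to look closer, not a verdict; a product launch or a feature release can also produce a genuine cluster of reviews.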

6. The red flags that should stop you

These are the patterns regulators actually went after in 2024–2025. They double as your stop signs:

  • Vague "AI-powered" language with no description of what the model does or how it was tested. (Delphia was charged for advertising AI it had never put into its product.)
  • Guaranteed or extreme returns tied to AI — "an AI that builds you a million-dollar business." Most of Operation AI Comply was exactly this.
  • Autonomy claims with no human-in-the-loop disclosure. (Presto marketed "no human order-taking"; humans handled the majority.)
  • "Replaces your lawyer / doctor / accountant" with no evidence the tool was ever measured against the professional it claims to replace. (This is what sank DoNotPay's claims.)
  • Pressure to pay now, refunds refused, and negative reviews punished — old-fashioned fraud signals wearing an AI costume.

One of these warrants slowing down. Two warrants walking away.

The 15-minute legitimacy check

If you remember nothing else, run this list before you trust an AI tool in 2026:

  1. Named founders you can verify on LinkedIn.
  2. A real, registered company entity.
  3. SOC 2 Type II (or ISO 27001) available on request.
  4. A privacy policy you've actually searched for "train" and "model."
  5. A Data Processing Agreement and a trust/security page.
  6. A changelog updated in the last ~90 days.
  7. A public status page with real incident history.
  8. A domain that isn't brand-new (WHOIS).
  9. Reviews that name specifics, with a believable rating spread.
  10. No guaranteed-ROI, no undisclosed humans, no "replaces a professional" claims.

Clear most of these and you are probably dealing with a real, durable tool. Fail several and you have your answer.

How we do this

This is the reader's version of how we review AI tools. We run these checks on every product we list, we follow the ones that fail all the way to the AI graveyard — and we wrote up what actually kills them so the patterns are on the record. The tools that clear the bar consistently are the ones that end up in our Top 100. Vetting is not a one-time gate; in a market where 40% of failures are silent, it's a habit.

Frequently asked questions

How do I know if an AI tool is legit? Run a short, public-records check: verify the company is a real registered entity with named founders, confirm it has security credentials (SOC 2 Type II or ISO 27001) and a Data Processing Agreement, read the privacy policy for whether it trains on your data, and look for an actively updated changelog and status page. A tool that clears those is very likely legitimate; one that fails several is not worth your data.

Is it safe to put my data into an AI tool? Only after you've read how it handles that data. Open the privacy policy and terms and search for "train," "improve," and "model" — many consumer AI tools reserve the right to train on your inputs unless you opt out. For sensitive data, require a Data Processing Agreement, SOC 2 Type II, and an explicit statement that your data won't be used for model training.

What is "AI washing"? AI washing is overstating or fabricating a product's use of artificial intelligence to ride the hype. It's now an enforcement target: the SEC fined the advisers Delphia and Global Predictions a combined $400,000 in 2024 for it, and the FTC's Operation AI Comply brought several deceptive-AI cases the same year. The tell is vague "AI-powered" language with no specifics about what the model actually does.

How can I tell if AI tool reviews are fake? Look for review bursts (many five-star reviews in a short window), generic praise that names no specific feature or outcome, reviewer accounts with a single review and no history, and an implausibly perfect rating distribution with no low scores. Fake and AI-generated reviews are now illegal under a 2024 FTC rule, but they persist — Trustpilot removed 4.5 million of them in 2024 alone.

What is a "thin AI wrapper"? A thin wrapper is a product that's mostly an interface over someone else's model (like GPT or Claude) with no proprietary data, integrations, or defensibility. The risk is fragility: when the base models add the feature, the wrapper loses its reason to exist — as happened to a number of early writing and chat tools. Ask what the product does that you couldn't get by prompting the underlying model yourself.

Will this AI tool still exist next year? Maybe not — Gartner expects over 30% of generative-AI projects to be abandoned, and in our graveyard data the most common death is a silently expired domain. Check for recent product updates, a live status page, a non-expiring domain, and (for funded startups) recent investment. If several of those are missing, build an exit plan before you commit.

Does an AI tool need SOC 2 to be trustworthy? For consumer use, not necessarily — but for any tool handling business or customer data, a SOC 2 Type II report (audited over at least six months) is the practical standard, and ISO 27001 matters for European and regulated contexts. A vendor that can't produce either, and has no trust or security page, hasn't invested in enterprise readiness yet.

Where to go next

For the evidence behind the durability warnings, our AI graveyard report breaks down what actually kills AI tools, and the graveyard itself is the running record of the ones that are gone. For how the survivors are being bought up, see our analysis of the 2026 AI consolidation. And for the standard we hold tools to before we list them, our review methodology and the Top 100 AI Tools are the place to start.

The honest version: in 2026, "is this AI tool legit?" has two halves — is it real, and will it last. The scams are getting policed, but slowly; the quiet failures aren't policed at all. Fifteen minutes of public-records checking is the cheapest insurance you can buy against both.

— The ToolDirectory.AI editorial team
