AI Procurement Risk Assessment
Assess and document the risks of procuring an AI system or service before approval, including technical, legal, privacy, and operational risks.
Objective
Prevent high-risk AI procurement decisions by requiring a structured risk assessment before purchase approval.
Maturity Levels
Initial
AI systems are procured without formal risk assessment.
Developing
Risk considerations are raised informally during procurement, but no structured assessment exists.
Defined
A documented risk assessment template is completed for every AI procurement, covering technology, legal, privacy, and operational dimensions.
Managed
Risk assessments are reviewed by relevant stakeholders; high-risk procurements require executive or governance committee approval.
Optimizing
Risk assessment methodology is continuously refined; assessment quality is audited and improved.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Completed procurement risk assessment for each AI system acquired, covering intended use, risk tier, data sensitivity, and regulatory exposure
- Risk assessment review and approval records showing the AI Governance function was consulted before procurement decisions
- Rejected or deferred procurement records showing the process identified and acted on unacceptable risks
- Risk register entries for accepted procurement risks, with named owner and review cadence
- Post-deployment review records confirming the actual risk profile matched the pre-procurement assessment, or documenting deviations
Implementation Notes
Key steps
- Build an AI procurement risk assessment template that covers: intended use and risk classification, data flows and privacy implications, regulatory compliance implications, security posture, vendor stability, model transparency, and exit/transition risk.
- Require sign-off from legal, privacy, and security on all AI procurements above a defined value or risk threshold.
- Include total cost of ownership in the risk assessment — AI systems often have hidden costs in data preparation, integration, monitoring, and governance.
- Maintain a registry of all procured AI systems with their risk assessment outcomes — this becomes the foundation of your AI system inventory.
Example Implementation
Procurement team evaluating an AI-powered workforce analytics platform
AI Procurement Risk Assessment — WorkforceAI Analytics
Procurement details: $180K/year · Risk tier: Critical (processes employee personal data; influences compensation recommendations)
Risk assessment summary:
| Dimension | Key Findings | Risk Level | Required Actions |
|---|---|---|---|
| Use case / intended purpose | Compensation benchmarking + performance analytics | Critical — HR decisions | Human approval gate required for all compensation outputs |
| Data flows | Employee PII, performance data, salary data sent to vendor | High | DPA required; data residency EU; zero-retention API |
| Regulatory compliance | GDPR Art. 22; EU AI Act High-Risk (employment context) | High | DPIA required before go-live; human oversight documented |
| Security posture | SOC 2 Type II (2025); ISO 27001 | Medium | Annual report review required |
| Vendor stability | Series C, $85M raised, 5 years operating | Medium | Financial viability review at renewal |
| Model transparency | Proprietary model; discloses feature categories not weights | Medium | Contractual obligation to disclose material changes |
| Exit / transition risk | Data export in standard CSV; 90-day transition support | Low | Export tested in POC |
Overall risk: High (approved with conditions)
Approval required: AI Governance Committee (Critical tier procurement)
Conditions: DPIA completed before go-live · Human review SOP documented · Annual vendor reassessment
Control Details
- Control ID: PRC-005
- Domain: Procurement
- Typical owner: Procurement / AI Governance Team / Legal
- Implementation effort: Medium
- Agent-relevant: No
