AI Vendor Due Diligence
Assess AI vendors against security, governance, and compliance criteria before procurement and at defined intervals during the vendor relationship.
Objective
Ensure third-party AI systems and services meet the organization's security, privacy, and governance standards before they are deployed.
Maturity Levels
Initial
AI vendors are selected based on capability alone; governance and security are not assessed.
Developing
Informal security questions are asked during sales processes but no structured assessment framework exists.
Defined
A documented AI vendor assessment questionnaire is completed before procurement, covering security, data handling, model transparency, and compliance.
Managed
Vendor assessments are refreshed annually; high-risk vendors undergo deeper review.
Optimizing
Due diligence methodology is continuously updated to reflect emerging AI governance standards; third-party audits are required for critical vendors.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Completed due diligence questionnaire or assessment report for each AI vendor, covering security, privacy, model governance, and incident history
- Vendor risk tier assignments with rationale, reviewed by the AI Governance or Procurement function
- Due diligence review records showing findings were assessed and any gaps were addressed before contract award
- Periodic re-assessment records confirming ongoing vendor risk posture is reviewed at defined intervals
- Escalation records for vendors where due diligence identified material issues, including resolution or accepted risk documentation
Implementation Notes
Key steps
- Develop an AI-specific vendor assessment questionnaire that covers: model transparency (which model is used and how it is updated), data handling (how prompts and outputs are stored and used), security controls, compliance certifications, and incident notification obligations.
- Weight assessment criteria by the sensitivity of the use case — a vendor providing a low-risk summarization tool requires lighter due diligence than one making credit or HR decisions.
- Require SOC 2 Type II or equivalent as a baseline for vendors processing sensitive data; review the report, not just the certification letter.
- Assess the vendor's own AI governance: do they use AI in their service delivery, and if so, how do they govern it?
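The key steps above describe a questionnaire whose criteria are weighted by use-case sensitivity, with SOC 2 Type II as a hard baseline for vendors handling sensitive data. The following Python script is an added illustration of that scoring logic, not part of this control or of any vendor's tooling: it encodes the questionnaire criteria as weighted items, applies a sensitivity-dependent approval threshold and mandatory-criterion check, and derives a recommendation plus the annual reassessment date. The criterion names, weights, thresholds and the "partial" status are assumptions made for the example; the ContractAI Pro responses are transcribed from the example implementation below, with the vendor's undisclosed AI governance framework recorded as a partial result.

```python
"""Weighted AI-vendor due diligence scoring (added example, not the control's own tooling).

Weights, thresholds, mandatory criteria and the review interval are assumed
values chosen to illustrate the approach; adjust them to the organisation's
own risk appetite.
"""
from datetime import date

# Questionnaire criteria with an assumed base weight each.
BASE_WEIGHTS = {
    "data_encryption": 2,
    "soc2_type2": 3,
    "prompt_data_use": 3,
    "model_transparency": 2,
    "data_residency": 2,
    "incident_notification": 2,
    "vendor_ai_governance": 1,
}

# Minimum weighted score to approve, by use-case sensitivity (assumed).
# A summarization tool ("low") tolerates more gaps than a credit/HR decision system ("high").
APPROVAL_THRESHOLD = {"low": 0.6, "medium": 0.8, "high": 0.9}
CONDITIONAL_MARGIN = 0.15  # below threshold by at most this much -> approve with conditions

# Criteria that must pass outright when sensitive data is processed.
# The control names SOC 2 Type II as the baseline; the other two are assumed here.
MANDATORY_FOR_SENSITIVE = {"soc2_type2", "prompt_data_use", "incident_notification"}

STATUS_SCORE = {"pass": 1.0, "partial": 0.5, "fail": 0.0}
REASSESSMENT_MONTHS = 12  # assessments are refreshed annually (Managed level)


def score_assessment(responses, sensitivity):
    """Return (weighted score in 0..1, list of blocking gaps).

    `responses` maps criterion name -> "pass" | "partial" | "fail".
    Criteria missing from the questionnaire count as "fail" so an
    incomplete submission cannot inflate the score.
    """
    if sensitivity not in APPROVAL_THRESHOLD:
        raise ValueError(f"unknown sensitivity level: {sensitivity!r}")
    earned = total = 0.0
    blocking = []
    for criterion, weight in BASE_WEIGHTS.items():
        status = responses.get(criterion, "fail")
        if status not in STATUS_SCORE:
            raise ValueError(f"invalid status {status!r} for {criterion}")
        total += weight
        earned += weight * STATUS_SCORE[status]
        # Hard requirements apply only once the use case handles sensitive data.
        if sensitivity != "low" and criterion in MANDATORY_FOR_SENSITIVE and status != "pass":
            blocking.append(criterion)
    return earned / total, blocking


def add_months(d, months):
    """Shift a date by whole months; day is clamped to 28 to stay valid in every month."""
    month_index = d.month - 1 + months
    return date(d.year + month_index // 12, month_index % 12 + 1, min(d.day, 28))


def recommend(responses, sensitivity, assessed_on):
    """Derive the procurement decision and the next reassessment date."""
    score, blocking = score_assessment(responses, sensitivity)
    threshold = APPROVAL_THRESHOLD[sensitivity]
    if blocking:
        decision = "rejected"  # a mandatory criterion failed: no score can compensate
    elif score >= threshold:
        decision = "approved"
    elif score >= threshold - CONDITIONAL_MARGIN:
        decision = "approved_with_conditions"
    else:
        decision = "rejected"
    return {
        "decision": decision,
        "score": round(score, 2),
        "blocking_gaps": blocking,
        # High-risk vendors get the same interval but a deeper review.
        "review_depth": "deep" if sensitivity == "high" else "standard",
        "reassess_by": add_months(assessed_on, REASSESSMENT_MONTHS),
    }


# Responses transcribed from the ContractAI Pro excerpt; the governance line is
# marked partial because no dedicated AI governance framework was disclosed.
CONTRACT_AI_RESPONSES = {
    "data_encryption": "pass",
    "soc2_type2": "pass",
    "prompt_data_use": "pass",
    "model_transparency": "pass",
    "data_residency": "pass",
    "incident_notification": "pass",
    "vendor_ai_governance": "partial",
}

# Constructed responses for a hypothetical low-risk summarization vendor.
SUMMARIZER_RESPONSES = {
    "data_encryption": "pass",
    "soc2_type2": "fail",
    "prompt_data_use": "partial",
    "model_transparency": "pass",
    "data_residency": "fail",
    "incident_notification": "pass",
    "vendor_ai_governance": "fail",
}

if __name__ == "__main__":
    print(recommend(CONTRACT_AI_RESPONSES, "high", date(2026, 3, 15)))
    print(recommend(SUMMARIZER_RESPONSES, "low", date(2026, 3, 15)))
    print(recommend(SUMMARIZER_RESPONSES, "high", date(2026, 3, 15)))
```

Running the script shows the point of weighting by sensitivity: the same summarizer responses are approved with conditions for a low-risk use case but rejected outright for a high-risk one because the missing SOC 2 Type II report and the unconfirmed prompt-data handling are blocking gaps, while ContractAI Pro is approved for legal data with its annual reassessment falling due in March 2027.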
Example Implementation
Enterprise evaluating an AI-powered contract analysis vendor for their legal team
AI Vendor Assessment — ContractAI Pro (excerpt)
Assessment date: 2026-03-15 · Assessors: Procurement, CISO Office, Legal
Security and compliance:
| Criterion | Requirement | Vendor Response | Status |
|---|---|---|---|
| Data encryption | AES-256 at rest, TLS 1.3 in transit | Confirmed; SOC 2 Type II covers this | Pass |
| SOC 2 Type II | Required for legal data processing | Current report (2025-08) provided | Pass |
| Prompt data use | No training use of customer prompts | Confirmed in DPA; zero-retention API available | Pass |
| Model transparency | Disclose model provider and version | Uses GPT-4o via Azure OpenAI; notified of updates with 14 days' notice | Pass |
| Data residency | EU data processing in EU | EU instance available; selected in contract | Pass |
| Incident notification | Notify within 24 hours of security incident | SLA confirmed in contract | Pass |
AI governance assessment:
- Vendor's own AI governance: SOC 2 covers AI-related controls; no dedicated AI governance framework disclosed
- Subprocessors: Azure OpenAI (EU) · Confirmed in DPA subprocessor list
Recommendation: Approved for use with legal document analysis (non-adversarial documents only) · Annual reassessment due 2027-03
Control Details
- Control ID: PRC-001
- Domain: Procurement
- Typical owner: Procurement / CISO / Legal
- Implementation effort: Medium effort
- Agent-relevant: No
