Procurement
Operational controls for procurement — with maturity levels, evidence requirements, and implementation guidance.
15 controls
AI Vendor Due Diligence
Assess AI vendors against security, governance, and compliance criteria before procurement and at defined intervals during the vendor relationship.
AI Contractual Requirements
Define minimum contractual provisions that must be present in agreements with AI vendors, covering data handling, transparency, audit rights, and incident notification.
Third-Party AI Model Evaluation
Evaluate third-party AI models against defined performance, safety, and bias criteria before deploying them in enterprise workflows.
Vendor AI Incident Notification Requirements
Require AI vendors to notify the organization of incidents affecting their AI systems within defined timeframes and with specified information.
AI Procurement Risk Assessment
Assess and document the risks of procuring an AI system or service before approval, including technical, legal, privacy, and operational risks.
Vendor Safety Commitment Verification
Establish a workflow to verify that AI vendors are honoring their published safety commitments, voluntary pledges, and contractual safety obligations on an ongoing basis — not only at the time of procurement.
Vendor Governance Change Monitoring
Monitor material changes to AI vendors' governance structures, safety leadership, and organizational policies that may affect the risk profile of deployed systems.
Vendor Model Update Disclosure and Re-Assessment Protocol
Require AI vendors to disclose material model updates, including capability changes, safety evaluation results, and model card revisions, and establish an internal re-assessment trigger process so that vendor model changes do not nullify the organization's prior due diligence.
AI Vendor Concentration Risk Assessment
Assess and manage the risk arising from organizational dependence on a small number of AI vendors or underlying model providers, and maintain a documented supplier redundancy posture to ensure operational continuity if a primary vendor is disrupted, suspends access, or becomes unavailable.
AI Vendor Financial Stability Assessment
Assess the financial stability and organizational viability of AI vendors as part of vendor selection and periodic due diligence, applying criteria calibrated to the current market environment including consolidation pressure, regulatory cost exposure, and dependence on continued investor funding.
Federal AI Procurement Submission and Review Process
Establish an internal process for meeting AI vendor submission requirements under federal procurement rules, and monitor the transition of voluntary pre-deployment evaluation commitments to mandatory requirements so that procurement workflows remain compliant as the regulatory baseline shifts.
AI Safety Index and Benchmark Monitoring
Track external AI safety indices, benchmark ratings, and third-party evaluation results for AI vendors and models used by the organization, and incorporate material findings into the vendor risk assessment and re-assessment cycle.
AI Platform Conflict-of-Interest Assessment
Assess and manage conflicts of interest that arise when an AI vendor both develops or deploys AI models and provides the oversight tooling, monitoring, or safety evaluation services used to govern those same models, ensuring governance decisions are not structurally dependent on vendor-controlled inputs.
Shadow AI and Third-Party Widget Inventory and Classification
Detect and classify AI capabilities embedded in third-party SaaS tools, browser extensions, and client-side scripts operating within the organization's environment, and apply appropriate data processor and vendor risk controls to these shadow AI vectors.
Procurement-Stage AI Governance Conditions
Establish governance preconditions that must be satisfied before AI system procurement is completed, including binding contractual commitments to governance standards, whistleblowing policy requirements, and internal approval workflow triggers that make governance a dependency of procurement rather than a post-hoc addition.
