Procurement
Operational controls for procurement — with maturity levels, evidence requirements, and implementation guidance.
Not sure where to start? Answer 3 questions and get a tailored compliance action plan.
What applies to me? →9 controls matching filters
AI Vendor Due Diligence
Assess AI vendors against security, governance, and compliance criteria before procurement and at defined intervals during the vendor relationship.
AI Contractual Requirements
Define minimum contractual provisions that must be present in agreements with AI vendors, covering data handling, transparency, audit rights, and incident notification.
AI Procurement Risk Assessment
Assess and document the risks of procuring an AI system or service before approval, including technical, legal, privacy, and operational risks.
Vendor Safety Commitment Verification
Establish a workflow to verify that AI vendors are honoring their published safety commitments, voluntary pledges, and contractual safety obligations on an ongoing basis — not only at the time of procurement.
Vendor Model Update Disclosure and Re-Assessment Protocol
Require AI vendors to disclose material model updates, including capability changes, safety evaluation results, and model card revisions, and establish an internal re-assessment trigger process so that vendor model changes do not nullify the organization's prior due diligence.
AI Vendor Concentration Risk Assessment
Assess and manage the risk arising from organizational dependence on a small number of AI vendors or underlying model providers, and maintain a documented supplier redundancy posture to ensure operational continuity if a primary vendor is disrupted, suspends access, or becomes unavailable.
Federal AI Procurement Submission and Review Process
Establish an internal process for meeting AI vendor submission requirements under federal procurement rules, and monitor the transition of voluntary pre-deployment evaluation commitments to mandatory requirements so that procurement workflows remain compliant as the regulatory baseline shifts.
Shadow AI and Third-Party Widget Inventory and Classification
Detect and classify AI capabilities embedded in third-party SaaS tools, browser extensions, and client-side scripts operating within the organization's environment, and apply appropriate data processor and vendor risk controls to these shadow AI vectors.
Procurement-Stage AI Governance Conditions
Establish governance preconditions that must be satisfied before AI system procurement is completed, including binding contractual commitments to governance standards, whistleblowing policy requirements, and internal approval workflow triggers that make governance a dependency of procurement rather than a post-hoc addition.
