AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← All controls
PRC

Procurement

Operational controls for procurement — with maturity levels, evidence requirements, and implementation guidance.

Not sure where to start? Answer 3 questions and get a tailored compliance action plan.

What applies to me? →

9 controls matching filters

PRC-001
medium

AI Vendor Due Diligence

Assess AI vendors against security, governance, and compliance criteria before procurement and at defined intervals during the vendor relationship.

PRC-002
medium

AI Contractual Requirements

Define minimum contractual provisions that must be present in agreements with AI vendors, covering data handling, transparency, audit rights, and incident notification.

PRC-005
medium

AI Procurement Risk Assessment

Assess and document the risks of procuring an AI system or service before approval, including technical, legal, privacy, and operational risks.

PRC-006
medium

Vendor Safety Commitment Verification

Establish a workflow to verify that AI vendors are honoring their published safety commitments, voluntary pledges, and contractual safety obligations on an ongoing basis — not only at the time of procurement.

PRC-008
medium

Vendor Model Update Disclosure and Re-Assessment Protocol

Require AI vendors to disclose material model updates, including capability changes, safety evaluation results, and model card revisions, and establish an internal re-assessment trigger process so that vendor model changes do not nullify the organization's prior due diligence.

PRC-009
medium

AI Vendor Concentration Risk Assessment

Assess and manage the risk arising from organizational dependence on a small number of AI vendors or underlying model providers, and maintain a documented supplier redundancy posture to ensure operational continuity if a primary vendor is disrupted, suspends access, or becomes unavailable.

PRC-011
medium

Federal AI Procurement Submission and Review Process

Establish an internal process for meeting AI vendor submission requirements under federal procurement rules, and monitor the transition of voluntary pre-deployment evaluation commitments to mandatory requirements so that procurement workflows remain compliant as the regulatory baseline shifts.

PRC-014
medium

Shadow AI and Third-Party Widget Inventory and Classification

Detect and classify AI capabilities embedded in third-party SaaS tools, browser extensions, and client-side scripts operating within the organization's environment, and apply appropriate data processor and vendor risk controls to these shadow AI vectors.

PRC-015
medium

Procurement-Stage AI Governance Conditions

Establish governance preconditions that must be satisfied before AI system procurement is completed, including binding contractual commitments to governance standards, whistleblowing policy requirements, and internal approval workflow triggers that make governance a dependency of procurement rather than a post-hoc addition.