Vendor Safety Commitment Verification
Establish a workflow to verify that AI vendors are honoring their published safety commitments, voluntary pledges, and contractual safety obligations on an ongoing basis — not only at the time of procurement.
Objective
Detect when AI vendors materially change their safety practices, fail to fulfill their commitments, or when voluntary commitments that informed procurement decisions are downgraded or abandoned.
Maturity Levels
Initial
Vendor safety commitments are reviewed at procurement only; no ongoing verification process exists.
Developing
Safety commitments are tracked informally; changes are noticed reactively through news monitoring.
Defined
A structured review process verifies key vendor safety commitments on a defined cadence; material changes trigger a re-assessment of the vendor relationship.
Managed
Verification results are tracked and reported; contracts include clauses requiring vendors to give notice of material changes to safety practices or governance.
Optimizing
Verification is continuous; automated signals (safety research publications, regulatory filings, news monitoring) feed into a live vendor risk profile.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Vendor safety commitment register documenting commitments made at procurement and their current verified status
- Verification review records showing periodic assessment of each tracked commitment
- Contract clauses requiring vendor notification of material safety changes
- Re-assessment records triggered by material vendor changes
- Process documentation for continuous monitoring of vendor safety developments
Implementation Notes
Key steps
- At procurement, document the specific safety commitments that informed the vendor selection decision (published safety policies, voluntary pledges, third-party audit results, model cards).
- Establish a verification cadence: review each commitment annually at minimum, and monitor continuously for material changes.
- Identify observable proxies for commitment fulfillment: safety team headcount, publication of safety research, third-party audit certifications, regulatory filings.
- Include contractual notification requirements: vendors should be obligated to inform you when they materially change safety policies, alter their model governance structures, or withdraw from voluntary commitment schemes.
- Build a decision framework for what constitutes a material change that would trigger a vendor re-assessment or contract review.
Example Implementation
Enterprise with three foundation model API providers
Vendor Safety Commitment Register — Q2 2026 Review
| Vendor | Commitment | Source | Verified | Status | Notes |
|---|---|---|---|---|---|
| Vendor A | Annual third-party safety audit | Published policy | 2026-04-10 | Confirmed | Audit report published March 2026 |
| Vendor A | Voluntary government safety pledge | Public pledge | 2026-04-10 | Confirmed | Still listed on government registry |
| Vendor B | Model card publication for all production models | API docs | 2026-04-12 | Partial | Model card missing for v3.1 released Feb 2026 — following up |
| Vendor C | 30-day notice of major model changes | Contract §8.2 | 2026-04-15 | Confirmed | No major model changes this quarter |
Action: Follow up with Vendor B re: missing model card. Escalate to legal if not resolved by 2026-05-15.
