
AI Vendor Security Assessment Questionnaire

50+ questions to evaluate any AI vendor before procurement. Free to use and customise.

Updated March 2026 - 5 domains - Governance, data handling, security controls, model security, compliance

At a glance: 50+ assessment questions - 5 coverage domains - 4 risk scoring levels - free to use and customise

Why AI Vendor Security Matters

When your team adopts an AI vendor, they are handing over some of the most sensitive data in your organisation - prompts containing customer records, financial analysis, legal documents, and intellectual property. Most procurement teams use standard vendor security questionnaires that were designed long before AI tools existed.

The risk is real: shadow AI adoption is outpacing procurement controls. Employees are using AI tools before security teams have assessed them. Vendors are training models on customer data without clear disclosure. And regulatory exposure from AI-related data breaches is growing as GDPR enforcement, the EU AI Act, and the Australian Privacy Act are all increasingly applied to AI processing.

This questionnaire gives security teams, CISOs, and procurement leads the AI-specific questions that standard frameworks miss. Use it before signing any contract with an AI vendor, and revisit it annually or after significant vendor changes.

Shadow AI Risk
Employees may already use the vendor without IT approval - assess the threat surface before procurement.
Data Leakage
AI vendors may retain, log, or train on your data. Know exactly what happens to your inputs.
Regulatory Exposure
GDPR, AU Privacy Act, and the EU AI Act create real liability for AI data processing. Assess before you sign.

The 50-Question Assessment

The questions are grouped into five sections. Score each section from 0 to 10 based on the completeness and credibility of the vendor's responses and the evidence supplied to back them.

1. Does the vendor have a published AI ethics or responsible AI policy?
2. Who is accountable for AI governance at the vendor? (CAIO, CTO, dedicated team?)
3. Does the vendor maintain an AI risk register or inventory of AI systems?
4. Do they publish model cards or transparency reports for their AI models?
5. Is there an AI incident disclosure process - will they notify you of AI-related security events?
6. What is their policy on using customer data for model training or fine-tuning?
7. Do they have a process for human oversight of high-stakes AI decisions?
8. Have they conducted an AI impact assessment or ethical review?
9. Is there a process for customers to contest or appeal AI-generated decisions?
10. Do they have a documented AI change management process for model updates?

Scoring Guide

Score each of the five sections from 0 to 10 based on the quality and completeness of vendor responses. Add the scores for a total out of 50. Use the table below to determine your procurement recommendation.

Total score - Risk level - Procurement recommendation
45-50 - Low Risk - Proceed with procurement
35-44 - Medium Risk - Negotiate additional controls before signing
25-34 - High Risk - Escalate to CISO - remediation plan required
Below 25 - Very High Risk - Do not proceed without a formal remediation plan

How to use this scoring guide

A total score is a starting point, not a final decision. A vendor scoring 40 overall may still have a critical gap in data handling that creates regulatory risk. Always review individual section scores and flag any question where the vendor provides no evidence or declines to answer - these are your highest-risk areas regardless of total score.
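The scoring rule above (five sections at 0 to 10, summed to a total out of 50 and mapped to four risk bands) together with the caveat that unanswered questions and weak individual sections outrank the total is easy to get wrong in a spreadsheet. The following is an added example, not part of the questionnaire or any vendor's tooling, that encodes the guide as written and demonstrates the "vendor scoring 40 with a critical data-handling gap" case. The section identifiers, the threshold at which a section counts as a critical gap (4 or below), the per-question "no evidence" flags and the decision to hold Low/Medium band recommendations until flagged gaps are resolved are assumptions made for illustration; the band boundaries and recommendations are the guide's own.

```python
"""Score an AI vendor security assessment per the scoring guide.

Added example; not the questionnaire's own tooling. Band boundaries and
recommendations come from the guide. SECTIONS, CRITICAL_SECTION_SCORE, the
per-question unanswered flags and the hold-before-signing rule are assumptions.
"""
from dataclasses import dataclass, field

# The five domains named on the page; identifiers are an assumption.
SECTIONS = ("governance", "data_handling", "security_controls",
            "model_security", "compliance")
MAX_SECTION_SCORE = 10
# Assumption: a section at or below this score is a critical gap even when
# the total lands in a comfortable band.
CRITICAL_SECTION_SCORE = 4

# (lower bound of total, risk level, recommendation) from the scoring guide.
BANDS = (
    (45, "Low Risk", "Proceed with procurement"),
    (35, "Medium Risk", "Negotiate additional controls before signing"),
    (25, "High Risk", "Escalate to CISO - remediation plan required"),
    (0, "Very High Risk", "Do not proceed without a formal remediation plan"),
)


@dataclass
class Assessment:
    vendor: str
    scores: dict                       # section id -> 0..10
    # section id -> question numbers where the vendor gave no evidence or
    # declined to answer (assumption: tracked per question).
    unanswered: dict = field(default_factory=dict)


def validate(a: Assessment) -> None:
    """Reject incomplete or out-of-range section scores before summing."""
    missing = set(SECTIONS) - set(a.scores)
    if missing:
        raise ValueError(f"missing section scores: {sorted(missing)}")
    for name, score in a.scores.items():
        if name not in SECTIONS:
            raise ValueError(f"unknown section: {name}")
        if not 0 <= score <= MAX_SECTION_SCORE:
            raise ValueError(f"{name} score {score} outside 0..{MAX_SECTION_SCORE}")


def total_score(a: Assessment) -> int:
    validate(a)
    return sum(a.scores[s] for s in SECTIONS)


def risk_band(total: int) -> tuple:
    """Map a total out of 50 to (risk level, recommendation)."""
    if not 0 <= total <= MAX_SECTION_SCORE * len(SECTIONS):
        raise ValueError(f"total {total} out of range")
    for lower, label, recommendation in BANDS:
        if total >= lower:
            return label, recommendation
    raise AssertionError("unreachable: band table covers 0..50")


def critical_gaps(a: Assessment) -> list:
    """Flag weak sections and unanswered questions regardless of total."""
    gaps = []
    for s in SECTIONS:
        if a.scores[s] <= CRITICAL_SECTION_SCORE:
            gaps.append(f"{s} scored {a.scores[s]}/{MAX_SECTION_SCORE}")
        for q in a.unanswered.get(s, []):
            gaps.append(f"{s} Q{q}: no evidence or declined to answer")
    return gaps


def evaluate(a: Assessment) -> dict:
    total = total_score(a)
    label, recommendation = risk_band(total)
    gaps = critical_gaps(a)
    # Assumption: a Low/Medium band does not clear a vendor with open gaps.
    if gaps and label in ("Low Risk", "Medium Risk"):
        action = "Resolve flagged gaps before signing: " + "; ".join(gaps)
    else:
        action = recommendation
    return {"vendor": a.vendor, "total": total, "band": label,
            "recommendation": recommendation, "gaps": gaps, "action": action}


# Constructed sample: totals 40 (Medium Risk) but data handling is weak and
# governance Q6 (customer data used for training?) went unanswered.
EXAMPLE = Assessment(
    vendor="ExampleAI (constructed)",
    scores={"governance": 8, "data_handling": 4, "security_controls": 10,
            "model_security": 9, "compliance": 9},
    unanswered={"governance": [6]},
)

if __name__ == "__main__":
    for k, v in evaluate(EXAMPLE).items():
        print(f"{k}: {v}")
```

Running it shows the point the guide makes: the total alone would say "Negotiate additional controls", while the per-section and per-question view surfaces the training-data question and the weak data-handling section as the items to settle first.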

Get the Full Questionnaire as a PDF

Download the complete AI vendor security questionnaire as a formatted PDF ready to send to your vendors. Includes scoring columns, guidance notes, and evidence request checklist.
