AI Vendor Due Diligence: What to Ask Before Procuring Any AI System
Most enterprise AI is now procured, not built. Third-party AI creates governance obligations you must own — you cannot outsource AI accountability to your vendor. Here is the due diligence framework.
Key Takeaways
EU AI Act Articles 25–26 establish that deployers of high-risk AI are responsible for governance regardless of whether the AI was built by a vendor — accountability cannot be contractually outsourced to the provider.
APRA's CPS 230 (effective July 2025) requires regulated entities to maintain visibility and control over material services including AI-powered services.
Key vendor AI due diligence questions: what AI capabilities are in the product, what data the vendor trains on, what bias and accuracy testing has been conducted, and whether the vendor has its own AI governance framework.
AI-specific contract provisions: AI capability disclosure obligations, training data restrictions, right to audit bias audits and accuracy testing, and liability allocation for AI errors.
Vendors unwilling to provide access to bias audit results and accuracy testing documentation should be treated as higher risk.
Ongoing monitoring matters as much as initial due diligence — AI systems update frequently without customer notification. Assign a designated owner for vendor AI governance re-assessment.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."
The third-party AI accountability problem
Regulators are clear that accountability for AI cannot be outsourced. The EU AI Act Articles 25–26 (value chain responsibilities and deployer obligations), APRA's CPS 230, FCA outsourcing guidance, and ASIC's operational resilience expectations all establish that organisations remain accountable for AI they deploy regardless of who built it.
What to assess in vendor AI due diligence
AI capability transparency: what AI does the product actually use?
Training data: does the vendor use your data to train its models? Most standard SaaS terms permit this, so restrict it explicitly in the contract if that is a concern.
Accuracy and bias testing: can the vendor produce documentation of the bias and accuracy testing it has conducted?
AI governance framework: does the vendor have its own AI governance programme?
AI-specific contract provisions
Negotiate beyond standard contracts: AI capability disclosure obligations (notification of material AI changes); training data restrictions (prohibition on using your data to train models without consent); right to audit bias audits and accuracy testing; liability allocation for AI errors; and Data Processing Agreements for AI involving personal data. Assign a designated owner for ongoing vendor AI governance monitoring with authority to escalate concerns.