Back to Insights

Governance 9 min read 2026

AI Vendor Due Diligence: What to Ask Before Procuring Any AI System

Most enterprise AI is now procured, not built. Third-party AI creates governance obligations you must own — you cannot outsource AI accountability to your vendor. Here is the due diligence framework.

A

AIRiskAware

Specialist AI Risk Governance & Compliance

Share

AI Vendor Due Diligence: What to Ask Before Procuring Any AI System

Key Takeaways

EU AI Act Articles 25–26 establish that deployers of high-risk AI are responsible for governance regardless of whether the AI was built by a vendor — accountability cannot be contractually outsourced to the provider.
APRA's CPS 230 (effective July 2025) requires regulated entities to maintain visibility and control over material services including AI-powered services.
Key vendor AI due diligence questions: what AI capabilities are in the product, what data the vendor trains on, what bias and accuracy testing has been conducted, and whether the vendor has its own AI governance framework.
AI-specific contract provisions: AI capability disclosure obligations, training data restrictions, right to audit bias audits and accuracy testing, and liability allocation for AI errors.
Vendors unwilling to provide access to bias audit results and accuracy testing documentation should be treated as higher risk.
Ongoing monitoring matters as much as initial due diligence — AI systems update frequently without customer notification. Assign a designated owner for vendor AI governance re-assessment.

Important: This content is AI-assisted and under ongoing accuracy review

Articles on AIRiskAware are drafted with AI assistance to summarise complex regulatory landscapes. Specific facts (dates, fine amounts, statute references, case citations) may contain errors. Do not rely on this content for legal, regulatory, financial, or professional decisions. Always verify directly against primary sources (regulator websites, official legislation) or consult a qualified specialist.

Spotted an error? Please report it — we review and correct promptly.

The third-party AI accountability problem

Regulators are clear that accountability for AI cannot be outsourced. The EU AI Act Articles 25–26 (value chain responsibilities and deployer obligations), APRA's CPS 230, FCA outsourcing guidance, and ASIC's operational resilience expectations all establish that organisations remain accountable for AI they deploy regardless of who built it.

What to assess in vendor AI due diligence

AI capability transparency: what AI does the product actually use? Training data: does the vendor use your data to train its models? Most standard SaaS terms allow this — restrict it explicitly if it concerns you. Accuracy and bias testing: can the vendor produce documentation? AI governance framework: does the vendor have its own AI governance programme?

AI-specific contract provisions

Negotiate beyond standard contracts: AI capability disclosure obligations (notification of material AI changes); training data restrictions (prohibition on using your data to train models without consent); right to audit bias audits and accuracy testing; liability allocation for AI errors; and Data Processing Agreements for AI involving personal data. Assign a designated owner for ongoing vendor AI governance monitoring with authority to escalate concerns.

Stay ahead of AI governance

Regulatory updates, practical frameworks, and new articles — free, monthly. No spam.

No spam. Unsubscribe anytime. We'll never share your email.

Work with AIRiskAware

Specialist AI risk governance and compliance advisory for enterprise organisations and businesses of all sizes.

Found this useful? Share it.

Share on LinkedIn

Related articles

AI Controls Framework: The Practical Guide for Enterprise Risk and Compliance Teams

Governance 12 min read

AI Controls Framework: The Practical Guide for Enterprise Risk and Compliance Teams

AI Internal Audit: What Audit Committees Should Demand and How to Test AI Controls

Governance 11 min read

AI Internal Audit: What Audit Committees Should Demand and How to Test AI Controls

Third-Party AI Controls: The Vendor Management Framework for AI Risk

Governance 9 min read

Third-Party AI Controls: The Vendor Management Framework for AI Risk

More from AIRiskAware

Practical AI governance guidance for organisations at every stage.

All Insights Free Assessment