Framework: Procurement, legal, risk

AI Vendor Due Diligence Framework

Structured questionnaire for assessing third-party AI vendors before procurement. Covers technical documentation, bias testing, data processing, and contractual protections.

About this resource

Most enterprise AI risk does not come from AI you build but from AI embedded in software you buy. Under the EU AI Act, deployer obligations cannot be contracted away. This framework gives procurement, legal, and risk teams a structured assessment to apply before signing any AI vendor contract.

What this resource covers

  • Vendor governance maturity assessment (50+ questions)
  • Technical documentation requirements (what to demand)
  • Bias and fairness testing review framework
  • Data processing assessment (training data use, residency, retention)
  • Incident response capability assessment
  • Required contract terms: audit rights, notification, change management
  • Concentration risk evaluation worksheet
  • Red flag indicators that should trigger deeper review

Who it's for

  • Procurement teams buying AI-powered software
  • Legal counsel reviewing AI vendor contracts
  • Risk officers managing third-party AI exposure
  • CISO and CTO teams assessing AI supply chain

Read the detail on-site

The full analysis behind this resource is published in our insights, each linked to primary regulatory sources.

Put it to work

See where you stand

Take the free 7-question AI governance maturity assessment. It runs entirely in your browser and gives you a tailored view of your gaps in about three minutes.


Everything here is free and on this site, no sign-up, no download required.