AI vendor risk questionnaire
Last reviewed: June 18, 2026 by Grant Holloway.
AI Vendor Risk Questionnaire
AI vendor risk review should identify whether third-party tools use AI, how data is handled, how models are controlled, and what evidence the vendor can provide. A good questionnaire turns a vague vendor claim about AI into reviewable evidence for procurement, third-party risk, compliance, information security, and model risk teams.
Free resource
Get the free AI vendor risk questionnaire checklist
Send yourself the vendor AI review checklist covering model transparency, data use, monitoring, contracts, and evidence requests.
We'll email the requested resource and may send governance updates. Unsubscribe any time. See our privacy policy and terms.
Core vendor questions
Teams should ask whether AI is embedded in the product, what data is used, whether outputs affect customers, how performance is monitored, and what audit rights exist. The questionnaire should also ask how the vendor manages model changes, data retention, explainability, exceptions, incidents, and subcontractors.
- Is AI used in the product or service?
- What data is used for training, tuning, or outputs?
- Are customer-impacting decisions explainable?
- How are changes, drift, and exceptions monitored?
- What evidence can the vendor provide?
Evidence to request
Request documentation that matches the risk of the tool. A high-impact vendor AI model may require model documentation, validation or testing summaries, monitoring metrics, data-use descriptions, security controls, incident history, change-management records, and contractual commitments. Lower-risk productivity tools may only require acceptable-use, data-handling, and security evidence.
- AI feature inventory and intended-use statement.
- Data input, retention, training, and confidentiality documentation.
- Performance, drift, explainability, fairness, or quality monitoring evidence.
- Change-notification, incident-response, audit-right, and termination language.
How to score vendor responses
Do not score every missing answer the same way. Missing monitoring evidence for a customer-impacting model is more serious than missing a marketing description for a low-risk summarization feature. Tie scoring to use case, data sensitivity, customer impact, operational criticality, and whether the institution can compensate with internal controls.
Find My Top Governance Gaps
Take the free assessment to turn this topic into a readiness score, domain-level results, and prioritized gap summary.
Get My Free AI Governance ScoreImportant limitation
AI Vendor Risk Questionnaire is an informational planning resource for regulated financial institutions. It does not determine legal compliance, regulatory sufficiency, audit conclusions, supervisory outcomes, model validation status, privacy compliance, security adequacy, or control effectiveness. Institutions should adapt the guidance to their use cases, vendors, data, governance structure, and risk profile with qualified legal, compliance, audit, security, privacy, and model risk advisors.
Last reviewed: June 18, 2026 by Grant Holloway. Review scope: regulatory currency, practical applicability for financial institutions, and alignment with the AegisAI governance methodology.