Third-Party AI Risk Assessment Questionnaire for Financial Institutions
AI-enabled vendors can create model, data, privacy, security, operational, and consumer compliance risk before an institution has full visibility into how the system works. A dedicated questionnaire helps teams ask the AI-specific questions that generic vendor forms miss.
Use this page as a preview of a third-party AI risk assessment questionnaire for banks, credit unions, and fintechs. The full Starter Kit includes a complete 40-question version with evidence prompts, response fields, scoring, and remediation tracking.
Why third-party AI risk is different
Third-party AI risk is different because the institution may rely on a model it did not build, data it cannot fully inspect, and updates it does not control. A vendor may change model features, retrain on new data, add subcontractors, adjust thresholds, or introduce generative AI functionality in ways that affect the institution's risk profile.
Traditional vendor review often emphasizes financial health, information security, privacy, business continuity, and contract terms. Those still matter. AI review adds questions about model purpose, intended use, limitations, validation, performance monitoring, fairness, explainability, data training restrictions, and evidence access.
The institution remains responsible for managing the risk of the activity. If the vendor supports customer decisions, compliance controls, fraud detection, AML alerting, cybersecurity, or critical operations, the vendor file should contain AI-specific evidence, not only generic security documentation.
Regulatory context
OCC Bulletin 2023-17 and the interagency third-party risk management guidance describe a risk-based life cycle for third-party relationships: planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination. AI-enabled vendors should be evaluated through that life cycle with questions calibrated to the use case and criticality.
For model-driven vendor tools, model risk governance also matters. Current model risk language should reflect SR 26-2 and OCC Bulletin 2026-13 where applicable, while SR 11-7 continuity mapping can help institutions connect older policies and validation procedures to current AI review.
A questionnaire does not prove compliance by itself. It creates a documented basis for due diligence, contract negotiation, monitoring, issue tracking, and escalation. The completed responses should be reviewed by the appropriate mix of vendor management, information security, privacy, model risk, compliance, legal, business owners, and audit.
How to use the questionnaire
Start by classifying the vendor relationship. Determine whether the AI tool supports a critical activity, customer-facing process, regulated decision, compliance function, security function, or sensitive data flow. The risk tier should determine how much evidence you request and who reviews it.
Send the questionnaire before contract approval, renewal, or material expansion. Ask the vendor to provide evidence, not only narrative answers. Useful evidence may include model documentation, validation summaries, SOC reports, data processing terms, security architecture, incident procedures, monitoring reports, and change management notices.
Turn incomplete answers into action. Missing documentation, weak audit rights, unclear data reuse terms, absent monitoring, and vague incident notification timelines should become contract asks, remediation items, or approval conditions.
15 key questions to ask AI vendors
These sample questions are drawn from the vendor and third-party AI risk domain. Use them to supplement your existing vendor questionnaire or to scope a deeper review before onboarding or renewal.
1. Where is AI, machine learning, automated decisioning, or generative AI used in the product?
2. What is the intended use of the AI system, and what uses are prohibited or unsupported?
3. Does the vendor provide model documentation, limitations, assumptions, and performance evidence?
4. What data is processed, stored, logged, or transmitted by the AI system?
5. Is institution or customer data used to train, tune, evaluate, or improve vendor models?
6. What security controls protect prompts, outputs, embeddings, logs, training data, and access?
7. How does the vendor test for bias, fairness, explainability, and customer-impacting errors?
8. What monitoring detects model drift, degraded performance, exceptions, and inaccurate outputs?
9. How are model changes, retraining, feature changes, and new data sources communicated?
10. What audit rights, examiner support, and evidence access are available to the institution?
11. Which subcontractors or foundation model providers support the AI functionality?
12. What incident notification timeline applies to AI failures or data exposure?
13. What contractual restrictions apply to data reuse, retention, confidentiality, and deletion?
14. What business continuity, exit, and data return support would apply at termination?
15. Who at the vendor is accountable for AI governance, compliance, security, and model oversight?
Download the complete 40-question questionnaire
The Starter Kit includes a 40-question AI vendor questionnaire with evidence prompts, response fields, scoring, and remediation tracking so vendor management, security, model risk, legal, and compliance teams can review the same facts.
FAQ
What is a third-party AI risk assessment questionnaire?
It is a structured set of due-diligence questions sent to an AI-enabled vendor before onboarding, renewal, material change, or expansion. It asks for evidence on model transparency, data practices, security, compliance, monitoring, contracts, and exit support.
How is this different from a normal vendor questionnaire?
A normal vendor questionnaire may cover security, privacy, financial health, and business continuity. An AI questionnaire adds model documentation, intended use, validation, explainability, bias testing, drift monitoring, data training restrictions, and AI change management.
When should a vendor receive the full 40-question version?
Use the full questionnaire for high-risk or critical AI vendors, customer-impacting tools, credit or fraud systems, compliance monitoring, security tools, and vendors that process sensitive data or support material business operations.
Which guidance is most relevant for third-party AI risk?
OCC Bulletin 2023-17 and the interagency third-party risk management guidance are central for vendor life-cycle controls. Model-related vendor tools should also connect to current model risk governance expectations and legacy SR 11-7 mapping where applicable.
Make vendor AI review evidence-based.
Start with the free governance assessment, then use the third-party questionnaire to turn vendor AI uncertainty into documented due diligence, contract asks, monitoring requirements, and remediation work.
Important limitation
This resource is for informational and educational purposes only. It does not constitute legal, regulatory, audit, supervisory, model validation, privacy, security, or compliance advice. Institutions should consult qualified counsel and risk, compliance, audit, privacy, security, and model risk professionals regarding their specific obligations.
- Tier vendors before choosing questionnaire depth.
- Request evidence, not only narrative assurances.
- Document unresolved AI vendor gaps.
- Refresh the questionnaire after material vendor changes.