AI vendor questionnaire
AI vendor questionnaire
Questions to ask AI vendors about prompts, files, outputs, training use, retention, deletion, subprocessors, and enterprise controls.
Buyer
IT, security, procurement, privacy, operations, and AI governance teams
Problem
Generic vendor questionnaires often miss AI-specific data use, model training, output handling, and embedded third-party model dependencies.
What to look for
- Questions for prompts, files, outputs, embeddings, metadata, logs, and feedback.
- Evidence requests covering retention, deletion, training opt-out, subprocessors, audit logs, SSO, and role controls.
- Approval bands that define when a tool can be approved, piloted, deferred, or blocked.
Red flags
- The vendor cannot explain whether customer data is used for training.
- No retention or deletion commitment exists for uploaded content.
- The review ignores third-party model providers and subprocessors.
FAQ
Why not use a normal security questionnaire?
AI tools introduce specific risks around prompts, uploaded files, outputs, feedback, model training, and downstream model providers.
Should every AI vendor be blocked until review is complete?
Low-risk pilots can sometimes proceed with limits, but sensitive data or high-impact workflows need stronger evidence first.