AI vendor questionnaire

AI vendor questionnaire

Questions to ask AI vendors about prompts, files, outputs, training use, retention, deletion, subprocessors, and enterprise controls.

Buyer

IT, security, procurement, privacy, operations, and AI governance teams

Problem

Generic vendor questionnaires often miss AI-specific data use, model training, output handling, and embedded third-party model dependencies.

What to look for

  • Questions for prompts, files, outputs, embeddings, metadata, logs, and feedback.
  • Evidence requests covering retention, deletion, training opt-out, subprocessors, audit logs, SSO, and role controls.
  • Approval bands that define when a tool can be approved, piloted, deferred, or blocked.

Red flags

  • The vendor cannot explain whether customer data is used for training.
  • No retention or deletion commitment exists for uploaded content.
  • The review ignores third-party model providers and subprocessors.

FAQ

Why not use a normal security questionnaire?

AI tools introduce specific risks around prompts, uploaded files, outputs, feedback, model training, and downstream model providers.

Should every AI vendor be blocked until review is complete?

Low-risk pilots can sometimes proceed with limits, but sensitive data or high-impact workflows need stronger evidence first.