AI vendors are not “just software vendors.” The moment a product includes AI, especially generative AI, you inherit new risk categories that change over time: data retention and training exposure, opaque behavior, rapid feature releases, auditability gaps, and fuzzy incident response.
This post is a practical AI vendor due diligence worksheet you can use immediately whether you’re buying a standalone AI tool or approving an “AI add-on” inside an existing enterprise platform.
Use the full scorecard: For a structured review template with scoring categories, evidence requests, and go/no-go guidance, use the AI Vendor Due Diligence Scorecard.
Why AI Vendor Due Diligence Is Different
Here’s what changes when “AI” shows up in a contract or product roadmap:
- Data exposure changes. Prompts, files, and outputs may be retained, reviewed, or used to improve models; sometimes by default.
- Behavior changes over time. The same workflow can produce different answers after model updates.
- Features ship fast (and can be on by default). Your governance can be bypassed by a release toggle.
- Outputs can be wrong while sounding confident. That’s a quality problem and a risk problem.
- Auditability often lags adoption. Teams adopt first; controls and logs come later, if ever.
The devil is in the details: you need evidence-backed answers on data handling, controls, logging, and change management.
Before You Start: Define Your Use Case and Risk Tier
Good AI vendor due diligence starts with context. Otherwise you’ll collect PDFs and still not know if the tool is safe for your use.
Mini checklist (answer these first)
- What data touches the tool? (PII, client confidential, regulated, internal-only)
- Who uses it? (which roles, contractors, external users)
- Where do outputs go? (internal drafts, client-facing deliverables, systems of record)
- What’s the impact if it’s wrong? (low annoyance vs financial/compliance harm)
- Can it take actions automatically? (email, file access, workflow triggers, write-back)
Risk tiers (simple):
- Low: internal drafting, no sensitive data, no automation.
- Medium: decision support, limited sensitivity, internal distribution.
- High: client-facing outputs, sensitive data, regulated environment, or automation/integrations.
Your risk tier determines how strict your evidence requirements should be.
The Questions Most Teams Forget
A useful AI vendor review should force evidence, not vague reassurance. Ask questions that produce documents, screenshots, log samples, contract language, or a clear escalation path.
- Data handling: Is customer data used to train models? What is retained, for how long, and how is deletion verified?
- Security and access: Does the platform support SSO, RBAC, MFA, sharing restrictions, and an admin kill switch for AI features?
- Auditability: Can activity, prompts, outputs, exports, and admin changes be traced and exported for investigation?
- Model and feature changes: How are model updates, default-on AI features, and new integrations announced or controlled?
- Quality controls: How does the vendor test for regressions, hallucinations, citation failures, unsafe behavior, and human review workflows?
- Incident response: What notification timelines, support paths, escalation contacts, and post-incident evidence will the vendor provide?
- Legal and IP terms: Who owns outputs, what reuse rights exist, and where are training, retention, and subprocessor obligations stated?
Evidence To Save Before Approval
AI vendor due diligence should leave behind a decision record. Save the vendor answers, contract excerpts, data-processing terms, subprocessor list, security evidence, screenshots of admin controls, logging documentation, and release-change policy. If a vendor gives a verbal answer, convert it into a written follow-up before approval.
The goal is not paperwork for its own sake. The goal is to make the approval explainable later. If leadership, legal, IT, or a client asks why the tool was approved, the evidence pack should show the use case, risk tier, key controls, unresolved issues, and the reason the decision was acceptable.
Use A Repeatable Scoring Method
Score each vendor against the same categories every time, then weight the score by use-case risk. The AI Vendor Due Diligence Scorecard gives the review team a simple 1-5 structure for evidence quality, risk flags, and decision recommendations.
Common Red Flags (Fast Read)
Use this list as your “walk-away” filter:
- “We don’t log prompts/outputs (or meaningful metadata).”
- “We can’t clearly answer whether your data trains our models.”
- “No admin controls for AI features.”
- “No clear retention/deletion process.”
- “No disclosure of subprocessors.”
- “Feature changes without notice or release notes.”
- “Default-on AI features that expand sharing/automation.”
- “No incident response commitments or timelines.”
- “SSO/RBAC not supported for enterprise.”
- “Output ownership is unclear or vendor retains reuse rights.”
- “No way to export logs for audit.”
- “No sandbox/testing path before rollout.”
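As an added example (not FCG's scorecard or any code from the post), here is one way to turn the risk tiers, the 1-5 category scoring, and the walk-away list above into a repeatable decision record. The category names, pass thresholds and flag identifiers are assumptions chosen to mirror the post's wording.

```python
from dataclasses import dataclass

# Review categories from "The Questions Most Teams Forget" (names assumed).
CATEGORIES = ("data_handling", "security_access", "auditability",
              "change_management", "quality_controls",
              "incident_response", "legal_ip")
# Assumed thresholds: minimum average score (1-5) per risk tier, and the
# lowest single-category score tolerated in a high-risk use case.
PASS_AVERAGE = {"low": 3.0, "medium": 3.5, "high": 4.0}
CATEGORY_FLOOR = 3
# Walk-away filter (identifiers assumed): any of these is an automatic no-go.
WALK_AWAY_FLAGS = {"no_prompt_output_logging", "training_use_unclear",
                   "no_admin_controls", "no_retention_deletion_process",
                   "no_subprocessor_disclosure", "unannounced_feature_changes",
                   "default_on_expanding_features", "no_ir_commitments",
                   "no_sso_rbac", "output_ownership_unclear",
                   "no_log_export", "no_sandbox"}

@dataclass
class UseCase:
    sensitivity: str               # "none", "limited" or "sensitive"
    client_facing: bool            # outputs go into client deliverables
    automation: bool               # tool can take actions / write back
    regulated: bool = False        # regulated environment
    decision_support: bool = False

def risk_tier(uc: UseCase) -> str:
    """Risk tier as the post defines it: high wins over medium over low."""
    if uc.client_facing or uc.automation or uc.regulated or uc.sensitivity == "sensitive":
        return "high"
    if uc.sensitivity == "limited" or uc.decision_support:
        return "medium"
    return "low"

def review(uc: UseCase, scores: dict, red_flags: set) -> dict:
    """Decision record: tier, average, blocking flags, unresolved areas, go/no-go."""
    missing = set(CATEGORIES) - scores.keys()
    if missing or any(not 1 <= s <= 5 for s in scores.values()):
        raise ValueError(f"every category needs a 1-5 score; missing={sorted(missing)}")
    tier = risk_tier(uc)
    avg = sum(scores[c] for c in CATEGORIES) / len(CATEGORIES)
    blocking = sorted(red_flags & WALK_AWAY_FLAGS)
    unresolved = sorted(c for c in CATEGORIES if scores[c] < CATEGORY_FLOOR)
    go = not blocking and avg >= PASS_AVERAGE[tier] and (tier != "high" or not unresolved)
    return {"tier": tier, "average": round(avg, 2), "blocking_flags": blocking,
            "unresolved": unresolved, "decision": "go" if go else "no-go"}

if __name__ == "__main__":
    # Constructed sample: the post's "default-on AI assistant" scenario.
    assistant = UseCase(sensitivity="sensitive", client_facing=False, automation=False)
    weak = {**dict.fromkeys(CATEGORIES, 4), "auditability": 2, "security_access": 2}
    print(review(assistant, weak, {"no_admin_controls"}))
```

Keeping the returned record alongside the vendor evidence gives the "explainable later" trail the next section asks for.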
How This Maps to Responsible AI Governance
This checklist turns vendor selection into a repeatable governance control: you can review suppliers consistently, record evidence, and run a cadence that prevents unmanaged AI features from “sneaking in.” It aligns with a NIST AI RMF-style approach to governing suppliers and operational risk—without turning your procurement motion into a research project.
How FCG Helps
Most teams don’t need a full-time AI governance org to do this well. They need an operator who keeps vendor governance moving.
FCG can:
- Build the AI vendor due diligence scorecard and evidence pack
- Run vendor reviews (new tools and AI add-ons inside existing platforms)
- Set the decision cadence (monthly/quarterly) and maintain the inventory
- Keep “AI features” from slipping into production unmanaged
For implementation support, see FCG’s AI Risk Management Services.
Example: The “Default-On AI Assistant” Surprise
Scenario: a core SaaS vendor adds an “AI assistant” to an existing platform. It becomes enabled by default after an update. Users start pasting sensitive client information to get faster summaries. There’s no tenant-wide admin disable, and prompt/output logging is limited.
How the due diligence checklist would have caught it:
- Change management questions surface default-on behavior and rollout controls.
- Data handling questions force clarity on retention and training exposure.
- Security/admin controls questions reveal whether features can be disabled or restricted.
- Auditability questions flag missing logs before you’re trying to investigate an incident.
Policy helps you say “don’t paste that.” Due diligence ensures the platform gives you the controls to enforce it.
If you want to implement this checklist quickly—and keep vendor governance operational—FCG can lead it through our AI Risk Management Services and Fractional CAIO model.