Use this AI Vendor Due Diligence Scorecard to review AI tools, embedded AI features, and generative AI platforms before approval. It is designed for leadership, IT, risk, compliance, legal, and operations teams that need a practical way to compare vendors and document evidence.
The scorecard pairs with John Dawson's article, AI Vendor Due Diligence: The Questions Most Teams Forget to Ask.
How To Use The Scorecard
- Define the use case and risk tier.
- Ask each vendor for evidence, not just written assurances.
- Score each category from 1 to 5.
- Record red flags and compensating controls.
- Make a go, conditional go, defer, or no-go recommendation.
Scoring Scale
| Score | Meaning | Decision Signal |
|---|---|---|
| 1 | Unclear, unsupported, or unacceptable | No-go or executive escalation |
| 2 | Weak evidence or material gaps | Defer unless risk is low |
| 3 | Workable with compensating controls | Conditional approval |
| 4 | Good controls with usable evidence | Approval likely |
| 5 | Strong, evidence-backed, operationally mature | Approval with normal monitoring |
Scorecard Categories
| Category | Key Questions | Evidence To Request | Score |
|---|---|---|---|
| Use Case And Risk Tier | What data, users, outputs, integrations, and decisions are in scope? | Use-case summary, data classification, workflow map | 1-5 |
| Data Handling And Retention | Is customer data used for training? What is retained? How is deletion verified? | Data flow diagram, retention policy, DPA, training opt-out evidence | 1-5 |
| Security And Access Controls | Does the tool support SSO, RBAC, MFA, admin controls, and sharing restrictions? | SOC 2 or ISO scope, admin screenshots, access-control documentation | 1-5 |
| Auditability And Logs | Can activity, prompts, outputs, exports, and admin changes be traced? | Audit log documentation, export sample, retention settings | 1-5 |
| Model Transparency And Change Management | How do models, features, defaults, and integrations change over time? | Release notes, model change policy, rollout controls | 1-5 |
| Quality And Human Review | How are hallucinations, regressions, citations, and unsafe outputs tested? | Evaluation method, review workflow, sandbox test option | 1-5 |
| Incident Response And Support | What happens when data, quality, access, or availability issues occur? | Incident policy, SLA schedule, escalation path, RCA process | 1-5 |
| Legal, IP, And Subprocessors | Who owns outputs? What reuse rights exist? Who else processes the data? | MSA, DPA, AI addendum, subprocessor list, notification terms | 1-5 |
No-Go Triggers
- The vendor cannot clearly state whether customer data is used to train models.
- Retention or deletion is indefinite, unverifiable, or offered only on a best-effort basis.
- There is no admin control for AI features used in medium- or high-risk workflows.
- There are no exportable logs for activity that may need investigation.
- Contract terms conflict with security or governance assurances.
Decision Summary
| Decision | Use When | Next Action |
|---|---|---|
| Go | Controls are strong and evidence is complete. | Approve with normal monitoring cadence. |
| Conditional Go | Gaps are manageable with compensating controls. | Assign owner, deadline, and review date. |
| Defer | Important evidence is missing. | Request evidence before approval. |
| No-Go | Material risk is unresolved or unacceptable. | Decline or escalate to leadership. |
FCG can help turn this scorecard into a working vendor-review cadence through AI Risk Management Services and Fractional CAIO support.