The assessment framework: five categories

Category 1 — Governance and organisation. Does the vendor have a documented AI governance framework? Who is responsible for AI governance in the vendor organisation? Has the vendor had any AI-related regulatory investigations, enforcement actions, or material litigation? What is the vendor's incident history for AI systems, and how were incidents handled? A vendor that cannot answer these questions has not built AI governance and cannot demonstrate that their AI is managed responsibly.

Category 2 — Data and privacy. What data does the vendor's AI process? Where is that data stored and processed? Does the vendor use customer data to train their AI models, and can the customer opt out contractually? What are the vendor's data retention and deletion practices? Is the vendor ISO 27001 certified or equivalent? For regulated industries, can the vendor provide the relevant attestations and agreements (a SOC 2 Type II report, a HIPAA business associate agreement, a PCI DSS attestation of compliance)? Check the scope statement on any certificate or report: an ISO 27001 certificate or SOC 2 report that excludes the systems that actually process your data says nothing about those systems. The data and privacy questions often reveal the most significant risks — vendors whose data processing practices are unclear or inadequately documented create compliance exposure for the organisations that use their products.

Category 3 — Technical AI governance. How is the vendor's AI validated before deployment? What bias testing has been conducted, using what methodology? What monitoring does the vendor conduct for AI performance in production? How does the vendor manage model changes — what is the change management process, how are customers notified, and can a customer pin a model version until they have re-validated the new one? Has the vendor conducted adversarial testing or red-teaming of their AI, and will they share the scope and findings under NDA? What is the vendor's explainability capability for AI decisions — can the AI provide explanations adequate for your regulatory context?

Category 4 — Regulatory compliance. Which AI regulations apply to the vendor's products, and how does the vendor track compliance? For EU AI Act high-risk AI — has the vendor conducted conformity assessment, and can they provide the technical documentation? For GDPR/Privacy Act — can the vendor execute a data processing agreement that satisfies your legal obligations? What are the vendor's obligations under applicable sector-specific regulation, and how are they meeting them?

Category 5 — Operational stability and resilience. How financially stable is the vendor? What is the service level agreement for AI system availability? What is the vendor's business continuity plan for AI systems that support your critical operations? What happens to your data and your access to the AI system if the vendor is acquired, goes into administration, or discontinues the product — can you export your data in a usable format, and is there an escrow or transition arrangement? For high-risk AI vendor relationships, the operational stability assessment is not optional — a vendor failure that disrupts critical operations creates regulatory exposure under CPS 230 and equivalent operational-risk standards.