Vendor Risk Management for AI
You are responsible for your vendors' AI. If it hallucinates or leaks data, it's your liability. Here is how to vet them.
The "AI Inside" Problem
Almost every SaaS tool you use—from HR software to CRMs—is adding "AI features." This creates a massive, hidden attack surface.
The Questionnaire
Add these questions to your standard TPRM (Third-Party Risk Management) questionnaire:
1. Data Usage
"Do you use our customer data to train your models? If so, is it aggregated or individualized? Can we opt out?"
2. Model Provenance
"Which foundation models are you using (e.g., GPT-4, Claude, Llama)? Are you hosting them yourselves or calling a public API?"
3. Liability & Indemnification
"Do you indemnify us against copyright claims related to the AI's output? Who is liable if the AI gives bad advice?"
Continuous Monitoring
A one-time questionnaire isn't enough. Models change. You need continuous monitoring of your vendors' AI performance and security posture.