The AI Vendor Risk Assessment
Most of the AI in your business will come from vendors, not code you wrote. That makes vendor diligence the front line of AI governance. Before you adopt a third-party AI tool that touches your data, a short assessment tells you whether it is safe to bring in, and on what terms. This guide covers what to check and points you to a free template.
Why vendor risk is different for AI
AI tools raise questions that ordinary software does not. The big one is training: some vendors use customer inputs, and sometimes outputs, to train or fine-tune their models, which can expose client and company data beyond your own tenant. Beyond that, many tools sit on a chain of sub-processors and underlying model providers, each with its own terms, and the data terms are often buried several documents deep. A quick assessment surfaces all of it before you commit.
What to check
- Data handling. Does the vendor train on your inputs or outputs? Can you opt out, and is the opt-out the default or a paid tier? Where is data stored (which region), who at the vendor can access it, and how long is it retained after a request completes?
- Security posture. Do they hold SOC 2, ISO 27001, or equivalent? Ask for the actual report (a SOC 2 Type II report, not just the badge) and check that its scope covers the AI service you are buying, not only the vendor's corporate IT. Any recent breaches?
- Sub-processors and models. Which third parties and underlying models sit behind the tool, and do those providers' own data terms also apply to what you send?
- Contract terms. Is a data processing agreement available? What do liability and indemnity look like, including for the model's outputs?
- Compliance. Alignment with GDPR and CCPA, and, where relevant, the EU AI Act.
- Reliability and exit. Uptime commitments, and whether you can export your data, have it deleted, and leave cleanly.
- Model governance. Does the vendor document model behavior, model updates (and tell you before the model changes), and safeguards?
Score it, then decide
Rate each area as high, medium, or low risk with a short note saying why, then reach an overall call: adopt, adopt with conditions, or do not adopt. Conditions might be an opt-out from training, a signed data processing agreement, or limiting the tool to non-sensitive data. Record the decision, who made it, and when, and revisit it when the tool, the vendor's terms, or your use of it changes.
A ready-made vendor risk assessment
The Extrasphere Complete Toolkit, one-time $299 with 12 months of update re-issues included, has a vendor and third-party risk assessment with a scoring structure, plus the inventory and approval form that feed it. Start free with a policy and readiness checklist.
Make it part of procurement
The assessment only works if it happens before adoption, not after. Put it in the path every new AI tool has to pass through, alongside a simple approval form, so nothing enters the business without a record. Vendor answers land in your AI registry, so every tool you adopt has an entry with a named owner from day one; the AI Registry Kit gives you that register ready to fill. That single step heads off most shadow-AI problems.
Frequently asked questions
What is an AI vendor risk assessment?
A structured check of how a third-party AI tool handles your data, its security, its sub-processors, and its contract terms, done before you adopt it.
What is the biggest risk to look for?
Usually data: whether the vendor trains on your inputs, whether you can opt out, and how long they retain what you send.
Does every AI tool need one?
For any tool that touches company or client data, yes. Low-risk tools that never see sensitive data can use a lighter check.
What should you ask the vendor to provide?
SOC 2 or ISO 27001 evidence for security, a data processing agreement, and clear terms on training, retention, and sub-processors.