How to Answer the AI Section of a Security Questionnaire
More and more, closing a deal means answering a security questionnaire, and those questionnaires now include a section on AI. Buyers and enterprise procurement teams have extended their third-party risk process to cover the AI you use, and a weak or missing answer can stall a sale. A strong one clears the path. This guide covers what the AI section asks, how to answer it, and the documentation that makes the whole thing fast.
Why the AI section appeared
When a company buys from you, your risks become their risks. AI adds new ones: whether your tools train on the data you are given, whether a human reviews automated decisions, and whether the models behind your product are governed at all. The questions map to the same frameworks that shape the field: ISO 42001, the NIST AI RMF, and the EU AI Act. That lets a buyer check that you take AI seriously the same way they check your security posture.
What the AI section typically asks
- Policy. Do you have an AI acceptable use policy, and who owns it?
- Inventory. Can you list the AI systems and AI-enabled features you use?
- Training on data. Do your AI tools train on customer or company data, and can that be turned off?
- Human oversight. Where AI informs decisions, is there a person in the loop?
- Vendor and model governance. How do you assess third-party AI tools and the models behind them?
- Data handling. Where does data go, how long is it kept, and who can access it?
- Security of AI systems. How are prompts, outputs, and integrations secured?
- Incident response. Do you have a process for AI-specific incidents?
- Compliance mapping. How does your program relate to ISO 42001, the EU AI Act, and the NIST AI RMF?
How to answer well
Answer with what you actually do, not what you intend to do. Point to a named, dated policy and to the specific controls behind each answer. Reference the artefacts you can share, such as an acceptable use policy, an AI inventory, and a vendor assessment. Be precise about data: whether tools train on inputs, whether you have opted out, and what your retention terms are. And do not overstate. Say your program is mapped to ISO 42001 or aligned with the EU AI Act, not that you are certified, unless you hold the certificate.
What makes it fast
A short, standard set of documents covers almost every AI question a buyer will ask: an acceptable use policy, an AI system inventory, a vendor risk assessment, an impact assessment for higher-stakes uses, and an incident runbook. With those in place, the AI section stops being a fire drill and becomes a copy-and-adapt exercise.
The AI Security Questionnaire Response Kit
Skip the scramble. Pre-written, defensible answers to the AI questions buyers ask, mapped to the evidence behind each, plus a reusable trust page. Answer in an afternoon.
Common questions
A set of questions a buyer or procurement team includes to assess how you govern and secure the AI you use, as part of their third-party risk review before they buy from you.
In practice, yes. Most questions assume a documented acceptable use policy and an inventory of the AI you use. Without them, you are answering from memory, which reads as immature.
You still answer. The questions cover how you select, govern, and secure the AI tools you rely on, which matters to a buyer regardless of who built them.
Only claim what is true. Say your program is mapped to ISO 42001 or aligned with the EU AI Act. Reserve the word certified for a certificate you actually hold.