AI Vendor Audit
Standard Template
Bridge the gap between "asking questions" and "verifying security." Use our scoring-based rubric to audit AI vendors with enterprise rigor.
Pre-Audit Scoping
- Identify AI usage (Embedded, API-based, or Standalone)
- Classify AI Risk level (EU AI Act tiers)
- Define data sensitivity boundaries
- Inventory sub-processors (LLM providers)
Evidence Collection
- System Architecture Diagrams (AI flow)
- Model Card / Transparency Documentation
- AI Policy & Ethical Guidelines
- Data Processing Addendum (DPA) with AI clauses
Scoring & Assessment
- Evaluate model robustness vs expected use cases
- Score data privacy controls (Encryption, ZDR)
- Assess bias mitigation efforts
- Risk-weighting based on business impact
Evidence Checklist
Request these specific documents to verify the vendor's AI governance maturity.
Technical Evidence
- • Penetration Test Report (AI infrastructure)
- • SOC 2 Type II with AI Trust Criteria
- • Vulnerability Scan Results (Models)
Governance Evidence
- • Ethical AI Usage Policy
- • Data Retention Schedule
- • Model Bias Monitoring Logs
Programmatic Audit Intelligence
Automate the "pre-audit" phase by extracting signals from the vendor's domain.
Instant Stack Detection
Our engine detects which AI APIs (OpenAI, Anthropic, Bedrock) a vendor is using under the hood.
Peer Benchmarking
Compare a vendor's risk profile against 5,000+ other AI companies in our database.
Kevin A
Principal Security & GRC Engineer
Kevin is a security engineer turned GRC specialist. He focuses on mapping cloud-native infrastructure (AWS/Azure/GCP) to modern compliance frameworks, ensuring that security controls are both robust and auditor-ready without slowing down development cycles.