Skip to main content
RiscLens

AI Vendor Risk
Questionnaire Template

Standard security questionnaires fail to capture the nuances of AI risk. Use this programmatic template to audit LLM providers, GenAI startups, and SaaS vendors with AI features.

View Audit Guide

Data & Model Privacy

Q1

Is customer data used to train your foundational models?

Q2

Do you support Zero-Retention (API) for high-sensitivity data?

Q3

What are your data isolation mechanisms between different customers?

Q4

How do you handle PII/PHI redaction before model processing?

Model Governance & Safety

Q1

What is your process for red-teaming new model releases?

Q2

Do you provide an AI System Impact Assessment (AISIA)?

Q3

How are hallucinations and biases monitored and reported?

Q4

What guardrail technologies (e.g., LlamaGuard) are implemented?

Legal & Regulatory

Q1

Are you compliant with the EU AI Act risk tiering requirements?

Q2

Do you offer indemnification for copyright infringement by GenAI output?

Q3

What is your opt-out policy for data usage in diagnostic improvements?

Q4

Is your AI system registered in the EU database (if applicable)?

Operational Resilience

Q1

What is your fallback mechanism if the LLM provider experiences downtime?

Q2

How do you handle rate limits and capacity surges for enterprise users?

Q3

What is the frequency of security audits for your AI infrastructure?

Q4

Do you have a vulnerability disclosure program specifically for AI assets?

Crucial Red Flag

The "Training Leak" Clause

If a vendor cannot confirm that your data is excluded from their model training weights, they are effectively using your IP to subsidize their R&D. This is the #1 risk for enterprise procurement in 2026.

"Look for 'Zero Data Retention' (ZDR) clauses in their Terms of Service before signing."

Programmatic Enrichment

Don't just trust their answers. Use RiscLens to scan their domain for:

  • Hidden LLM API calls in their JS bundles
  • Social proof of enterprise-grade AI safety
  • Infrastructure provider (AWS vs Azure vs Anthropic)

Need a formal Audit Template?

Our AI Vendor Audit Template provides the scoring logic and evidentiary requirements needed for ISO 42001 or SOC 2 + AI.

Get Audit Template
KA

Kevin A

CISSPCISMCCSPAWS Security Specialist

Principal Security & GRC Engineer

Kevin is a security engineer turned GRC specialist. He focuses on mapping cloud-native infrastructure (AWS/Azure/GCP) to modern compliance frameworks, ensuring that security controls are both robust and auditor-ready without slowing down development cycles.

Connect on LinkedIn →Chat on Reddit →