The AI vendor due-diligence questionnaire every enterprise should use
- A consistent questionnaire turns AI vendor assessment into a reliable, comparable, repeatable process.
- Cover governance, risk and classification, data and training, documentation, oversight and security, and compliance.
- Treat the quality of answers as data; evidence is good, vague assurances are a warning sign.
- Keep answers connected to your AI inventory so vendor diligence feeds your own governance and deployer obligations.
- Current as of June 2026. This is general information, not legal advice.
How to use a questionnaire well
A questionnaire is a tool, and its value depends on how you use it. Send it early in procurement, before you are committed, so the answers can inform the decision. Treat the quality of the answers as data: a vendor that answers clearly and with evidence is signalling good governance, while vague or evasive answers are a warning. Keep the completed questionnaires as part of your records, since they feed your own governance and your obligations as a deployer.
Governance and accountability
Ask about how the vendor governs its AI:
- Does the vendor have a defined AI governance practice, and who is accountable for it?
- Does the vendor align with recognised frameworks (such as the NIST AI RMF) or hold certifications (such as ISO 42001)?
- How does the vendor manage AI governance across its own organisation?
Risk and classification
Ask about how the vendor understands the system's risk:
- Has the vendor assessed the risks of the system, and what are the main ones?
- What is the system's risk classification under relevant frameworks, such as the EU AI Act?
- What measures does the vendor take to manage the identified risks?
Data and training
Ask about the data behind the system:
- What data was the system trained on, and how was it sourced and governed?
- How does the vendor address data quality, representativeness, and bias?
- How is your data handled if it is used by the system, and what are the provenance and privacy implications?
Documentation and transparency
Ask what the vendor can give you:
- Can the vendor provide the documentation you need to meet your own obligations as a deployer?
- How transparent is the system, and can the vendor explain how it works at the level you need?
- What information is available about the system's performance, accuracy, and limitations?
Oversight, security, and incidents
Ask about operation and resilience:
- What human oversight does the system support, and what are your responsibilities?
- How is the system secured, and how does the vendor handle vulnerabilities?
- How does the vendor handle incidents, and how would you be informed of one affecting you?
Compliance and evidence
Ask for proof:
- How does the vendor support compliance with the laws and frameworks that apply to your use?
- What evidence (certifications, audit results, assessments) can the vendor provide, rather than assurances?
- How will the vendor keep you informed as the system, and the regulations around it, change?
Turning answers into governance
The questionnaire's real value comes from what you do with the answers. Keep them connected to the vendor systems in your AI inventory, so that your vendor due diligence feeds directly into your overall governance picture rather than sitting in a procurement file. Done this way, a standard questionnaire both protects you from AI supply-chain risk and builds the evidence that demonstrates your own governance. It also, over time, raises the bar across your suppliers, as vendors learn that clear, evidenced governance is what wins your business.
Key terms
- Due diligence: structured assessment of a vendor before and during use.
- Questionnaire: a standard set of questions used to compare vendors consistently.
- Deployer obligations: duties an organisation takes on when it puts a vendor's AI into use.
- Evidence: documentation and proof, as opposed to assurances.