
Vendor AI due diligence

Most AI an organisation uses is bought, not built. This guide walks through assessing a third-party or vendor AI tool, before adoption and on an ongoing basis, so that procurement and risk decisions are structured and defensible.

Use it when you are evaluating a vendor AI product, or when you already use one and need to bring it under proper governance and periodic review.

The outcome is a registered vendor system with a documented assessment, vendor-supplied evidence captured against specific controls, and a clear accept, accept-with-conditions or reject position with ongoing review dates.

  1. Register the vendor system. Add it in AI System Records, recording the vendor, the deployment type and a model card for the vendor model. Mark it as vendor-provided so it is distinguishable from in-house systems in later reporting.
  2. Run intake and tier it. Capture the use case, data exposure and human oversight in intake, and confirm the risk tier; the tier sets how deep the diligence needs to go.
  3. Route to the right frameworks. Higher-risk vendor systems route to GTSAF and the EU AI Act. ISO/IEC 42001 evidence is a strong signal for the vendor's own AI management system, but it attests to the vendor's processes, not to the safety or fitness of the specific product in your use case, so it complements rather than replaces product-level evidence.
  4. Request evidence from the vendor. Use evidence requests to ask the vendor (or the internal owner) for specific artefacts against specific controls: validation results, security assessments, data-handling practices, model documentation and assurance certifications. Tie each artefact to the control it is meant to satisfy so that gaps are visible rather than hidden in a general document bundle.
  5. Assess and decide. Score the controls with a written rationale, raise findings for gaps, and reach an accept, accept-with-conditions or reject decision, with any conditions and gaps tracked on the Remediation Roadmap.
  6. Set ongoing review. Record review dates so the vendor is reassessed as the product changes and as your reliance on it grows, and include the system in portfolio reporting.

This guide draws on AI System Records, intake and risk tiering, evidence and findings, GTSAF, the EU AI Act, ISO/IEC 42001 and reporting.