Key facts
- Start by confirming the vendor's role: provider, deployer, or both for different features.
- Request technical documentation and risk assessment evidence before signing, not after.
- Check data sourcing, retention and sub-processor arrangements explicitly.
- Confirm the system supports meaningful human oversight, not oversight in name only.
- Use the free vendor due diligence checklist to structure the evaluation.
Step 1: confirm the vendor's role
Ask directly whether the vendor considers itself a provider (the party that develops the system or places it on the market under its own name) or a deployer (the party that uses the system under its own authority) for the AI features in your product or use case, and get this in writing. The answer may differ per feature, and it determines which obligations sit with the vendor and which fall to you. A vendor unable to answer this clearly is a warning sign, not a technicality.
Step 2: request documentation
Ask for technical documentation, risk assessment or evaluation evidence, and, where the system is classified as high-risk, conformity assessment records. Genuine compliance work leaves a paper trail; if none exists, that tells you something important about how seriously the vendor takes its obligations. Request this before signing, so that a refusal or an empty answer can still affect the decision.
Step 3: assess data practices
Confirm what data the AI system uses, where it is sourced, how long it is retained, whether your inputs are used to train or fine-tune the vendor's models, and who the sub-processors are. This matters both for EU AI Act compliance and for your own data protection obligations, where you remain accountable for the processing chain regardless of who operates the model.
Step 4: confirm oversight design
Ask how the system supports human oversight in practice: can a named person with the authority, competence and time to act meaningfully review, override or stop the system's output before it causes harm? "Oversight" that amounts to a dashboard nobody actually checks does not meet the bar.
Red flags to watch for
No documentation available on request, vague or evasive answers about data sourcing, no clear answer on provider/deployer role, and no meaningful human oversight design in the product.
Frequently asked questions
How do you evaluate an AI vendor's compliance?
Confirm their role under the EU AI Act, request documentation, assess data practices, and confirm the system supports meaningful human oversight.
What documentation should an AI vendor provide?
Technical documentation, risk assessment or evaluation evidence, and conformity assessment records where relevant.
What data questions should you ask an AI vendor?
What data the system uses, where it's sourced, how long it's retained, and who the sub-processors are.
What counts as a red flag when evaluating an AI vendor?
No available documentation, vague answers on data sourcing, unclear role allocation, or no meaningful human oversight design.
What tool can help structure vendor evaluation?
The free AI vendor due diligence checklist provides a sequenced structure for the whole process.
Last updated 19 June 2026.