Key facts

  • EU AI Act role (provider, deployer, importer or distributor) and the system's risk classification.
  • Model and training-data documentation, including data provenance and known limitations.
  • Security certifications such as ISO/IEC 27001, and ISO/IEC 42001 for AI management.
  • A DPIA, and a Fundamental Rights Impact Assessment (FRIA) for high-risk uses.
  • Evaluation and bias-testing results, human-oversight design, sub-processor lists and an incident-notification process.

Why ask for evidence rather than assurances?

You retain deployer obligations even when you buy AI in, so you cannot simply rely on a vendor's claims. Verify, document, and keep the evidence. A scored questionnaire turns vague assurances into comparable, auditable answers.

The core evidence checklist

Ask for:

  • The vendor's EU AI Act role and risk classification.
  • Model and data documentation, with provenance and limitations.
  • Security certificates (ISO/IEC 27001) and, ideally, ISO/IEC 42001.
  • A DPIA, plus a FRIA for high-risk uses.
  • Evaluation and bias-testing results.
  • Human-oversight design.
  • A sub-processor list.
  • An incident-notification process.

Red flags when buying AI

No documentation, vague data sourcing, no human-oversight design, refusal to share evaluations, and no incident process. Any of these should pause the purchase until resolved.

How to score and verify vendor responses

Map the vendor's role, request evidence against each obligation, verify certificates with the issuing body, and test claims with a scored questionnaire. Record what you relied on. Our vendor due-diligence checklist structures this.

How often should vendors be re-assessed?

At least annually, and on any material change — a new model, a new use, or an incident.

Frequently asked questions

What evidence should procurement request from AI vendors?

Risk classification, model/data documentation, security certifications, DPIA/FRIA, transparency information, incident processes and (ideally) ISO/IEC 42001.

What questions should be in an AI RFP?

Risk classification, training-data provenance, evaluation/bias testing, human oversight, security, sub-processors and EU AI Act roles.

What are red flags when buying AI?

No documentation, vague data sourcing, no human-oversight design, refusal to share evaluations, and no incident process.

How do I evaluate an AI vendor's compliance?

Map their role (provider/deployer), request evidence against obligations, verify certificates with the issuing body, and test claims with a scored questionnaire.

How often should AI vendors be re-assessed?

At least annually and on material change (new model, new use, incident).

Can I rely on a vendor's compliance claims?

Verify, don't assume — request evidence and document it; you retain deployer obligations.

Last updated 19 June 2026.