In this guide
- What is AI supplier due diligence? Definition, the evidence to request and how to assess vendors.
Key facts
| Key fact | Detail |
|---|---|
| Definition | Assessing third-party AI vendors before and during a contract to confirm safe, lawful, well-governed AI |
| Key principle | Buying AI does not transfer your obligations — verify, do not assume |
| Evidence to request | EU AI Act role and risk class, model and data docs, security and AI certs, DPIA/FRIA, incident process |
| Accelerator | An ISO/IEC 42001 certificate answers many questions in one document |
| Owners | Procurement, legal, security and the business owner of the use case |
| Cadence | At onboarding, then re-assessed at least annually and on material change |
Why supplier due diligence matters for AI
Most organisations consume far more AI than they build, embedded in the tools they buy. Under the EU AI Act and data protection law you keep deployer obligations even when the AI is someone else's, so a weak vendor becomes your exposure. Due diligence is how you manage that risk before it reaches your customers. See the FAQ entry below: what is AI supplier due diligence?
What evidence to request from AI suppliers
Ask for the vendor's EU AI Act role and risk classification; model and training-data documentation with provenance and known limitations; security certifications such as ISO/IEC 27001 and, ideally, ISO/IEC 42001; a Data Protection Impact Assessment (DPIA) and, for high-risk uses, a Fundamental Rights Impact Assessment (FRIA); evaluation and bias-testing results; human-oversight design; a sub-processor list; and an incident-notification process.
How to assess and score vendors
Turn assurances into comparable answers with a scored questionnaire. Map the vendor's role, request evidence against each obligation, verify certificates with the issuing body, and record what you relied on. Our vendor due-diligence checklist and procurement evidence guide provide the structure for this.
Red flags to watch for
No documentation, vague or undisclosed data sourcing, no human-oversight design, refusal to share evaluations, no incident process, and reluctance to put commitments in the contract. Any of these should pause a purchase until resolved.
Putting it in the contract and keeping it live
Reflect the findings in the contract: warranties, audit rights, transparency and incident-notification clauses, and a clear allocation of AI Act roles. Then re-assess at least annually and whenever something material changes — a new model, a new use, or an incident.
Frequently asked questions
What is AI supplier due diligence?
The process of assessing third-party AI vendors before and during a contract to confirm their systems are safe, lawful and well-governed.
Does buying AI transfer my compliance obligations?
No — as a deployer you remain responsible, so you must verify a supplier's claims rather than assume them.
What evidence should I request from AI suppliers?
EU AI Act role and risk class, model/data documentation, security and AI certifications, DPIA/FRIA, evaluations and an incident process.
How does ISO 42001 help in supplier due diligence?
An accredited ISO/IEC 42001 certificate pre-answers many due-diligence questions in a single document.
How often should AI suppliers be re-assessed?
At least annually, and on any material change such as a new model, a new use or an incident.
Last updated 19 June 2026.