Key facts
- Format: one-page PDF checklist, sequenced from pre-contract through ongoing monitoring.
- Covers AI use, certifications, contract terms and reassessment cadence.
- Complements the detailed vendor DDQ rather than replacing it.
- Written for procurement, security and legal teams running vendor assessments.
- Free to download, no sign-up required.
What is the AI vendor due diligence checklist?
It is a short, sequenced checklist covering the full lifecycle of assessing an AI vendor: what to establish before you engage them, what to verify before signing, what to put in the contract, and how to keep monitoring them afterwards.
Who is it for?
Procurement, security and legal teams assessing any AI vendor, and business owners bringing a new AI tool into the organisation who need a lightweight first pass before escalating to full due diligence.
What the checklist covers
Before you engage. Confirm the vendor's role under the EU AI Act (provider, deployer, importer or distributor) and what data your use case will pass to them, since both determine which obligations and which later checks apply.
Before you sign. Certifications (ISO 27001, ISO 42001 where relevant), evaluation and bias-testing evidence, sub-processor list, incident process.
Contract terms. Audit rights, transparency commitments, incident notification, allocation of EU AI Act roles.
Ongoing monitoring. Reassess at least annually and on any material change or incident.
How to use it
Run it before any new AI vendor is signed, and keep a copy against each vendor in your inventory for the annual reassessment. If a vendor cannot answer the certification and evidence items, treat that as a red flag rather than a formality — see the full DDQ template for deeper questions.
Frequently asked questions
What is AI supplier due diligence?
Assessing an AI vendor's compliance, security and risk posture before and during the relationship.
What certifications should AI vendors hold?
ISO 27001 for security and, increasingly, ISO 42001 for AI management; SOC 2 where relevant.
How often should you reassess AI suppliers?
At least annually, and on any material change or incident.
What's a red flag in AI vendor due diligence?
Refusal to share documentation, vague data sourcing, or no human-oversight design.
What contract terms protect AI buyers?
Audit rights, transparency, incident notice, sub-processor controls and allocation of EU AI Act roles.
Last updated 19 June 2026.