Key facts
- Format: editable XLSX questionnaire with a built-in weighted scoring model.
- Covers AI use, model and data provenance, evaluations, security and sub-processors.
- Flags the vendor's likely EU AI Act role (provider, deployer, importer or distributor).
- Produces a pass, escalate or fail-style output per vendor.
- Free to download — pairs with the AI supplier due diligence guide.
What is the AI vendor due diligence questionnaire?
It is a structured questionnaire (DDQ) you send to any AI vendor before you sign or renew. It covers what the vendor's AI does, where its training data comes from, what evaluations and bias testing it has undergone, its security certifications, its sub-processors, and which role it holds under the EU AI Act. A weighted scoring model turns the answers into a clear pass, escalate or fail outcome.
Who is it for?
Procurement, security and legal teams running due diligence on AI vendors, and vendors who want to pre-empt the questions by preparing answers in advance.
What the questionnaire covers
- AI use and model provenance. What the system does, and where the underlying model and training data come from.
- Evaluations. Bias testing, safety evaluations and how issues found are remediated.
- Certifications. ISO 27001 for security and, increasingly, ISO 42001 for AI management.
- EU AI Act role. Whether the vendor is acting as provider, deployer, importer or distributor, which sets their obligations.
- Ongoing monitoring. How the vendor notifies you of material changes or incidents.
How to use it
Send it as part of onboarding for any new AI vendor, and re-send at least annually or after a material change or incident. Score consistently rather than case by case, and treat any refusal to answer the model-provenance or evaluation questions as a red flag rather than an oversight.
Frequently asked questions
What is AI supplier due diligence?
Assessing an AI vendor's compliance, security and risk posture before and during the relationship.
What goes in an AI due-diligence questionnaire (DDQ)?
AI use, model and data provenance, evaluations and bias testing, security, sub-processors, EU AI Act role and certifications.
How do you assess a GPAI provider?
Check model documentation, training-data summaries, acceptable-use terms, safety evaluations and Code of Practice adherence.
What certifications should AI vendors hold?
ISO 27001 for security and, increasingly, ISO 42001 for AI management; SOC 2 where relevant.
How often should you reassess AI suppliers?
At least annually, and on any material change or incident.
What's a red flag in AI vendor due diligence?
Refusal to share documentation, vague data sourcing, or no human-oversight design.
Can I rely on a vendor's self-attestation?
Treat it as a starting point; verify with evidence and contractual rights, not on trust alone.
Last updated 19 June 2026.