Key facts

  • Definition: assessing third-party AI vendors before and during a contract to confirm safe, lawful, well-governed AI.
  • Key principle: buying AI does not transfer your obligations — as a deployer you remain responsible.
  • Evidence to request: EU AI Act role and risk class, model and data docs, security and AI certifications, DPIA/FRIA, incident process.
  • An accredited ISO/IEC 42001 certificate answers many due-diligence questions in one document, provided its scope covers the product you are buying.
  • Re-assess at onboarding, then at least annually and on material change.

Why does AI supplier due diligence matter?

Most organisations consume far more AI than they build, embedded in the tools they buy. Under the EU AI Act and data-protection law you keep deployer obligations even when the AI is someone else's, so a weak vendor becomes your exposure.

What evidence should you request from AI suppliers?

Ask for the vendor's EU AI Act role and risk classification; model and training-data documentation with provenance and limitations; security certificates (ISO/IEC 27001) and, ideally, ISO/IEC 42001; a DPIA and, for high-risk uses, a FRIA; evaluation and bias-testing results; human-oversight design; a sub-processor list; and an incident-notification process.

How do you assess and score vendors?

Turn assurances into comparable answers with a scored questionnaire. Map the vendor's role, request evidence against each obligation, verify certificates with the issuing body (including that the certified scope covers the product and sites you are buying, not just the vendor's head office), and record what you relied on. Treat the red flags below as gates rather than score deductions: a high overall score does not offset a missing incident process. Our vendor due-diligence checklist structures this.

What are the red flags?

No documentation, vague or undisclosed data sourcing, no human-oversight design, refusal to share evaluations, no incident process, and reluctance to put commitments in the contract. Any of these should pause the purchase until resolved.

How often should suppliers be re-assessed?

At least annually, and on any material change — a new model, a new use, or an incident. See our supplier due diligence guide.
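The scoring, gating and re-assessment rules above, as an added illustration that is not part of the original page or any vendor's tooling. The question list follows the evidence items named on the page, but the weights, the half-credit for unverified claims, the 80 % threshold and the vendor answers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Questionnaire items taken from the evidence list on the page.
# Weights are assumed for this example, not prescribed by the page.
QUESTIONS = {
    "ai_act_role_and_risk_class": 3,
    "model_and_data_documentation": 3,
    "iso27001": 2,
    "iso42001": 2,
    "dpia_or_fria": 3,
    "evaluations_and_bias_testing": 2,
    "human_oversight_design": 2,
    "sub_processor_list": 1,
    "incident_notification_process": 3,
    "contractual_commitments": 2,
}

# Red flags from the page. A missing item here pauses the purchase
# regardless of the overall score; it is a gate, not a deduction.
RED_FLAGS = {
    "model_and_data_documentation": "no documentation or undisclosed data sourcing",
    "human_oversight_design": "no human-oversight design",
    "evaluations_and_bias_testing": "refusal to share evaluations",
    "incident_notification_process": "no incident process",
    "contractual_commitments": "reluctance to put commitments in the contract",
}

PROCEED_THRESHOLD = 80.0  # assumed threshold for "proceed" without remediation
REVIEW_INTERVAL = timedelta(days=365)  # "at least annually"


@dataclass
class Answer:
    provided: bool           # did the vendor supply the evidence?
    verified: bool = False   # e.g. certificate confirmed with the issuing body
    note: str = ""           # what the assessor relied on (kept as a record)


@dataclass
class Assessment:
    score_pct: float
    blockers: list
    decision: str
    reliance_record: dict


def assess_vendor(answers: dict) -> Assessment:
    """Score a vendor's answers and apply red-flag gating."""
    total = sum(QUESTIONS.values())
    earned = 0.0
    blockers = []
    reliance = {}
    for item, weight in QUESTIONS.items():
        a = answers.get(item, Answer(provided=False))
        if a.provided and a.verified:
            earned += weight
        elif a.provided:
            earned += weight / 2  # assumed: unverified claims count half
        if not a.provided and item in RED_FLAGS:
            blockers.append(RED_FLAGS[item])
        reliance[item] = a.note or ("provided, unverified" if a.provided else "not provided")
    score = round(100 * earned / total, 1)
    if blockers:
        decision = "pause"            # any red flag stops the purchase
    elif score >= PROCEED_THRESHOLD:
        decision = "proceed"
    else:
        decision = "proceed with remediation plan"
    return Assessment(score, blockers, decision, reliance)


def review_due(last_review: date, today: date, material_change: bool = False) -> bool:
    """Re-assess at least annually, and immediately on a material change
    (a new model, a new use, or an incident)."""
    return material_change or today >= last_review + REVIEW_INTERVAL


# Constructed sample answers for two hypothetical vendors.
GOOD_VENDOR = {item: Answer(True, True, "reviewed " + item) for item in QUESTIONS}
GOOD_VENDOR["iso42001"] = Answer(True, False, "certificate shown, issuer not yet confirmed")

GATED_VENDOR = {item: Answer(True, True) for item in QUESTIONS}
GATED_VENDOR["incident_notification_process"] = Answer(False)  # high score, still paused


if __name__ == "__main__":
    for name, answers in (("good", GOOD_VENDOR), ("gated", GATED_VENDOR)):
        r = assess_vendor(answers)
        print(f"{name}: {r.score_pct}% -> {r.decision} {r.blockers}")
    print("review due:", review_due(date(2025, 1, 1), date(2026, 1, 1)))
```

The gated vendor scores well above the threshold but is still paused because one red flag is missing; that is the distinction between a scored item and a gate that the page's red-flag section relies on. The reliance record is what you keep so that you can later show which evidence you depended on for each obligation.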

Frequently asked questions

What is AI supplier due diligence?

The process of assessing third-party AI vendors before and during a contract to confirm their systems are safe, lawful and well-governed.

Does buying AI transfer my compliance obligations?

No — as a deployer you remain responsible, so you must verify a supplier's claims rather than assume them.

What evidence should I request from AI suppliers?

EU AI Act role and risk class, model/data documentation, security and AI certifications, DPIA/FRIA, evaluations and an incident process.

How does ISO 42001 help in supplier due diligence?

An accredited ISO/IEC 42001 certificate answers many due-diligence questions in advance in a single document; check that its scope covers the product you are buying.

What are the red flags when buying AI?

No documentation, vague data sourcing, no human-oversight design, refusal to share evaluations, and no incident process.

How often should AI suppliers be re-assessed?

At least annually, and on any material change such as a new model, a new use or an incident.

Last updated 19 June 2026.