ModelCharter

AI Vendor Risk Assessment: A Practical Checklist

Business contract signing for AI vendor risk assessment checklist

Photo: Ketut Subiyanto / Pexels

Most vendor risk assessments were built before AI tools existed, and they miss the specific risks AI creates: training on your data, generating errors treated as facts, or processing regulated data without the right contractual cover. A good AI vendor risk assessment adds AI-specific questions to your standard vendor management checks. Here is what those questions are, and why they matter.

Does it train on your data?

This is the first question for any AI tool. Consumer tiers of most major AI products train on your inputs by default unless you opt out, and most users never do. Business and enterprise tiers typically do not. Check the specific tier you are evaluating, not the default consumer terms. Ask the vendor directly: for this plan, is our data used to train or improve your models? Get the answer confirmed in the plan documentation before approval.

What are the data retention periods?

Even if a vendor does not train on your data, they may retain it for 30, 60, or 90 days for safety, audit, or operational reasons. Understand those periods before you approve sensitive use cases. For highly sensitive data, shorter retention is better. Some enterprise tiers offer zero retention, prompts and responses are not stored after the session ends. Worth asking about if your team regularly handles sensitive material.

Do they have a DPA or BAA?

If any personal data flows into the tool, you need a Data Processing Agreement with the vendor as a GDPR requirement. If any protected health information flows into it, you need a Business Associate Agreement as a HIPAA requirement. Check the tier: most enterprise plans include these agreements; most consumer and standard business plans do not. Absence of a DPA or BAA is a hard blocker for regulated data, not a risk to manage, a condition to meet before approval.

What are their certifications and can you verify them?

SOC 2 Type II is the minimum baseline for a business AI tool. ISO 27001 is stronger. For EU operations, check the vendor's GDPR compliance documentation and Standard Contractual Clauses status. For healthcare, confirm HIPAA eligibility. Ask for the most recent SOC 2 report, the abstract is usually publicly available, rather than just taking the vendor's word for it. Certifications do not guarantee safety, but their absence is a meaningful risk indicator.

Are there proper access controls?

Can the tool be scoped to your organisation only? Does it support SSO, so individual employee accounts are tied to your identity provider and can be revoked centrally? Does it have role-based permissions so you can limit who in your organisation can use it for what? A tool with robust access controls limits your exposure if an employee account is compromised or an employee leaves. ModelCharter's tool directory includes access control details for the most common AI tools so you are not researching each from scratch.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator