AI vendor risk assessment
Also: AI vendor risk, AI vendor risk review
An AI vendor risk assessment is the structured process of checking an AI tool's data handling, certifications and contract terms before it touches company or customer data, plus the written record a reviewer can point to later.
An AI vendor risk assessment answers one question with evidence: is this tool safe for the data we plan to put through it? That means checking, tool by tool: does it train on your inputs, will the vendor sign a Business Associate Agreement (BAA) or Data Processing Agreement (DPA), does it hold SOC 2 or ISO 27001, where is data stored and processed, who are its subprocessors, and what plan tier is actually required to get those protections (the free tier of a tool is frequently a different risk profile than its business tier).
How it differs from a normal vendor review
It is a variant of the vendor risk assessments security teams already run for any SaaS purchase, adapted for what is specific to AI: model training on your inputs, prompt and output retention, and whether a human reviewer might ever see what you submit. General vendor-risk questionnaires often miss these because they were written before generative AI existed.
The output is a document, not a verdict in someone's head
The output should be a document, not a verdict in someone's head: a short write-up of what was checked, what the vendor's own trust center or DPA says (with a source link for each claim), and a plan-tier recommendation ('Business tier only, never the free consumer plan'). That document is what an auditor, a customer's security questionnaire, or your own future self needs when the same question comes up again in six months.
Treat it as a living record
Because vendor policies change (a training default shifts, a new subprocessor is added, a BAA becomes available), a one-time assessment goes stale. Treat it as a living record with a re-check cadence, not a form you fill in once and file away. ModelCharter's free AI vendor risk assessment tool walks through exactly these checks, and the AI Tool Risk Directory has already sourced the answers for the most common tools.