Who should use this checklist?

Procurement, legal, risk, data protection and the business owner before an AI supplier is approved or renewed.

Is this a contract review?

No. It gives the questions and evidence requests to take into contract review. Legal terms still need qualified review.

Why does vendor due diligence belong at board level?

Accountability stays with the organisation deploying the AI. A vendor can support the control, but cannot own the board's duty to govern the outcome.

Free procurement tool

Generate an AI vendor due diligence checklist before procurement signs

Most boards buy AI before they govern it. This generator turns the supplier, model, data and contract risks into a checklist procurement, legal and risk teams can use before approving an AI tool.

Your sector

Governance maturity

Organisation size (optional)

What vendor or use case is being assessed?

Which vendor risks need the most attention? (choose at least one)

Model provenance and training data claimsData retention, prompts and customer data useSecurity testing and access controlSubprocessors, hosting and cross-border transferHuman oversight and customer-facing outputsAudit logs, explainability and evidenceIncident notification and model-change noticesContract terms, liability and exit rights

What data is involved? (optional)

Personal data of staff or customersSpecial-category data (health, beliefs, biometrics)Data about childrenFinancial or payment data

Choose at least one area to continue.

What the board needs to decide

What data will the vendor process, retain or use to improve its systems?
What evidence will prove human oversight, security and change control?
What rights does the organisation keep if the model changes or the supplier fails?

Frequently asked questions

Who should use this checklist?: Procurement, legal, risk, data protection and the business owner before an AI supplier is approved or renewed.
Is this a contract review?: No. It gives the questions and evidence requests to take into contract review. Legal terms still need qualified review.
Why does vendor due diligence belong at board level?: Accountability stays with the organisation deploying the AI. A vendor can support the control, but cannot own the board's duty to govern the outcome.

Find out where your AI exposure sits.

We'll tell you plainly what's worth doing, what isn't, and what a board or regulator will expect to see. No pitch deck.

Book a 15-minute call See what we've built

No obligation · no pitch.