
Template 12 — Vendor AI Questionnaire

ID: 12-vendor-ai-questionnaire
Version: 1
Last revised: 2026-05-14
Owner: Procurement (sends) · AI CoE Lead (reviews responses)

Purpose

Six questions that get appended to your existing vendor security review for any vendor whose product uses AI / LLMs / ML. They catch the largest source of shadow AI: SaaS tools already in use at the company that suddenly enable AI features via auto-update.

The questions are designed to produce machine-comparable answers so you can risk-classify vendor AI the same way you classify internal agents. The same 3 risk drivers from framework.md §10.2 apply.

  • When you use it: At every new vendor onboarding. At every annual renewal. When an existing vendor announces a new AI feature.
  • Who sends it: Procurement, as part of standard vendor security review.
  • Who reviews responses: AI CoE Lead, in coordination with Security and Legal.
  • Format: Plain-text / form / spreadsheet — whatever your existing vendor process uses. Pasteable directly.

Worked example (Anthropic Claude API onboarding)

"ACME Procurement is onboarding Anthropic as an LLM provider for the AI program. The questionnaire was sent 2026-03-01 and returned 2026-03-08."

Vendor AI Questionnaire — Anthropic, Inc.

Vendor: Anthropic, Inc.
Product: Claude API (Sonnet 4.6, Haiku 4.5)
Date sent: 2026-03-01
Date returned: 2026-03-08
Reviewed by: Morteza Moradi (CoE Lead) + Pat Lee (CISO) + John Smith (General Counsel)


Q1. Does your product use AI / LLMs / ML? If yes, what kinds, and where do they sit in the product?

Vendor answer:

Yes. Anthropic provides large language model APIs. Customers send prompts; the model returns completions. The product is itself the AI — there is no non-AI mode.

CoE assessment: Direct AI provider. Highest scrutiny. Note: this is a "primary" AI vendor, not vendor-embedded AI in a SaaS tool — Q-by-Q assessment still applies.


Q2. Which underlying models do you use? Where are they hosted? Can the customer pin a specific model version?

Vendor answer:

We host our own models on infrastructure across multiple cloud providers. Model versions are pinned by the customer at the API call layer (e.g., claude-sonnet-4-6). We provide deprecation notices ≥ 6 months in advance for any model retirement. Snapshot versions are available for customers requiring stable behavior across periods.

CoE assessment: ✅ Pass. Model pinning enables reproducibility. 6-month deprecation notice is reasonable. We will pin claude-sonnet-4-6 initially.


Q3. Is customer data used to train, fine-tune, or otherwise improve your models? What is the opt-out path? Where is data stored, and for how long?

Vendor answer:

Customer API data is not used for training by default. Customers may explicitly opt in to provide feedback that improves the service. Data is processed in the region specified by the customer (US, EU, or other supported regions). Standard retention for API calls is 30 days for abuse monitoring; this is configurable. Zero Data Retention (ZDR) is available for qualified customers — Anthropic stores no prompt or completion data at all in this mode.

CoE assessment: ✅ Pass. Default no-training is the correct posture. We will enable ZDR for customer-PII workflows; standard 30-day for internal workflows. Regional processing confirmed (we'll use EU endpoint for EU vendor data per Agent Card §6).


Q4. What is your policy for notifying customers of material changes to AI model behavior or capabilities?

Vendor answer:

Material changes (model deprecation, behavioral shifts, new model versions) are announced via the developer changelog and email to the contracted technical contact. Deprecation: ≥ 6 months notice. Behavioral changes: documented at the time of any release. Customers using pinned snapshot versions are unaffected by changes outside their pinned version.

CoE assessment: ⚠️ Conditional pass. We require contractual notification (not just changelog email) per template 13 §2.2. Procurement to negotiate this clause as a contract addendum.


Q5. What audit trail does your product provide to the customer? Specifically: full per-call logs, model used, tokens consumed, content of prompts and completions, latency?

Vendor answer:

Customers receive: per-call billing detail (tokens in/out, cost, model used, timestamp). Prompt and completion content are not surfaced in vendor dashboards; customers retain those in their own systems. API metadata logs are available via export.

CoE assessment: ✅ Pass. We will retain prompts + completions in LangSmith on our side, not depend on Anthropic. Tokens + cost + model version from Anthropic is sufficient for cross-validation.


Q6. What human-in-the-loop controls does your product expose to the customer? For example: confidence scores, refusal patterns, content-policy hooks, configurable safety thresholds.

Vendor answer:

Models return token log-probabilities (for confidence inference). Built-in safety classifiers refuse certain content categories — customers can review the refusal reason via API response metadata. Customers can layer their own HITL via system prompts and orchestration. We do not expose configurable safety-threshold tuning at the model layer.

CoE assessment: ✅ Pass. Token logprobs sufficient for our confidence-threshold-per-process pattern (framework §20). Built-in refusal classifiers are a backstop, not the primary control — primary HITL is in our orchestrator.


Overall risk classification (vendor AI tier)

| Driver | Assessment |
|---|---|
| Personal data processed by vendor? | Yes — we send vendor invoice content (mild PII) to the API |
| Consequential decisions made by vendor's AI? | No — Anthropic returns text. Our orchestrator decides what to do with it. |
| Autonomous behavior? | No — vendor model does not act; it returns completions for our agent to use. |

Vendor AI tier: Medium (matches the agents that consume it; if any future High-tier agent uses Anthropic, the higher tier dominates).

Open items before contract signature

  1. Contract addendum with material-change notification clause (template 13 §2.2) — Procurement / Legal
  2. Confirm ZDR availability for our account tier
  3. Pin model version in Agent Cards (claude-sonnet-4-6); subscribe to deprecation notices

Decision

Approved as AI vendor. Subject to closure of items 1–3 above. Annual recertification due 2027-03-01.

Anthropic added to registry as vendor: anthropic-claude-api with Source = Vendor (LLM provider).

Sign-off

| Role | Name | Date |
|---|---|---|
| Procurement | (rotating) | 2026-03-08 |
| CoE Lead | Morteza Moradi | 2026-03-09 |
| Security | Pat Lee | 2026-03-09 |
| Legal | John Smith | 2026-03-10 |

Blank template (copy below for your vendor)

# Vendor AI Questionnaire — [Vendor Name]

**Vendor:** [Vendor name + legal entity]
**Product:** [Product name + version / SKU]
**Date sent:** [YYYY-MM-DD]
**Date returned:** [YYYY-MM-DD]
**Reviewed by:** [Names + roles]

---

### Q1. Does your product use AI / LLMs / ML? If yes, what kinds, and where do they sit in the product?

**Vendor answer:**
> [vendor text]

**CoE assessment:** [Pass / Conditional / Fail — reasoning]

---

### Q2. Which underlying models do you use? Where are they hosted? Can the customer pin a specific model version?

**Vendor answer:**
> [vendor text]

**CoE assessment:**

---

### Q3. Is customer data used to train, fine-tune, or otherwise improve your models? What is the opt-out path? Where is data stored, and for how long?

**Vendor answer:**
> [vendor text]

**CoE assessment:**

---

### Q4. What is your policy for notifying customers of material changes to AI model behavior or capabilities?

**Vendor answer:**
> [vendor text]

**CoE assessment:**

---

### Q5. What audit trail does your product provide to the customer? Specifically: full per-call logs, model used, tokens consumed, content of prompts and completions, latency?

**Vendor answer:**
> [vendor text]

**CoE assessment:**

---

### Q6. What human-in-the-loop controls does your product expose to the customer? For example: confidence scores, refusal patterns, content-policy hooks, configurable safety thresholds.

**Vendor answer:**
> [vendor text]

**CoE assessment:**

---

## Overall risk classification (vendor AI tier)

| Driver | Assessment |
|---|---|
| Personal data processed by vendor? | |
| Consequential decisions made by vendor's AI? | |
| Autonomous behavior? | |

**Vendor AI tier:** [Low / Medium / High]

## Open items before contract signature

1. [Item + owner + due date]

## Decision

[✅ Approved / ⚠️ Conditional / ❌ Rejected]

[If approved: registry entry + recertification date]

### Sign-off

| Role | Name | Date |
|---|---|---|
| Procurement | | |
| CoE Lead | | |
| Security | | |
| Legal | | |

Plain-text version (drop into your existing vendor review form)

If your existing vendor security review is a form rather than a doc, paste these six questions as additions:

AI Governance Questions (required if your product uses AI/ML/LLMs)

1. Does your product use AI / LLMs / ML? If yes, what kinds, and where do they sit in the product?

2. Which underlying models do you use? Where are they hosted? Can the customer pin a specific model version?

3. Is customer data used to train, fine-tune, or otherwise improve your models? What is the opt-out path? Where is data stored, and for how long?

4. What is your policy for notifying customers of material changes to AI model behavior or capabilities?

5. What audit trail does your product provide to the customer? Specifically: full per-call logs, model used, tokens consumed, content of prompts and completions, latency?

6. What human-in-the-loop controls does your product expose to the customer? For example: confidence scores, refusal patterns, content-policy hooks, configurable safety thresholds.

Usage notes

  • Vendor-embedded AI counts too. Notion AI inside Notion, Einstein inside Salesforce, Copilot inside Outlook — these all need the same six questions. The questions are written generically.
  • Q3 (training-data use) is the question that filters most vendors. Free-tier products often use customer data for training. Enterprise tiers usually don't. Confirm in writing, not just on the marketing site.
  • Q4 (material-change notification) is what prevents the auto-update problem. Vendors flipping on new AI features without notice is framework.md §15.2's biggest concern. Get a contractual commitment via template 13.
  • The questions don't replace your normal security review. Standard SOC 2 / DPA / data-residency checks still apply. These six questions are additions for the AI dimension.
  • Annual recertification. Vendor AI changes constantly. Re-run this questionnaire at every annual renewal.

Common pitfalls

| Pitfall | What it looks like | Fix |
|---|---|---|
| Skip the questionnaire because "the vendor isn't an AI vendor" | Notion procurement skipped — but Notion AI is on by default | Apply to every vendor with any AI feature, not just AI-as-product vendors |
| Accept marketing-page answers | "We don't train on your data" cited from website | Get it in writing from the vendor's CSM or in the contract |
| Q4 left vague | "We'll notify you of major changes" with no SLA | Demand specific terms in template 13: ≥30 days notice, "material" defined |
| Q5 not verified | Vendor claims full audit trail; actual exports are incomplete | Test it during evaluation, not after signing |
| No annual recertification | Questionnaire run at onboarding, never again | Calendar event for every contract anniversary |
| Vendor AI tier never assigned | Open items listed but no overall tier | Force a tier conclusion — Low / Medium / High |

Framework cross-references

  • framework.md §26 (Procurement integration — questionnaire is the operational mechanism)
  • framework.md §15.2 (vendor-embedded AI inventory — feeds from this)
  • framework.md §10 (risk classification — applied to vendor AI)
  • framework.md §22.1 EU AI Act Article 25 (deployer obligations)
  • framework.md §22.1 EU AI Act Article 50 (transparency)
  • framework.md §22.2 NIST AI RMF MAP — external dependencies
  • workflows.md Step A8 (Procurement integration sub-steps)
  • workflows.html → In Action view → side branch from M12 (Build) → "Procurement: vendor approvals"