Introduction
AI vendor due diligence is a critical process for organizations procuring AI systems or services. Unlike traditional software procurement, AI due diligence must address unique risks including algorithmic bias, data governance, model explainability, and regulatory compliance under evolving AI laws.
This part provides a comprehensive framework for evaluating AI vendors across technical, security, compliance, and business dimensions.
💡 Why AI-Specific Due Diligence?
AI introduces risks that traditional vendor assessment misses: algorithmic harm (bias, discrimination), opacity (inability to explain decisions), data contamination (training data issues), model drift (degradation over time), and regulatory exposure (EU AI Act, sector-specific rules). Thorough due diligence protects against these AI-specific risks.
Due Diligence Framework
A comprehensive AI vendor due diligence framework covers five key domains. Each must be evaluated before engaging an AI vendor for high-stakes applications.
- Technical Assessment: Evaluate AI capabilities, architecture, performance metrics, scalability, and integration requirements.
- Security Evaluation: Assess data protection, model security, adversarial robustness, and incident response capabilities.
- Compliance Verification: Verify regulatory compliance, certifications, audit capabilities, and alignment with legal requirements.
- Business Viability: Evaluate financial stability, market position, support capabilities, and long-term sustainability.
- Ethical AI Practices: Review bias testing, fairness metrics, transparency practices, and responsible AI governance.
- Exit Planning: Assess data portability, model transferability, transition support, and vendor lock-in risks.
Technical Assessment
Technical due diligence evaluates whether the AI solution meets functional requirements and can be reliably integrated into your environment.
📋 Technical Assessment Checklist
Model Architecture & Performance
- Document model type, architecture, and version
- Review accuracy metrics on relevant benchmarks
- Evaluate performance on your specific use case data
- Assess latency, throughput, and scalability limits
- Verify model update/retraining processes
Data Requirements
- Understand input data requirements and formats
- Assess data preprocessing/preparation needs
- Verify data quality thresholds and handling
- Document training data composition (if disclosed)
- Evaluate data volume and storage requirements
Integration & Deployment
- Review API documentation and stability
- Assess deployment options (cloud, on-premise, hybrid)
- Verify compatibility with existing infrastructure
- Evaluate SDK/library support for your tech stack
- Document dependency requirements
Explainability & Transparency
- Assess explanation capabilities for model outputs
- Review available interpretability tools
- Verify confidence score availability and calibration
- Document model card/datasheet availability
- Evaluate human override mechanisms
| Technical Metric | What to Verify | Red Flags |
|---|---|---|
| Accuracy | Performance on your data, not just benchmarks | Only benchmark results; no custom testing |
| Latency | P50, P95, P99 response times under load | No SLA; only average latency quoted |
| Scalability | Performance degradation under scale | Untested at your expected volume |
| Reliability | Uptime history, failover capabilities | No uptime commitment; single point of failure |
| Versioning | Model version control, rollback capability | No version tracking; forced updates |
Security Evaluation
AI systems introduce unique security considerations beyond traditional software, including adversarial attacks, model theft, and data poisoning risks.
📜 Security Assessment Areas
- Data Protection: Encryption at rest/in transit, access controls, data residency, retention policies
- Model Security: Protection against model extraction, adversarial inputs, prompt injection
- Infrastructure: Cloud security posture, network segmentation, vulnerability management
- Access Management: Authentication, authorization, audit logging, least privilege
- Incident Response: Detection capabilities, response procedures, notification commitments
🔒 Security Due Diligence Questions
Data Security
- Where is customer data stored and processed?
- Is customer data used to train or improve models?
- How is data segregated between customers?
- What encryption standards are used?
- What is the data retention and deletion policy?
AI-Specific Security
- How are adversarial attacks detected and prevented?
- What protections exist against prompt injection?
- How are model weights and architectures protected?
- Is there monitoring for anomalous model behavior?
- What input validation and sanitization are performed?
Certifications & Audits
- SOC 2 Type II certification status
- ISO 27001 certification status
- Penetration testing frequency and findings
- Third-party security audit reports
- Bug bounty program availability
⚠ AI Security Red Flags
- Training Data Use: Customer data used for model training without explicit consent
- No Segregation: Multi-tenant without proper data isolation
- Opaque Security: Unwilling to share security documentation or audit reports
- No AI-Specific Controls: Standard security only; no adversarial robustness testing
- Forced Data Sharing: Model improvement requires sharing sensitive data
Compliance Verification
AI compliance due diligence must address both general regulations (GDPR, sector-specific rules) and emerging AI-specific requirements (EU AI Act, state AI laws).
| Regulation | Key Requirements | Vendor Evidence Needed |
|---|---|---|
| EU AI Act | Risk classification, high-risk requirements, transparency | Conformity assessment, technical documentation, CE marking (if applicable) |
| GDPR | Lawful basis, data subject rights, DPIAs | DPA, Article 28 compliance, DPIA documentation |
| Sector Rules | Healthcare (HIPAA), Financial (fair lending), Employment | Sector certifications, compliance attestations |
| Anti-Discrimination | Fair treatment across protected characteristics | Bias testing results, fairness metrics, audit reports |
| Transparency Laws | Disclosure of AI use to affected individuals | Disclosure templates, explanation capabilities |
⚖ Compliance Documentation Request List
General Compliance
- Privacy policy and data processing addendum
- Data processing agreement (GDPR Article 28)
- Standard contractual clauses (for international transfers)
- Sub-processor list and notification process
- Data breach notification procedures
AI-Specific Compliance
- EU AI Act risk classification documentation
- Technical documentation (high-risk systems)
- Conformity assessment documentation
- Human oversight mechanism documentation
- Model card or AI system documentation
Bias & Fairness
- Bias testing methodology and results
- Fairness metrics and thresholds used
- Protected characteristic handling
- Third-party algorithmic audit reports
- Remediation processes for identified bias
Business Viability Assessment
AI vendor stability is critical given the investment required to integrate AI systems. Vendor failure can strand organizations with unsupported systems and inaccessible data.
📈 Financial & Business Health Indicators
- Financial Stability: Revenue, funding, burn rate, profitability, debt levels
- Market Position: Customer base size, retention rates, competitive position
- Team Strength: Key personnel, AI expertise depth, turnover rates
- Product Roadmap: Development plans, innovation trajectory, R&D investment
- Support Capability: Support tiers, response times, escalation procedures
Financial:
- What is your current funding status and runway?
- What is your revenue growth trajectory?
- Are you profitable, or when do you expect to reach profitability?
Operations:
- How many customers use this specific AI product?
- What is your customer retention rate?
- Can you provide customer references in our industry?
Support:
- What support tiers are available?
- What are guaranteed response times for critical issues?
- Is dedicated support available for enterprise customers?
Exit Planning & Data Portability
Exit planning is essential to avoid vendor lock-in and ensure business continuity if the relationship ends or the vendor fails.
⚠ Vendor Lock-In Risks in AI
- Data Lock-In: Customer data trapped in vendor systems, difficult to extract
- Model Lock-In: Fine-tuned models that cannot be exported or replicated
- Integration Lock-In: Deep integration requiring significant rework to change vendors
- Knowledge Lock-In: Institutional knowledge embedded in vendor-specific approaches
- Format Lock-In: Proprietary data formats not easily converted
🚪 Exit Planning Checklist
Data Portability
- Can all customer data be exported in standard formats?
- What is the process and timeline for data extraction?
- Are there costs associated with data export?
- Is the training data used for our model exportable?
- What data will be deleted after termination?
Model Portability
- Can fine-tuned or custom models be exported?
- In what format are models exportable?
- What dependencies exist for model operation?
- Can model weights be transferred to on-premise?
- What licensing restrictions apply to exported models?
Transition Support
- What transition assistance is provided?
- What is the notice period for termination?
- Is continued access available during transition?
- What documentation is provided for migration?
- Are there escrow arrangements for source code/models?
Contractual Protections:
- Data Export Right: Right to export all data in machine-readable format within 30 days of termination
- Transition Period: 90-180 day transition period with continued service at current rates
- Model Export: Right to export fine-tuned models or receive assistance to replicate performance
- Source Code Escrow: Escrow agreement triggered by bankruptcy, acquisition, or service discontinuation
- API Continuity: Commitment to maintain API compatibility or provide migration path
- Documentation: Right to full technical documentation upon exit
Ethical AI Assessment
Evaluating a vendor's responsible AI practices protects against reputational, legal, and ethical risks associated with AI deployment.
✔ Responsible AI Indicators
- AI Ethics Policy: Published principles and governance framework
- Bias Testing: Regular testing across protected characteristics
- Transparency: Model cards, datasheets, documentation of limitations
- Human Oversight: Mechanisms for human review and override
- External Audit: Third-party algorithmic audits
- Incident Response: Process for addressing harmful outputs
| Ethical AI Practice | Questions to Ask | Evidence to Request |
|---|---|---|
| Fairness | How do you test for and mitigate bias? | Bias testing methodology, results, fairness metrics |
| Transparency | What documentation do you provide on model behavior? | Model cards, system cards, limitation documentation |
| Accountability | Who is responsible for AI harms? | Governance structure, accountability matrix |
| Human Control | What human oversight mechanisms exist? | Override capabilities, review processes |
| Safety | How do you prevent harmful outputs? | Safety testing, content filters, red teaming results |
Key Takeaways
- Comprehensive Assessment: Cover technical, security, compliance, business, and ethical dimensions
- AI-Specific Risks: Address bias, explainability, data governance, and adversarial robustness
- Documentation Requests: Obtain security certifications, bias reports, compliance attestations
- Business Viability: Assess financial stability, especially for AI startups
- Exit Planning: Ensure data and model portability from day one
- Ethical Practices: Verify responsible AI commitments with evidence
- Ongoing Monitoring: Due diligence is not one-time; establish ongoing vendor assessment