Start Here: AI Vendor Risk Pack
A practical evidence guide for reviewing AI vendors before procurement, renewal, or audit preparation.

AI vendor risk is not a questionnaire problem. It is an evidence conversion problem.
Most teams already have vendor questionnaires. They ask about security, data protection, subprocessors, incident response, SOC 2, business continuity, privacy terms, and access control.
That is useful.
But AI vendors create a harder review problem.
A vendor answer may sound polished and still not be reviewable evidence.
The question is not only:
Did the vendor answer?
The harder question is:
Can the buyer rely on this answer later?
Problem
A vendor may say:
We do not train on your data.
That may be true.
But the review should not stop there.
The buyer still needs to ask what “training” means. Does it include fine-tuning? Evaluation? Abuse monitoring? Support review? Retained logs? Subprocessors? Can the customer export evidence later?
The problem is not that every vendor answer is false.
The problem is that many vendor answers remain narrative claims.
They sound reassuring, but they do not become evidence requests, weak-answer patterns, red flags, review notes, or residual risk language.
That creates a gap in the review file.
If the vendor is approved or renewed, the buyer may still be unable to explain why the answer was accepted.
What this pack does
AI Vendor Risk Pack helps teams convert AI vendor claims into evidence-aware review language.
It starts with common vendor claims and asks:
What evidence should be requested?
What would make the answer weak?
What should be treated as a red flag?
What review note should be preserved?
This is not a longer questionnaire.
A questionnaire collects answers.
This pack helps review whether those answers are evidence-complete.
Example
Vendor claim:
We do not train on your data.
Evidence to request:
DPA clause. Data retention table. Admin opt-out setting. Subprocessor statement. Support access policy. Logging scope. Exception handling language.
Weak answer:
The vendor repeats that it does not train on customer data, but does not define training, retention, evaluation, support access, logging, or subprocessors.
Red flag:
The vendor cannot explain whether customer data is used for evaluation, fine-tuning, abuse monitoring, support review, or retained logs.
Review note:
The claim is directionally useful but not evidence-complete. Additional evidence is needed before relying on it in procurement, renewal, or audit preparation.
This is the basic structure of the pack.
The point is not to accuse the vendor. The point is to avoid accepting a vendor claim before it becomes reviewable evidence.
Who it is for
This pack is for people involved in AI vendor review:
compliance, technology risk, security review, procurement risk, internal audit support, and founders preparing enterprise AI vendor evidence.
The first version focuses on five review domains:
Data use.
Model change and governance.
Security and logging.
Human approval and agent permission.
Auditability and evidence export.
What it is not
AI Vendor Risk Pack is not certification, vendor rating, legal advice, regulatory advice, audit opinion, procurement approval, model benchmarking, or a generic AI governance checklist.
It does not approve or reject vendors.
It is a practical evidence-structuring aid for review preparation.
Reading path
This series starts with one claim:
Vendor claim is not evidence.
The first articles will cover:
AI Vendor Risk Is Not a Questionnaire Problem
“We Don’t Train on Your Data” Is Not Enough
Why SOC 2 Does Not Answer AI-Specific Vendor Risk
Turning AI Vendor Claims into Evidence
The first sample pack will include 15 AI vendor evidence questions across five review domains.
Get the sample questions
I am preparing:
AI Vendor Risk Pack — 15 Sample Evidence Questions
It is meant for people who review AI vendors, sell AI tools into enterprise buyers, or support procurement, risk, security, compliance, or audit conversations.
For now:
Reply if you want the draft sample questions.
Boundary
This material is for evidence structuring and review preparation.
It does not provide legal, regulatory, audit, procurement, certification, or implementation advice.
Examples are illustrative unless separately validated for a specific organization and use case.