scenarios-vendor.md

Bundled with AI Governance Reviewer Skill · references/scenarios-vendor.md

Third-Party AI Vendor Scenario

Read this file for procurement, diligence, or review of vendors that provide AI capabilities, AI infrastructure, models, embedded AI features, or AI-enabled services.

Typical Examples

  • SaaS vendors with AI features
  • Foundation-model or API providers
  • Legal, HR, support, or analytics vendors using AI
  • Vendors that process company or customer data with AI

Typical Risk Areas

  • Vendor prompt or data reuse
  • Unclear subprocessors or data-transfer paths
  • Unclear allocation of responsibilities
  • Model or feature changes without notice
  • Weak audit rights or weak incident notice commitments
  • No commitment to continuous improvement of controls

Required Questions

  • What data will the vendor receive, store, or process?
  • Does the vendor claim rights to retain prompts, outputs, or training data?
  • What subprocessors, hosting regions, and transfer mechanisms are involved?
  • What documentation exists for security, privacy, testing, and model governance?
  • What notice is given for model updates, incidents, or material control changes?
  • What contractual owners inside the company must review or approve the arrangement?
  • Is there a DPA, privacy addendum, or equivalent contract language?
  • Is there a current subprocessor list?
  • What audit rights, audit reports, certifications, or control attestations exist?
  • What testing, red-team, monitoring, and incident response documentation has the vendor provided?
  • What disclosures or instructions will end users receive if the vendor AI is embedded in a workflow or product?
  • Has an AI impact assessment or vendor risk assessment been completed?

First Intake Set

Use this grouped intake set first when facts are missing:

  • What vendor and AI capability are being reviewed?
  • What data will the vendor receive, retain, or use for training?
  • Is there a DPA, subprocessor list, and transfer or hosting information?
  • What audit rights, certifications, or control materials exist?
  • What incident, model-change, and notification commitments exist?
  • What internal owners, approvals, and assessments exist today?

Review Focus

  • Data-use rights and retention
  • Security, privacy, and transfer controls
  • Vendor testing and monitoring representations
  • Contract allocation of responsibilities
  • Incident, audit, and change-notification rights