Inferensys

Glossary

Vendor Due Diligence Questionnaire

A standardized assessment tool used to evaluate a third-party AI provider's security, privacy, and ethical practices before procurement.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
PROCUREMENT RISK ASSESSMENT

What is a Vendor Due Diligence Questionnaire?

A standardized assessment tool used to evaluate a third-party AI provider's security, privacy, and ethical practices before procurement.

A Vendor Due Diligence Questionnaire is a structured, standardized assessment instrument used to systematically evaluate a third-party AI provider's security posture, data governance protocols, regulatory compliance, and ethical practices prior to procurement or partnership. It serves as the primary evidence-collection mechanism within the broader third-party risk management lifecycle, transforming abstract vendor claims into verifiable, auditable data points for risk committees.

In the context of Enterprise AI Governance, these questionnaires extend beyond standard IT security queries to probe model provenance, training data lineage, bias detection methodologies, and conformity assessment readiness under frameworks like the EU AI Act. The output directly informs inherent risk ratings and residual risk scoring, enabling procurement teams to quantify algorithmic supply chain dependencies and enforce model risk tiering before granting system access.

VENDOR DUE DILIGENCE

Core Components of an AI VDDQ

A robust Vendor Due Diligence Questionnaire for AI systems must probe beyond standard IT security to assess algorithmic integrity, data provenance, and regulatory compliance. The following components represent the critical assessment domains.

01

Model Transparency & Documentation

Evaluates the vendor's commitment to algorithmic openness. This section requests structured artifacts like Model Cards and System Cards to verify intended use, performance benchmarks, and known limitations.

  • Request a complete AI Bill of Materials (AIBOM)
  • Verify the existence of a Foundation Model Transparency Report
  • Assess the granularity of Training Data Lineage documentation
02

Security & Adversarial Robustness

Probes the model's resilience against malicious exploitation. This component requires evidence of testing against Prompt Injection, Jailbreak Susceptibility, and Data Poisoning Vectors.

  • Review the latest Red-Teaming Report
  • Validate defenses against Model Inversion and Membership Inference Attacks
  • Confirm the presence of an Output Moderation API and Guardrail Configuration
03

Data Governance & Privacy

Scrutinizes the provenance and legal standing of training data. This section ensures compliance with Differential Privacy Budgets and intellectual property laws.

  • Audit for Copyright Infringement risks in training data
  • Verify Cross-Border Data Transfer Impact Assessments
  • Assess the implementation of Purpose Limitation Controls
04

Regulatory Compliance & Risk Tiering

Maps the vendor's system to specific regulatory frameworks like the EU AI Act. This component classifies the system based on Inherent Risk Rating and Residual Risk Scoring.

  • Determine if the system meets High-Risk Classification criteria
  • Verify Conformity Assessment documentation
  • Review the Responsible Scaling Policy for frontier models
05

Operational Stability & Lifecycle

Assesses the vendor's operational maturity regarding model deprecation and incident response. This ensures business continuity and prevents Vendor Lock-In Risk.

  • Review the Model Deprecation Policy and Rollback Procedure
  • Validate the API Stability Commitment
  • Confirm the existence of a Kill Switch Mechanism and Escrow Agreement
06

Fairness & Ethical Alignment

Measures the societal impact of the automated decision system. This component requires quantitative evidence of bias testing and value alignment.

  • Analyze the Disparate Impact Ratio across demographics
  • Verify training methodology, specifically Reinforcement Learning from Human Feedback (RLHF)
  • Test for Specification Gaming and Alignment Faking
INTEGRATION POINT

How a VDDQ Fits into the Procurement Lifecycle

The Vendor Due Diligence Questionnaire (VDDQ) is a structured gate within the procurement lifecycle that operationalizes AI risk assessment before contractual commitment.

A Vendor Due Diligence Questionnaire is deployed during the vendor evaluation phase, after initial sourcing but before a proof-of-concept. It serves as a standardized instrument to collect evidence regarding a third-party's model provenance, training data lineage, and safety alignment thresholds. This stage ensures that the algorithmic supply chain is transparent before technical integration begins.

The completed VDDQ feeds directly into the residual risk scoring and model risk tiering processes, informing the final conformity assessment. Procurement teams use the questionnaire's findings to negotiate intellectual property indemnification clauses and define rollback procedures in the master service agreement, embedding governance into the legal architecture of the vendor relationship.

VENDOR AI DUE DILIGENCE

Frequently Asked Questions

Essential questions procurement and risk management teams must ask to evaluate third-party AI providers against security, privacy, and ethical standards before integration.

A Vendor Due Diligence Questionnaire (VDDQ) for AI is a standardized assessment instrument designed to systematically evaluate a third-party provider's algorithmic practices, data governance posture, and security controls before procurement. Unlike generic IT questionnaires, an AI-specific VDDQ probes the unique risks of machine learning supply chains, including training data lineage, model provenance, hallucination rate benchmarks, and adversarial robustness. The questionnaire typically maps to regulatory frameworks such as the EU AI Act, requiring vendors to disclose their high-risk classification status, conformity assessment results, and human oversight mechanisms. Effective VDDQs produce quantifiable outputs like a residual risk score that informs the model risk tiering decision, ensuring the procurement team understands whether the vendor's system requires enhanced monitoring, an escrow agreement, or a kill switch mechanism.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.