Free guide

AI vendor risk review checklist

If a team uses AI in client work, buyers may ask which tools are used, what data goes into them, who reviews the outputs, and where those vendors fit in the subprocessor list.

Review fields to track

  • AI vendor name, owner, approved use cases, and users.
  • Data allowed, data prohibited, and project-specific restrictions.
  • Whether customer, client, confidential, or regulated data may be processed.
  • Human review requirements for outputs that reach clients or buyers.
  • Disclosure wording and client exception process.

Separate internal rules from client disclosure

The internal review decides what the team should do. The client disclosure explains what the team actually does. Keep both aligned so buyers do not see one answer in a policy and another in a proposal.

Do not use a checklist as permission to process sensitive, regulated, privileged, financial, medical, child, or secret data in AI tools.

Connect AI vendors to subprocessors

If an AI tool can touch customer or client data, buyers may expect it to appear in a vendor register, subprocessor list, or AI vendor register. Keep the naming consistent across all three.

Need the full packet?

The Growth Procurement Stack includes AI vendor register, acceptable-use, client disclosure, and security questionnaire templates.


Scope limit

This guide and the related templates are not legal advice, privacy advice, cybersecurity advice, employment advice, compliance certification, or permission to use client confidential or regulated data in AI tools.