AI vendor security questionnaire template
Review AI vendors, model providers, OAuth scopes, MCP tools, retention, training, audit logs, and customer-safe evidence before approving use or answering customer questionnaires.
Direct answer
Use this template to convert AI risk into reviewable evidence, not vague yes/no promises.
AI vendor review questions, answers, evidence, and red flags
Copy these into a vendor risk review, AI intake, customer security questionnaire, or answer-library row.
| Area | Question | Acceptable answer | Evidence to request | Red flag |
|---|---|---|---|---|
| AI data use | What customer data, prompts, outputs, embeddings, files, or metadata does the AI vendor process? | The vendor identifies data categories, processing purpose, storage location, retention period, deletion process, and whether humans review content. | DPA, data-processing documentation, retention settings, admin screenshots, subprocessor list. | The answer says data is secure but does not separate inference, training, logging, evaluation, or support access. |
| Training and opt-out | Can customer data be used for model training, fine-tuning, evaluation, or product improvement? | The vendor states the default training position, opt-out path, contract controls, tenant settings, and scope boundaries. | Terms, enterprise data controls, DPA language, admin configuration, vendor security page. | The vendor treats opt-out, retention, human review, and training as one vague promise. |
| Model providers | Which model providers, subprocessors, or fourth parties can process prompts, outputs, embeddings, or logs? | The vendor names providers, regions, subprocessors, notification process, and data types sent to each party. | Subprocessor list, model-provider terms, data-flow diagram, region statement. | The vendor only names the AI brand but not the actual model provider, hosting path, or support vendors. |
| OAuth and integrations | Which integrations and OAuth scopes does the AI vendor request? | The vendor lists each integration, minimum scopes, token custody, refresh-token storage, approval owner, and revocation path. | OAuth scope sheet, admin consent record, token revocation runbook, integration documentation. | The vendor asks for broad read/write scopes without explaining why they are required. |
| MCP and tool calls | Can agents call MCP tools, browser actions, APIs, code execution, or production systems? | The vendor explains allowed tools, denied actions, approval rules, tenant boundaries, logging, and emergency disablement. | MCP security checklist, tool permission map, audit log sample, gateway policy, approval workflow. | The vendor lists available tools but not tool permissions, policy enforcement, logging, or rollback. |
| Human review | Which AI outputs require human review before customer-facing, security, legal, or high-impact use? | The vendor separates drafting from approval and shows owner, workflow, exception handling, and auditability. | Workflow screenshots, reviewer policy, audit trail, escalation rules. | The product implies automation can send sensitive answers without owner approval. |
| Incident and evidence | How can the vendor investigate, notify, and preserve evidence after AI misuse or data exposure? | The vendor can identify impacted tenants, preserve logs, disable features, revoke tokens, notify customers, and provide incident evidence. | Incident response policy, log retention policy, customer notification process, disable runbook. | The vendor has no way to connect a problematic output or tool call back to user, tenant, data, or policy decision. |
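The OAuth, MCP, and incident rows above all ask for the same underlying artifacts: a minimum-scope sheet, a tool permission map with deny-by-default and approval rules, an emergency disable switch, and an audit record that ties each tool call back to tenant, user, and the policy rule that decided it. The script below is an added example, not code from the original page or from any vendor it describes; tool names, scopes, tenants, users, and policy entries are constructed for illustration.

```python
"""Tool-permission gateway and OAuth scope check for AI vendor review.

Added example, not from the original page. Tool names, scopes, tenants and
policy entries are constructed to show what the table's evidence looks like.
"""
from datetime import datetime, timezone

# Constructed tool permission map. Any tool not listed is denied by default.
TOOL_POLICY = {
    "search_docs": {"effect": "allow"},
    "send_email": {"effect": "require_approval", "approver_role": "owner"},
    "run_sql": {"effect": "deny"},
}

# Constructed minimum-scope sheet: integration -> scopes the review approved.
APPROVED_SCOPES = {
    "mail": {"mail:read"},
    "files": {"files:read", "files:metadata"},
}

# Emergency disablement: tools switched off per tenant (constructed state).
DISABLED_TOOLS = {"tenant-b": {"send_email"}}

# In-memory audit log; a real gateway would ship these records elsewhere.
AUDIT_LOG = []


def check_scopes(integration, requested):
    """Return (ok, excess): scopes beyond the approved minimum are a red flag."""
    approved = APPROVED_SCOPES.get(integration, set())
    excess = sorted(set(requested) - approved)
    return (not excess, excess)


def evaluate_tool_call(tenant, user, tool, approver=None, approver_role=None):
    """Decide one tool call and write an audit record that ties the decision
    to tenant, user, tool, approver and the policy reason that produced it."""
    rule = TOOL_POLICY.get(tool, {"effect": "deny"})  # unknown tool -> deny
    if tool in DISABLED_TOOLS.get(tenant, set()):
        decision, reason = "deny", "emergency_disabled"
    elif rule["effect"] == "allow":
        decision, reason = "allow", "policy_allow"
    elif rule["effect"] == "require_approval":
        if approver and approver_role == rule["approver_role"]:
            decision, reason = "allow", "approved_by_" + rule["approver_role"]
        else:
            decision, reason = "deny", "approval_missing"
    else:
        decision = "deny"
        reason = "policy_deny" if tool in TOOL_POLICY else "unknown_tool"
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "tenant": tenant, "user": user, "tool": tool,
        "decision": decision, "reason": reason, "approver": approver,
    }
    AUDIT_LOG.append(record)
    return record


def trace(tenant=None, tool=None, decision=None):
    """Incident question from the table: which users in which tenant hit
    this tool, and what did policy decide? Filters are optional."""
    return [r for r in AUDIT_LOG
            if (tenant is None or r["tenant"] == tenant)
            and (tool is None or r["tool"] == tool)
            and (decision is None or r["decision"] == decision)]


if __name__ == "__main__":
    # A vendor asking for mail:send when only mail:read was approved.
    print(check_scopes("mail", ["mail:read", "mail:send"]))
    calls = [
        ("tenant-a", "alice", "search_docs"),
        ("tenant-a", "alice", "send_email"),                  # no approval
        ("tenant-a", "bob", "send_email", "carol", "owner"),  # approved
        ("tenant-b", "dave", "send_email", "carol", "owner"), # kill switch
        ("tenant-a", "eve", "run_sql"),                       # denied tool
        ("tenant-a", "eve", "delete_repo"),                   # unlisted tool
    ]
    for args in calls:
        print(evaluate_tool_call(*args))
    print(trace(tenant="tenant-a", decision="deny"))
```

The design choices map to the table's red flags: an unlisted tool is denied rather than allowed, approval is checked against a named role instead of a free-text flag, the per-tenant disable set is consulted before any policy rule so emergency disablement wins, and every decision, including denials, lands in the audit log so an incident reviewer can answer "who called what, in which tenant, and why was it allowed".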
Example and counterexample
A useful AI questionnaire answer names the evidence and the boundary: for example, the tenant setting that disables training on customer prompts, the retention period that applies to prompt and output logs, and the subprocessor that hosts the model. The counterexample is an answer that states that data is secure without saying which processing path (inference, training, logging, evaluation, or support access) the statement covers.
FAQ
Short answers for AI vendor security review and customer questionnaire workflows.
What should an AI vendor security questionnaire include?
It should include AI data use, training and opt-out controls, model providers, subprocessors, retention, deletion, OAuth scopes, MCP or tool access, human review, audit logs, incident response, and evidence links.
Is SOC 2 enough for AI vendor risk assessment?
No. SOC 2 attests to general controls, but AI vendor review also needs data-flow, training, retention, model-provider, tool-permission, and audit evidence that a SOC 2 report does not normally cover.
How do you answer AI security questionnaire questions safely?
Normalize the question, verify the current vendor evidence, mark claim level, add caveats, route legal or security review, and store the approved language in an answer library.
When should MCP security questions be added?
Add MCP questions when the vendor or internal AI workflow can call tools, connect to systems, use delegated OAuth scopes, execute actions, or operate through an agent gateway.