Vendor AI security assessment — without access to the vendor's source.

Procurement is moving faster than security review. A line-of-business team buys a SaaS product that quietly added an AI feature. A new vendor pitches an AI-first workflow. An existing vendor announces that they will be sending customer data to a third-party model. In each case, the security review that was performed at original procurement either did not cover the AI surface or did not exist. The system has changed; the disposition record has not.

Vendor AI assessment is the structured review you can run when you cannot see the source code, cannot inspect the model weights, cannot audit the training data, and cannot access the runtime configuration. What you can review is documented architecture, declared data handling, contractual control claims, and the evidence the vendor will provide that those claims are operating.

The output is the same shape as any other Drel assessment — a threat model specific to the vendor deployment, a control plan, an evidence gaps report, and a clearance decision. The difference is that the controls split into two columns: controls implemented by the vendor (where evidence comes from vendor disclosures) and controls implemented by your organisation (where evidence comes from your own records).

Without source-level access, six categories of evidence are available, and each one is something you can demand in writing as part of procurement:

• Documented architecture.A system description that names the model, the prompt structure, the tools the model has access to, the data flows between user input and the model, and any retrieval or memory layer. “We use AI” is not a system description. A system description names specifics — provider, hosting region, version, and configuration.
• Data handling policy. What customer data enters the model context. What is retained, where it is retained, for how long, who can access it. Whether prompts and outputs are used for model training. What happens to data if you terminate the contract.
• Contractual control claims. A list of the security controls the vendor commits to maintain. These belong in the contract or in a referenced security addendum, not in marketing pages. A control claim that is not in a contract is not an enforceable control.
• Evidence of control claims. SOC 2 report (preferably Type II), ISO 27001 certificate, penetration test summary, recent third-party AI assessment if available. Each document covers different controls; none alone covers AI-specific risk.
• Sub-processor list and accountability. Which third parties the vendor relies on to deliver the AI feature. Model providers, hosting infrastructure, observability platforms. A sub-processor list with a date and a notification policy when it changes.
• Incident history and disclosure policy. Has the vendor disclosed any AI-related incidents? What is their disclosure policy if an incident affects your data? What is the notification window? What evidence will they provide to support post-incident response?

Vendors often offer standard documents that imply broad assurance. Each of those documents covers a specific scope, and most do not cover AI-specific concerns. Reading them honestly:

• SOC 2 Type II — covers operational controls over availability, security, confidentiality, and (sometimes) privacy. It does not typically cover AI-specific risks like training data provenance, model behavior under adversarial input, prompt injection handling, or retention of model context. Ask whether the SOC 2 scope explicitly includes the AI features you are buying.
• ISO 27001 certificate — covers an information security management system. Useful evidence of organisational security maturity. Does not address AI-specific risk management. If the vendor also claims ISO 42001, ask for the certificate and the scope statement.
• Penetration test report — covers application-level vulnerabilities. Penetration tests on AI surfaces (prompt injection, indirect injection via retrieved content, tool abuse) require specialised testers. Ask whether AI-specific testing was in scope and which threats were tested.
• Data processing agreement (DPA) — the legal instrument that governs personal data handling. Required under GDPR if personal data is processed. Should explicitly cover AI use of the data, training data exclusion, and sub-processor commitments.
• Model card or system card — vendor-provided documentation of the AI system. Quality varies. A useful model card names the base model, training data sources, known limitations, evaluation results, and intended use cases. Generic marketing pages are not model cards.

Each gap in this evidence list is itself recordable evidence. A vendor that declines to provide a SOC 2 report has provided you with an evidence gap, which becomes a control gap in your assessment, which informs the disposition.

A useful vendor AI questionnaire is adversarial in structure, not extractive. Extractive questionnaires ask the vendor to describe their AI feature. Adversarial questionnaires assume the description and then ask follow-up questions that test the description against documented evidence.

The questionnaire should produce a record covering at least seven sections: system description (what the AI feature does and how), data flows (what enters the model, what is returned, what is retained, where), model governance (who provides the model, how it is updated, how the vendor evaluates model changes),access controls (who at the vendor can see customer data and prompts),incident response (notification policy, disclosure commitments, evidence provided post-incident), sub-processor accountability (list with dates, notification on change, contractual flow-down), and re-assessment triggers (what vendor changes require you to re-review).

Each question is paired with an evidence requirement. “Does the vendor train on customer data?” is paired with “Provide the contractual clause that prohibits this.” A yes/no answer with no supporting evidence is recorded as an evidence gap.

Under the EU AI Act, the obligations attach to two roles: providers (who develop and place AI systems on the market) and deployers (who use AI systems in their operations). When you procure a vendor AI feature and use it in your workflow, you are a deployer. If the AI feature qualifies as a high-risk AI system under Annex III, you have deployer obligations even though you did not build the system.

Deployer obligations include: ensuring the system is used in accordance with the provider's instructions, monitoring the system in operation, maintaining logs where the provider has provided log functionality, and informing affected persons that they are subject to a high-risk AI system. None of these are satisfied by “the vendor is responsible”. They are your obligations.

For high-risk vendor systems, the deployer should retain a documented risk record (your own, separate from the provider's Article 9 risk management). The Drel vendor assessment record supports this — it documents your assessment of the system, the conditions under which you authorised its use, and the re-assessment triggers you have committed to.

A vendor system rarely receives an unconditional proceed disposition on first assessment. The typical outcome is a conditional clearance with explicit contractual requirements that must be met before production use. Examples of conditions that appear regularly:

• Vendor must execute an updated DPA naming the AI feature explicitly and confirming the training data exclusion clause.
• Vendor must commit in writing to a sub-processor change notification window of at least 30 days.
• Vendor must provide a model card or system card before deployment. Generic FAQ pages are not acceptable.
• Customer data classified as “restricted” under your data classification policy is excluded from the AI feature pending further assessment.
• Re-assessment triggers: vendor changes the underlying model, adds a new sub-processor, changes the data retention period, or publicly discloses an AI-related incident.

These conditions belong in the disposition record, alongside an owner for each condition and a deadline. They convert “we did a security review” into “we authorised this vendor under these specific conditions, and here is the evidence”.