← Findings 🕐 13 min read
Findings

When a Customer Sends You an AI Questionnaire: The Response Kit

Brandon Sneider · April 2026

IBM's 2025 data found that 13% of organizations reported breaches involving AI models and 97% of those lacked proper AI access controls.

Executive Summary

  • Enterprise customers are now sending AI-specific security questionnaires to their mid-market vendors. The 2026 SIG questionnaire added a dedicated Artificial Intelligence domain (Shared Assessments). The Cloud Security Alliance published AI-CAIQ v1.0.2 in October 2025. Large buyers are layering 20-40 AI-specific questions on top of their standard SOC 2 / ISO 27001 review before renewing vendor contracts.
  • The problem for mid-market vendors is not the question — it is the answer under pressure. Procurement deadlines push sales leaders to check every “yes” box. Every overstated “yes” becomes a contract representation that the vendor cannot back up in litigation or a breach response.
  • The 10 questions below are the ones that actually appear, the specific traps each one sets, and the honest answer template that keeps the deal alive without creating liability. Three rules apply to every answer: disclose specifically (not generically), qualify with policy (not with promises), and attach documentation (not adjectives).
  • The vendors winning renewals are the ones who can answer “we don’t do that yet, here is what we do, here is the policy, here is the roadmap” — specifically. Buyers’ AI risk teams are trained to detect marketing language. Specificity signals maturity. Vagueness signals risk.
  • If you fill the questionnaire out by copying your competitors’ answers or by letting sales draft it alone, you will either lose the contract or sign yourself into a representation you cannot defend.

Why This Is Happening Now

IBM’s 2025 data found that 13% of organizations reported breaches involving AI models and 97% of those lacked proper AI access controls. 63% of breached organizations had no AI governance policy or were still drafting one. The $4.91 million average cost of a third-party vendor compromise (IBM, 2025) landed on the desks of enterprise CISOs, who responded the only way procurement allows: they pushed the risk down to their suppliers through questionnaires.

Two standard instruments drive most of what mid-market vendors are receiving:

  • SIG 2026 (Shared Assessments): 21 risk domains; added a dedicated AI domain covering AI governance, model reliability, bias, and transparency. The most common questionnaire at Fortune 1000 procurement.
  • AI-CAIQ v1.0.2 (Cloud Security Alliance, Oct 16, 2025): Governance, security and model integrity, privacy, operational resilience. Used as an add-on by cloud-mature buyers.

Large buyers also build custom questionnaires of 20-40 AI-specific questions, often derived from the two above. The questions below are the ones that recur across all three formats.

The 10 Questions You Will See and How to Answer Them

1. “Do you use AI in delivering services to us? Which tools? Which employees? Which processes?”

The trap: Answering “no” is almost always wrong — most vendors have employees using ChatGPT, Claude, Microsoft Copilot, or an embedded AI feature in their SaaS stack. A “no” that is later contradicted by a breach disclosure is a misrepresentation. Answering a generic “yes” without specifics invites 15 follow-up questions.

Honest answer template: “Yes. [Specific tools, e.g., Microsoft 365 Copilot under enterprise license, Anthropic Claude via API] are approved for use in service delivery. [List specific workflows — e.g., internal research, draft generation, code assistance]. Consumer-tier AI products are prohibited by written policy. A list of approved tools is maintained by [role] and updated quarterly.”

2. “Is our data used to train AI models, retained by AI providers, or shared with third parties?”

The trap: This is the question most likely to end a deal. Answering “no” without verifying your configuration is a factual misstatement. Enterprise tiers of OpenAI, Anthropic, Microsoft, and Google do not train on customer data — but consumer tiers do. Many vendors use a mix and have not audited which.

Honest answer template: “Customer data is processed by [specific AI providers] under enterprise agreements that (a) prohibit use of customer data for model training, (b) specify retention of [X days or zero-retention mode], and © bind the provider to confidentiality equivalent to our obligations to you. Written acceptable use policy prohibits employees from entering customer data into any AI tool outside the approved list.” Attach the enterprise DPA or the relevant clause from your provider contract.

3. “How do you test AI models for bias, fairness, and accuracy before deployment?”

The trap: Most mid-market vendors do not train or fine-tune models — they consume third-party AI. Answering “we test for bias” when you do not will not survive a follow-up. Answering “we don’t” without context implies negligence.

Honest answer template: “We are a consumer, not a developer, of third-party foundation models from [providers]. Bias, fairness, and accuracy testing at the model level is performed by the providers and published in their model cards and system evaluations. Our internal controls focus on: (a) human review of AI-generated outputs before they reach the customer, (b) documented acceptable use cases, and © monitoring of error and complaint rates. We do not fine-tune models or produce novel model outputs without human judgment.” If you do fine-tune, describe what and how.

4. “Can you provide documentation on how your AI models make decisions?”

The trap: The question assumes the vendor is making automated decisions with AI. Most mid-market services do not — AI generates a draft and a human decides. Answering “yes” here without qualification implies the AI is making the decision, which triggers Colorado AI Act and EU AI Act high-risk obligations.

Honest answer template: “AI outputs in our workflow are decision support, not automated decisions. A human professional reviews and approves every AI-generated output before delivery. We maintain documentation of: which workflow steps use AI, the review process applied, and the credentials of the reviewer. For any workflow where AI would make a decision directly affecting a consumer [identify if applicable — hiring, credit, healthcare], that workflow is flagged for additional governance review before deployment.”

5. “How do you prevent prompt injection, data poisoning, and adversarial attacks on your AI systems?”

The trap: This is a technical security question that presumes the vendor is running AI infrastructure. If you are consuming API-based AI, most of these controls belong to the provider. Copying a generic answer from a security template creates representations you cannot verify.

Honest answer template: “Prompt injection and adversarial input defense is the responsibility of [provider], whose controls are described in [reference provider’s security documentation — e.g., Anthropic’s trust center, OpenAI’s enterprise security]. Our controls focus on: (a) input validation before prompts are sent to provider APIs, (b) output validation before AI responses are surfaced in customer-facing workflows, © monitoring for anomalous usage patterns, and (d) an incident response process that includes AI-specific scenarios.” If you do host models yourself, describe your actual controls — do not invent them.

6. “What happens if your AI system produces incorrect output that harms us?”

The trap: This question is asking for a liability commitment. Sales will want to say “we take full responsibility.” That representation exceeds what most professional liability and E&O policies currently cover for AI-generated work. 33% of AI vendors provide IP indemnification to their own customers (TermScout, 2025) — you cannot pass through protection you did not receive.

Honest answer template: “AI-generated outputs are reviewed by our professional staff before delivery and are subject to the warranty and limitation of liability terms in our master services agreement. We do not warrant the accuracy of AI outputs independently of professional review. If an AI-assisted deliverable is later found to contain an error, our response follows the standard professional remediation process in [Section X of MSA]. Indemnification obligations extend to the deliverable as a whole, not to AI-generated components used without human modification.” Reference your AI contract addendum if you have one.

7. “Which AI-specific regulations do you comply with?”

The trap: A blanket “yes” to EU AI Act, Colorado AI Act, California SB 942, NYC Local Law 144, and Illinois AIVIA is almost never accurate for a mid-market vendor. Each law has specific triggers — most vendors are not covered by most of them. Over-claiming compliance is more dangerous than under-claiming.

Honest answer template: “We monitor AI regulation applicable to our business and our customers’ deployment of our services. Currently applicable obligations: [specific list — e.g., GDPR Article 22 for any automated decision-making affecting EU data subjects, Colorado AI Act deployer obligations if you deploy high-risk AI systems, California SB 942 pass-through if your AI provider is covered]. We do not represent compliance with regulations that do not apply to our business. We will provide written notice if a regulatory change materially affects our AI use in services to you.”

8. “Do you have an AI governance policy, an acceptable use policy, and an incident response plan that covers AI?”

The trap: Answering “yes” when the policy is a paragraph on the intranet does not survive document review. Procurement will ask for the policy. If the document is incoherent or unsigned, the “yes” becomes a finding.

Honest answer template: “Yes — attached. [AI Acceptable Use Policy] specifies approved tools, prohibited uses, and employee acknowledgment requirements. [AI Governance Policy] defines approval process for new AI tools, ownership roles, and review frequency. [Incident Response Plan] includes specific AI scenarios: provider breach notification, unauthorized AI use discovery, AI-generated output error affecting a customer deliverable. Employee AI policy acknowledgment is tracked in [HR system] and current signature rate is [X%].” If any of these do not exist, answer “in development, expected [date]” — it is safer than a false “yes.”

9. “Who at your organization owns AI risk, and how often is it reviewed at the executive level?”

The trap: “Everyone and no one” is the true answer at most mid-market vendors. Naming a role that does not meet would be discovered in a follow-up call with that person.

Honest answer template: “AI risk ownership sits with [specific role — General Counsel, CISO, COO depending on structure]. AI governance is reviewed by [executive committee / risk committee] on a [quarterly / monthly] cadence. Material changes — new AI tools, new AI-touched workflows, regulatory changes, incidents — are escalated to [executive] within [timeframe]. Reporting to the board occurs [annually / at a scheduled cadence].” If AI is not yet on an executive agenda, answer honestly with the date you are standing up governance — buyers prefer a credible plan to a fake committee.

The trap: Notification clauses are reasonable and standard — but an overbroad commitment (“notify within 24 hours of any AI change”) is unworkable. Tighter notification commitments than your employment and vendor contracts can support will be breached and create disclosure obligations you cannot meet.

Honest answer template: “Yes — we commit to written notification in the following scenarios: (a) addition of a new AI tool to the approved list that will process your data, with [30-day / 60-day] advance notice, (b) AI-related security incident affecting your data within the notification timeline specified in our MSA (typically 72 hours from confirmation), © material change to AI governance policy or approved tool list. Routine operational changes within existing approved tools (model version updates, feature releases) are not subject to individual notification but are logged in our internal change management.”

The Three Rules Behind Every Answer

  1. Disclose specifically, not generically. “We use Microsoft 365 Copilot and Anthropic Claude under enterprise agreements” beats “we use AI responsibly.” Specificity signals maturity. Vague language signals that the vendor has not actually thought about the question.

  2. Qualify with policy, not with promises. “Employees are prohibited by written policy from entering customer data into consumer-tier AI tools, with tracked acknowledgment” beats “our employees would never do that.” The policy and the acknowledgment are evidence. The promise is not.

  3. Attach documentation, not adjectives. “Our AI acceptable use policy is attached” beats “we have a comprehensive AI program.” If the documentation does not exist yet, the honest answer is “in development, expected [date].” A credible plan earns more trust than a fake committee.

Key Data Points

Metric Finding Source
SIG 2026 AI domain introduced 2026 edition adds dedicated AI risk domain covering governance, model reliability, bias, transparency Shared Assessments (SIG 2026)
AI-CAIQ v1.0.2 release October 16, 2025 — CSA AI Consensus Assessment framework (governance, security, privacy, operational resilience) Cloud Security Alliance (2025)
Breached orgs without AI governance policy 63% IBM (2025)
Organizations reporting AI-model breach 13%; 97% of those lacked proper AI access controls IBM (2025)
Supply chain attack share of data breach impact 47% of affected individuals in first half 2025 IBM / industry breach data (2025)
Avg cost of third-party vendor compromise $4.91M IBM (2025)
AI vendors providing IP indemnification to customers 33% TermScout (2025)
AI vendors warranting regulatory compliance 17% TermScout (2025)
Written AI acceptable use policies adopted 37% IBM/Ponemon (n=600, 2025)
SIG auto-answer rate via AI-assisted response 70-90% Shared Assessments (2026)

The Questionnaires That Actually Show Up

SIG (Standardized Information Gathering) — Shared Assessments. The most widely deployed vendor risk questionnaire in enterprise procurement. SIG Core covers all 21 risk domains; SIG Lite is a subset. The 2026 edition includes a dedicated AI domain. If your biggest customer is Fortune 1000, expect SIG.

AI-CAIQ (AI Consensus Assessment Initiative Questionnaire) — Cloud Security Alliance. Released October 2025. Focuses on cloud-delivered AI. Used as a supplement by cloud-mature buyers — rarely the primary questionnaire but common as an add-on.

Custom buyer questionnaires. Large buyers build 20-40-question AI addenda derived from SIG, AI-CAIQ, and their own risk framework. These are the hardest to respond to because the questions are interpreted differently by each buyer’s legal and security team. Answering them benefits most from the question-by-question honest template approach above.

CAIQ (not AI-specific). Still widely used for cloud vendor assessment. Does not have AI-specific questions but some buyers will reissue it with AI-related follow-ups in a cover letter.

What This Means for Your Organization

The questionnaire is not the event. The event is what your customer’s AI risk team does with the answers. Vendors that answer specifically, attach documentation, and qualify honestly are retained. Vendors that overpromise are flagged for escalated review, additional diligence, or non-renewal.

Three things are worth doing before the next questionnaire arrives:

  • Name the person who owns AI risk at your company — with a job title, not a committee name.
  • Write the AI acceptable use policy and get employee acknowledgments. This alone answers three or four of the ten questions above.
  • Confirm, in writing, that every AI tool your employees use on customer data is on an enterprise agreement with no-training configuration. Verify it; do not assume.

The goal is not to pass the questionnaire by saying yes to everything. The goal is to pass it by having defensible answers. The customers sending these questionnaires have been burned by vendors who answered yes to things they could not back up. The vendors winning renewals are the ones who can say “we don’t do that yet, here is what we do, here is the policy, here is the roadmap” — specifically.

If you have a questionnaire in front of you right now and the stakes on the contract are significant, I am glad to walk through the specific questions and draft defensible answer language — brandon@brandonsneider.com

Sources

  1. Shared Assessments — SIG Questionnaire 2026 edition. 21 risk domains including a dedicated Artificial Intelligence domain covering AI governance, model reliability, bias, and transparency. Credibility: HIGH — industry-standard vendor risk questionnaire used across Fortune 1000 procurement.

  2. Cloud Security Alliance — AI Consensus Assessment Initiative Questionnaire (AI-CAIQ) v1.0.2, published October 16, 2025. Covers governance, security and model integrity, privacy, and operational resilience with taxonomy of AI lifecycle stages and asset types. URL: https://cloudsecurityalliance.org/artifacts/ai-consensus-assessments-initiative-questionnaire-ai-caiq. Credibility: HIGH — industry consortium framework with broad adoption in cloud vendor assessments.

  3. Atlas Systems — “AI Vendor Risk Assessment Questionnaire for Compliance (2026),” updated March 26, 2026. Structured question library across usage scope, data handling, model governance, security, compliance, operational resilience, and third-party dependencies. Credibility: MEDIUM — vendor-published practitioner guide; cross-referenced against SIG/CAIQ for content accuracy.

  4. IBM / Ponemon Institute — Cost of a Data Breach Report (2025, n=600 organizations). 13% AI-model breach rate, 97% access control gap, 63% governance policy gap, 37% AI AUP adoption, $4.91M average third-party vendor compromise cost. Credibility: HIGH — annual longitudinal study, independent research methodology.

  5. TermScout — AI vendor contract certification analysis (2025). 33% IP indemnification, 17% regulatory compliance warranty. Credibility: HIGH — independent contract analysis platform with primary data from vendor agreements.

  6. Colorado General Assembly — SB 24-205 (Colorado Artificial Intelligence Act), effective June 30, 2026. High-risk AI deployer obligations relevant to questions on automated decision-making. Credibility: HIGH — primary legal source.

  7. California Legislature — SB 942 (California AI Transparency Act), effective January 2026. Content provenance pass-through implications for vendors. Credibility: HIGH — primary legal source.

  8. Targhee Security — “Security Questionnaire: The 2026 Guide for Vendors & Buyers.” Overview of SIG Lite vs. SIG Core structure and AI-assisted response workflows (70-90% auto-answer rate). Credibility: MEDIUM — practitioner-oriented vendor content.

  9. Bitsight — “CAIQ vs. SIG Questionnaires: What’s the Difference?” and “Vendor Risk Management Security Questionnaires” (2025-2026). Comparative overview of enterprise vendor risk questionnaires. Credibility: MEDIUM-HIGH — third-party risk management platform with primary market data.

  10. Gartner — prediction that 40%+ of AI data breaches will arise from cross-border GenAI misuse by 2027. Referenced in Atlas Systems 2026 compilation. Credibility: MEDIUM — forward-looking analyst projection, directional use only.

Brandon Sneider | brandon@brandonsneider.com April 2026