AI-Specific Vendor Security Questionnaires: The New Gate That Stalls Every AI Procurement

See also (wiki): wiki/vendor-security-questionnaires.md, wiki/ai-vendor-contracts.md, wiki/ai-cybersecurity.md

Executive Summary

• Three major security questionnaire frameworks now include AI-specific sections: SIG (Shared Assessments, ISO 42001-aligned), AI-CAIQ (Cloud Security Alliance, v1.0.2 released Oct 2025), and HECVAT 4 (EDUCAUSE, 32 AI questions for higher education). Each adds 30–80+ questions that did not exist 18 months ago.
• Manual completion takes 20–40 hours per questionnaire on the vendor side, adding 4–8 weeks to deal timelines. Most AI vendors cannot answer the questions that matter most: training data provenance, prompt injection defenses, and model version control documentation.
• The gap between what buyers now ask and what vendors can answer is the single largest source of procurement friction in enterprise AI deals — ahead of pricing, ahead of integration complexity.
• Organizations that pre-build an AI-specific questionnaire aligned to their risk profile cut vendor onboarding from 45 days to under two weeks.

The Three Questionnaires Enterprise Buyers Actually Use

SIG (Standardized Information Gathering) — Shared Assessments

The SIG is the dominant third-party risk management questionnaire across financial services, healthcare, and large enterprise. The 2026 edition (released September 2025) adds a dedicated AI Governance domain aligned with ISO 42001 and NIST AI RMF.

The AI domain examines governance and ethical use of AI and machine learning systems — transparency, fairness, accountability, and regulatory compliance. The 2024 edition first introduced the AI risk domain based on NIST AI RMF; the 2026 edition deepens it with ISO 42001 lifecycle controls.

AI-CAIQ (AI Consensus Assessments Initiative Questionnaire) — Cloud Security Alliance

CSA released AI-CAIQ v1.0.2 in October 2025 as a standalone AI extension to its widely adopted CAIQ cloud security questionnaire. It is the foundation for CSA’s upcoming STAR Level 1 Self-Assessment for AI.

The AI-CAIQ classifies AI lifecycle stages (development, deployment, monitoring) and asset categories (data, models, infrastructure), requiring vendors to demonstrate controls at each stage. Organizations already using CSA STAR for cloud vendor assessments are adding AI-CAIQ as a mandatory supplement.

HECVAT 4 — EDUCAUSE / Internet2

HECVAT 4 added 32 AI-specific questions within a total of 321 questions across seven sections. While designed for higher education, its AI section is increasingly adopted by other sectors as a reference template.

What Vendors Cannot Answer

The consistent pattern across all three frameworks is the same: vendors fail the questions that matter most to regulated buyers.

Training data provenance. “Where did your training data come from? What PII/PHI does it contain? Can you provide data lineage documentation?” Most AI vendors — including well-funded startups and major platform providers — cannot produce complete training data documentation. The response is typically a reference to upstream model providers (OpenAI, Anthropic, Google) without application-layer specifics.

Prompt injection defenses. “What controls prevent prompt injection attacks? How do you test for jailbreaking? What output filtering is in place?” Glacis research identifies prompt injection defense documentation as a consistent trip point. Vendors that build on top of foundation models frequently claim inherited security without demonstrating application-layer controls — a red flag that 87% of organizations escalate (Glacis, 2024).

Model version control. “How are model updates verified and tested before deployment? What is your rollback procedure? How do you notify customers of model changes?” This question exposes the gap between traditional software change management (well-documented, version-controlled, tested) and AI model updates (often silent, opaque, and without customer notification).

Bias testing evidence. “What fairness metrics do you apply? How frequently do you test for bias? Can you provide audit results?” The Bias & Fairness category (7 questions in the Glacis template, embedded across SIG and HECVAT) requires documentation that most vendors have not produced — or have produced only for marketing purposes without independent verification.

The Time Tax

A mid-market company evaluating three AI vendors faces a minimum of 60–120 hours of vendor-side completion time across the three questionnaires, plus internal review cycles. When the AI-specific questions trigger follow-up (and they almost always do), add another 2–4 weeks of back-and-forth.

The compounding effect: the same procurement team is simultaneously running DPA negotiations (4–8 weeks per the DPA friction research), model risk questionnaires for regulated industries (3–12 months per the SR 11-7 analysis), and now AI-specific security questionnaires. These run in parallel but each can independently block the deal.

Key Data Points

What Actually Trips Vendors: The Five Failure Modes

1. “We inherit security from our model provider.” The most common deflection. Building on GPT-4 or Claude does not mean the application inherits the provider’s SOC 2 scope. Buyers who accept this answer are accepting unvalidated risk.

2. “We use industry-standard security.” Without specifics — which standards, which controls, which audit evidence — this is a non-answer that 87% of organizations escalate.

3. No training data documentation. The vendor cannot describe what data trained the model, whether it contains PII/PHI, or what data governance applies. This is a hard stop for HIPAA-covered entities and financial institutions.

4. No model update notification process. The vendor cannot describe how customers are notified of model changes, what testing precedes deployment, or what rollback procedures exist. Traditional software vendors have solved this; AI vendors largely have not.

5. Marketing-grade bias documentation. The vendor produces a “Responsible AI” page or blog post but cannot provide audit methodology, fairness metrics, testing frequency, or independent verification.

What This Means for Your Organization

The AI security questionnaire is no longer optional — it is the gate. If your procurement team is still using a standard SIG or CAIQ without the AI extensions, you are evaluating AI vendors with a checklist designed for traditional SaaS. The risk exposure is not hypothetical: 77% of organizations identified AI-related breaches in the past year.

Three actions for the next 30 days:

First, adopt or build an AI-specific questionnaire section. The HECVAT 4 AI questions (32 questions) are the fastest starting point for organizations outside higher education. The Glacis 80-question template offers deeper coverage for regulated industries. The SIG AI domain is mandatory if your third-party risk program already runs on SIG.

Second, pre-screen vendors before sending the full questionnaire. Ask three questions upfront: (1) Can you document training data provenance? (2) Do you have a model update notification process? (3) Can you provide independent bias audit results? Vendors who cannot answer these three will not pass the full questionnaire — and you save 4–8 weeks of dead time by screening early.

Third, budget for the time tax. AI vendor onboarding takes 45 days on average. With AI-specific questionnaires layered on top of DPA negotiations and any regulatory model-risk requirements, plan for 60–90 days from shortlist to signed contract for your first AI vendor — and build that into your project timeline.

If the questionnaire gap between what you need to ask and what your current process covers is wider than expected, that is a conversation worth having — brandon@brandonsneider.com.

Sources

Brandon Sneider | brandon@brandonsneider.com April 2026