Why Due Diligence Matters
A July 2025 Bitsight advisory notes that assessing a vendor’s AI governance posture is now a top criterion in third‑party risk management (Bitsight).
The Magnificent Seven Questions
1. What data trains your model—and who owns it?
2. Can you show current SOC 2 or ISO 27001 certificates?
3. How often do you retrain, and who audits drift?
4. Is there a kill switch or rollback plan?
5. Do we keep IP rights on outputs?
6. What’s your price after year one?
7. Will you sign our AI‑use addendum?
2‑Page Scorecard Template
| Dimension | Weight | Pass Threshold |
|---|---|---|
| Security & Privacy | 30 % | All certs current |
| Transparency | 20 % | Written audit log |
| TCO Predictability | 20 % | ≤ 5 % price escalator |
| Support SLAs | 15 % | < 2 hr P1 response |
| Cultural Fit | 15 % | Named success manager |
Red‑Flag Signals
- “Black‑box” answers on training data.
- Non‑standard pricing escalators.
- No human contact for critical support.
Executive Cheat‑Sheet
- Governance questions belong in the first call, not the contract addendum.
- Continuous monitoring beats annual questionnaires.
- Legal IP clauses should mirror your data‑privacy policy.