Purpose
Ensure external AI services and APIs comply with contractual, regulatory, and security expectations before they integrate with our products or handle company data.
Scope
Applies to all third-party AI tools, APIs, models, managed services, and open-source packages that process company data or power customer-facing experiences.
- Cloud-hosted LLM APIs and embeddings services
- Vendor-provided scoring or recommendation engines
- Open-source models incorporated into production
- Professional services delivering fine-tuned models
Definitions
- License Register: Central record of AI vendor contracts, SLAs, indemnities, and renewal dates.
- Vetting Checklist: Standardized questions covering security, privacy, compliance, and ethical posture.
- High-Risk Vendor: Third party whose failure would impact regulated obligations or sensitive workflows.
Policy
All AI vendors must complete the vetting checklist, sign acceptable licensing terms, and provide audit evidence before access is granted. Contracts must include data processing agreements, security SLAs, and indemnity clauses covering AI-specific risks. Renewals repeat the vetting process.
Roles and Responsibilities
Legal Operations leads contract negotiation and maintains the license register. Security performs technical due diligence. Privacy/DPO reviews data processing terms. Business Sponsor attests to business need and budget.
Procedures
Vendor onboarding requires:
- Completing the AI vetting checklist and risk scoring.
- Reviewing licensing terms for usage limits, training rights, and indemnities.
- Executing DPAs and cross-border transfer agreements.
- Conducting security/privacy assessments (SOC 2, ISO 27001, penetration tests).
- Documenting approval in the license register and linking to the model inventory.
- Scheduling renewal/termination reminders 90 days prior to expiration.
Exceptions
Pilot access may be granted with limited data exposure and time-boxed to ≤ 30 days, provided Legal and Security approve the safeguards.
Review Cadence
Vendor risk and license portfolios are reviewed quarterly to retire unused services, update terms, and track remediation items.
References
- EU AI Act Articles 24-28 (Obligations of importers, distributors, deployers)
- ISO/IEC 27036 (Supplier relationships)
- Internal documents: Vendor Onboarding Checklist, DPA Template, Security Due Diligence Playbook