Purpose
Embed AI-specific due diligence into procurement processes to ensure vendors meet security, privacy, responsible AI, and compliance expectations before contracts are executed.
Scope
Covers all procurement activities involving AI functionality, data sharing for AI purposes, or vendors supplying AI development resources.
- RFIs/RFPs for AI SaaS platforms
- Professional services providing custom models
- Data acquisition deals enabling AI training
Definitions
- AI RFP Addendum: Standard set of questions evaluating AI capabilities, risk controls, and responsible AI practices.
- Supplier Attestation: Vendor-signed statement confirming compliance with policies (privacy, security, bias mitigation).
Policy
Procurement must include AI-specific evaluation criteria in every sourcing event involving AI. Contracts must incorporate responsible AI obligations, data usage limits, and termination rights for non-compliance. Supplier attestations must be stored with vendor records.
Roles and Responsibilities
- Procurement Director: ensures sourcing teams use the AI RFP Addendum.
- Legal: embeds the contractual clauses (responsible AI obligations, data usage limits, termination rights).
- Responsible AI: reviews supplier responses for ethics and safety coverage.
- Vendor Risk Manager: aligns procurement outputs with the AI vendor inventory.
Procedures
During procurement:
- Include the AI risk questionnaire in RFPs/RFIs.
- Require suppliers to submit responsible AI policies, model cards, or transparency reports.
- Evaluate data flow diagrams and ensure data processing agreements (DPAs) are in place.
- Score vendors on AI controls alongside cost and quality metrics.
- Collect supplier attestations and store them in the vendor record.
- Coordinate with Legal and Vendor Risk for final approval.
Exceptions
Emergency purchases may proceed with abbreviated questionnaires, but the full evaluation must be completed within 30 days of contract execution.
Review Cadence
Procurement templates are updated annually to reflect new regulatory requirements and lessons learned. Adoption metrics are reported to the AI governance council.
References
- ISO/IEC 27036 (Information security for supplier relationships)
- NIST AI RMF Govern/Manage functions
- Internal documents: AI RFP Addendum, Supplier Attestation Template, Procurement Playbook