Vendor & Foundation Model Due Diligence Policy

Zen AI Governance — Knowledge Base • Supplier & Model Governance • Updated 16 Nov 2025 • www.zenaigovernance.com

Governance & Policies • EU/UK Aligned

Key takeaways
  • Every external AI vendor or foundation model must undergo a structured due-diligence assessment before use.
  • Each vendor receives a risk classification (Low/Medium/High) with evidence-linked approval records (EV-IDs).
  • Ongoing performance and compliance monitoring are mandatory throughout the contract term.

Purpose & scope

This policy ensures that any third-party supplier or foundation model used in Zen AI Governance systems has been assessed as technically sound, ethically acceptable and legally compliant before it is integrated. It covers vendors providing:

  • AI models (e.g., LLMs, image generators, NLP engines)
  • Training datasets or synthetic data providers
  • API services (model inference or embedding APIs)
  • Third-party tools embedded in client solutions

Due-diligence workflow

Supplier identification → Pre-screening → Ethical & technical assessment → Risk rating → Approval → Contract execution → Ongoing monitoring

Risk classification matrix

Risk Level | Example Scenarios | Required Actions
Low | Non-AI vendors (e.g., hosting or utility APIs) | Basic security check + contractual T&Cs.
Medium | AI tools with limited data access (e.g., classification models) | Ethical checklist + model documentation review.
High | Foundation models or vendors processing sensitive data | Full due-diligence pack + legal sign-off + Board review.

Evaluation criteria

  • Technical robustness: accuracy, resilience, fail-safe modes.
  • Security controls: data encryption, API hardening, RBAC policies.
  • Privacy compliance: evidence of GDPR/UK GDPR compliance, a signed data processing agreement (DPA), data minimisation practices.
  • Ethical compliance: bias testing, fairness metrics, model documentation.
  • Regulatory status: CE marking where the EU AI Act requires it (high-risk AI systems placed on the EU market), provider declarations of conformity, mapping of the service to an AI Act risk category.
  • Financial stability & business continuity: vendor viability and support capacity.

Approval & sign-off

Stage | Reviewer | Output Document
Technical Evaluation | AI Engineering Lead | Model Test Report (MTR-ID)
Compliance Review | Risk & Compliance Officer | Due-Diligence Checklist (DDC-ID)
Ethical Approval | Oversight Board Member | Ethics Waiver or Approval (EV-ID)
Contract Execution | Procurement + Legal | Vendor Agreement (VA-ID)

Ongoing monitoring & renewals

  • Annual re-assessment of vendor risk rating and ethical performance.
  • Quarterly check of API availability, security posture, and incident history.
  • Trigger immediate review after reported breaches or compliance changes.
  • Maintain Vendor Register with version-controlled records and expiry alerts.

Templates & registers

A) Vendor Assessment Checklist (Excerpt)
Control Area | Yes/No | Notes / Evidence
Data protection agreement signed (DPA) | |
ISO 27001 or SOC 2 certification verified | |
Bias & fairness report received | |
Model documentation includes training data summary | |
Risk level assigned (Low/Medium/High) and EU AI Act risk category mapped | |
Ethical oversight approval logged (EV-ID) | |
B) Vendor Register Fields (CSV Export)
Vendor_ID,Vendor_Name,Service_Type,Risk_Level,Last_Assessed,Next_Review,Status,EV_ID,Reviewer,Notes
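The register above is only useful for the monitoring duties in the previous section if something actually reads it and raises the expiry alerts. The following checker is an added example written for this page, not Zen AI Governance's own tooling: it reads a CSV export with the header shown in section B, and reports vendors whose Next_Review has passed or falls within an assumed 30-day alert window, vendors whose Last_Assessed is older than the annual re-assessment period, Medium/High vendors with no EV_ID logged, and rows with a Risk_Level outside Low/Medium/High. The ISO 8601 date format, the 30-day window, the exemption of Low-risk (non-AI) vendors from the EV_ID rule, and the sample rows are all assumptions of the example.

```python
"""Vendor Register expiry and completeness check (added example, not the
page's own tooling). Assumes the section B CSV header and ISO 8601 dates
(YYYY-MM-DD) in Last_Assessed / Next_Review; both are assumptions."""
import csv
import io
from datetime import date, timedelta

RISK_LEVELS = {"Low", "Medium", "High"}
ANNUAL_REASSESSMENT = timedelta(days=365)   # policy: annual re-assessment
EXPIRY_WARNING = timedelta(days=30)         # assumed alert window before Next_Review

# Constructed sample export in the register's field order; not real vendors.
SAMPLE_REGISTER = """\
Vendor_ID,Vendor_Name,Service_Type,Risk_Level,Last_Assessed,Next_Review,Status,EV_ID,Reviewer,Notes
V-001,Example LLM Provider,AI model,High,2024-10-01,2025-10-01,Approved,EV-0042,R. Patel,
V-002,Example Hosting Co,Hosting,Low,2025-06-15,2026-06-15,Approved,,J. Smith,
V-003,Example Classifier Ltd,Classification API,Medium,2025-11-01,2025-12-01,Approved,EV-0051,R. Patel,
V-004,Example Embeddings Inc,Embedding API,High,2025-09-20,2026-09-20,Approved,,J. Smith,no ethics record
V-005,Example Data Broker,Training data,Critical,2025-01-10,2026-01-10,Approved,EV-0030,R. Patel,
"""


def check_register(csv_text: str, as_of: str) -> list[dict]:
    """Return one finding per policy breach in the export, in row order.

    as_of is the reporting date as YYYY-MM-DD, so results are reproducible.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vid = row["Vendor_ID"]
        risk = row["Risk_Level"].strip()
        if risk not in RISK_LEVELS:
            # Unknown level: the risk-based rules below cannot be applied.
            findings.append({"vendor": vid, "issue": "invalid_risk_level", "detail": risk})
            continue
        try:
            last = date.fromisoformat(row["Last_Assessed"])
            nxt = date.fromisoformat(row["Next_Review"])
        except ValueError as exc:
            findings.append({"vendor": vid, "issue": "bad_date", "detail": str(exc)})
            continue
        # Expiry alerts on the Next_Review field.
        if nxt < today:
            findings.append({"vendor": vid, "issue": "review_overdue", "detail": nxt.isoformat()})
        elif nxt - today <= EXPIRY_WARNING:
            findings.append({"vendor": vid, "issue": "review_due_soon", "detail": nxt.isoformat()})
        # Annual re-assessment rule, measured from Last_Assessed.
        if today - last > ANNUAL_REASSESSMENT:
            findings.append({"vendor": vid, "issue": "annual_reassessment_missed", "detail": last.isoformat()})
        # AI vendors (Medium/High) need a logged ethics approval; Low (non-AI)
        # vendors are assumed exempt.
        if risk in {"Medium", "High"} and not row["EV_ID"].strip():
            findings.append({"vendor": vid, "issue": "missing_ev_id", "detail": risk})
    return findings


if __name__ == "__main__":
    for f in check_register(SAMPLE_REGISTER, "2025-11-16"):
        print(f"{f['vendor']}: {f['issue']} ({f['detail']})")
```

Run it against a fresh export from the procurement portal on a schedule; the `review_due_soon` findings are the calendar alerts the implementation checklist calls for, and `invalid_risk_level` catches rows that drift away from the Low/Medium/High matrix.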

Framework alignment

Framework | Reference | Relevance
ISO/IEC 42001 | Annex A, A.10 (third-party and customer relationships, incl. A.10.3 suppliers) | Control of externally provided AI services & vendors.
EU AI Act | Art. 16, 23–26 and 53 | Obligations of providers, importers, distributors and deployers along the AI value chain, and of providers of general-purpose AI models.
NIST AI RMF | Govern & Map | Supply chain risk identification & evaluation.
UK NCSC | Supply Chain Principles (2024) | Cyber and operational resilience requirements.

Implementation checklist

  • Due-diligence process formally approved by Governance Board.
  • Vendor Assessment Checklist applied to all new suppliers.
  • Risk matrix embedded into Procurement portal or Zoho CRM workflow.
  • Annual re-assessment triggered automatically through calendar alerts.
  • Vendor Register exportable for ISO/NIST/EU audit evidence.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 16 Nov 2025 • This page is general guidance, not legal advice.

Related Articles

  • AI Model Lifecycle Management Policy
  • AI Supplier Governance & Third-Party Assurance Policy
  • AI Governance Operating Model – Roles, Committees & Decision Rights
  • Human Oversight & Escalation Policy
  • Incident Response & CAPA Policy — Triage, Investigation, Corrective/Preventive Actions