AI review worksheet

AI vendor risk assessment worksheet

Use this worksheet when a buyer, procurement lead, security reviewer, or counsel wants operating facts instead of another policy link. It keeps the named vendor, downstream providers, customer scope, retention stance, notice timing, and proof in one handoff.

Operational worksheet, not legal advice.

Use the worksheet to organize the review cleanly. Your agreements, privacy team, procurement process, and counsel still decide the final disclosure and notice path.

What belongs in the worksheet

Capture only the facts that move the review forward: who is in the chain, what data they touch, which customers are affected, what changed, who owns the answer, and what proof exists already.

Use this structure before the thread sprawls

# AI vendor risk assessment

## 1. Vendor and workflow
- Named vendor:
- Product workflow:
- Customer-facing, internal, or both:
- New vendor, replacement, or expanded use:

## 2. Downstream chain
- Model provider:
- Cloud host:
- Observability / logging vendors:
- Other subprocessors in the path:

## 3. Data and customer scope
- Data categories touched:
- Product area affected:
- Customer segment affected:
- Regions or contract cohorts affected:

## 4. Retention and training stance
- Current retention position:
- Training / model-improvement stance:
- Supporting link, contract fact, or vendor statement:
- Open exceptions or unresolved questions:

## 5. Notice and reviewer path
- Does the change trigger notice review:
- Proposed notice date:
- Effective date:
- Accountable owner:
- Procurement / privacy / counsel reviewers:

## 6. Proof links
- Public subprocessor page:
- Internal packet or review brief:
- Draft customer notice:
- Screenshot or archived proof:
- Open reviewer questions:

When to branch out of the worksheet

Use the sample packet

Best when the blank worksheet is still too abstract and the team needs to see a finished review artifact first.

Use the packet guide

Best when the worksheet is complete but the buyer still needs the packet sections in a cleaner review order.

Use the AI stack guide

Best when the public vendor list is still too generic and hides the model, host, analytics, or support vendors reviewers care about.

Three signs the worksheet is enough

You can name the full vendor chain

The surface vendor, model provider, cloud host, and any supporting vendors are all explicit.

You can isolate the customer scope

The worksheet says which product area, agreements, accounts, or regions are actually affected.

You can point to proof

The reviewer can open the public page, internal packet, draft notice, or archived evidence without chasing people in Slack.

Need the shortest next step after the worksheet?

Use the teardown if you already have one live page and one live vendor change. Use the paid path when you need the finished operating files instead of another explanation.