AI due diligence questionnaire template for SaaS teams
When the buyer thread shifts from "answer this one AI question" to "show us how this workflow is governed," a generic response block stops working. Use this template when procurement, security, privacy, or counsel wants the named vendor chain, workflow scope, customer-data boundary, approval owner, proof links, and framework notes in one review-ready packet.
This page is for the SaaS team answering the buyer's AI due diligence request. It helps package the facts, owner path, and proof trail before the final approval language goes through procurement, privacy, security, or counsel review.
Use this when the buyer has moved beyond a single answer block
The reviewer wants the named vendor chain
List the visible AI vendor plus hosts, databases, analytics tools, support systems, and any other downstream providers tied to the workflow.
The reviewer wants governance, not marketing copy
State the workflow reviewed, data categories touched, training or retention stance, approval owner, and unresolved questions instead of repeating broad trust language.
The reviewer wants proof behind each claim
Attach public links, internal notes, screenshots, review dates, and framework references so the thread can be checked quickly without another round trip.
Start with the browser-side scorecard, then branch only if needed
The scorecard already captures the named vendor, workflow, customer scope, stance, notice impact, approval owner, proof, and open questions. Use it as the working draft for an AI due diligence questionnaire before you write a final answer or buy a broader packet.
Core template fields
| Field | What to capture | Why it matters |
|---|---|---|
| Named AI vendor and workflow | The primary vendor plus the exact product or internal workflow under review. | Prevents vague answers that hide the real system being assessed. |
| Downstream provider chain | Hosting, storage, analytics, support, model, or observability providers touched by the workflow. | Buyers increasingly want the chain behind the top-level vendor. |
| Data categories and customer scope | What data is touched, whether customer content is involved, and which accounts, regions, or products are affected. | Reviewers care about scope more than slogans. |
| Training or retention stance | Your current operating position plus the link or internal note supporting it. | Missing proof for this stance is one of the fastest ways a thread turns into follow-up. |
| Approval owner and next review gate | Who owns the answer, what still needs approval, and what event triggers the next recheck. | Makes the packet actionable instead of descriptive only. |
| Proof links and framework notes | Public pages, screenshots, tracker rows, and optional notes for frameworks such as NIST AI RMF, ISO/IEC 42001, or customer-specific diligence requirements. | Lets security, procurement, or counsel verify the answer without rebuilding the file themselves. |
Copy-ready structure
1. Workflow reviewed: Name the AI-assisted workflow, where it appears, and whether it is planned, active, or replacing another process.
2. Vendor chain: Name the primary AI vendor and the downstream providers involved in hosting, storage, analytics, support, or logging.
3. Data and customer scope: State the categories of data touched and which customers, agreements, or regions are affected.
4. Governance stance: State the current training, retention, approval, and escalation position with the supporting proof source.
5. Open issues: State what is still under review, who owns it, and what recheck or approval event closes it.
Route the template into the right next asset
Use the due diligence scorecard
If the vendor chain, customer scope, stance, or proof is still fuzzy, keep working in the scorecard before you draft the final answer.
Use the evidence map
If the answer is close but the reviewer wants proof assets, owner, review date, or framework-reference notes behind one claim, package that separately.
Use teardown or audit
If a live deal is blocked on the due diligence packet shape itself, use the teardown for a short read or the paid audit for a tighter async review.
What to do if the buyer really only needs one answer
Do not overbuild a broad packet if the live blocker is still one questionnaire row. Once the due diligence fields above are clean, move into the due diligence starter pack or answer builder so the current thread gets a usable response instead of another internal artifact.