RES-001
Holding · last review 4 May 2026
The 47-question AI Vendor Security Questionnaire covers seven failure surfaces (model lineage, training/inference data handling, non-human identity, audit/observability, kill-switch, EU AI Act + GDPR posture, contract/indemnification) that CAIQ v4 and SIG do not address. Vendors that cannot answer have those sections scored as binary-unanswered, and the questionnaire is an addendum to (not a replacement for) existing cloud/SaaS procurement frameworks.
Premise: standard cloud-procurement questionnaires (CAIQ v4, October 2024; SIG) predate the model-as-product reality of 2026 and do not surface AI-specific failure modes. The 47 questions are anchored to NIST AI RMF 1.0, EU AI Act Annex IV, GDPR Articles 22 and 35, and the operational risk surface documented in AM-127 (EU AI Act enforcement), AM-121 (IT operations reality), and the non-human-identity body of work. The review cycle is 90 days because regulatory enforcement patterns and foundation-model release cadence change the question set on roughly that interval.