Holding · last review 4 May 2026

The 47-question AI Vendor Security Questionnaire covers seven failure surfaces (model lineage, training/inference data handling, non-human identity, audit/observability, kill-switch, EU AI Act + GDPR posture, contract/indemnification) that CAIQ v4 and SIG do not address. Sections a vendor cannot answer are scored as binary unanswered, and the questionnaire is an addendum to (not a replacement for) existing cloud/SaaS procurement frameworks.

Premise: standard cloud-procurement questionnaires (CAIQ v4, October 2024; SIG) predate the model-as-product reality of 2026 and do not surface AI-specific failure modes. The 47 questions are anchored to NIST AI RMF 1.0, EU AI Act Annex IV, GDPR Articles 22 + 35, and the operational risk surface documented in AM-127 (EU AI Act enforcement), AM-121 (IT operations reality), and the non-human-identity body of work. The review cycle is 90 days because regulatory enforcement patterns and the foundation-model release cadence change the question set on roughly that interval.

Published
4 May 2026
Last reviewed
4 May 2026
Next review
+80d · 2 Aug 2026

About this register

The Resources register tracks claims attached to long-lived tools, checklists, and templates. Each claim carries its own review cadence tied to the tool it accompanies, and corrections are appended whenever the underlying tool changes.
