
AI Vendor Security Questionnaire: How CTOs Answer Compliance Sections in 2026

By Marc Dubois · May 2026 · 11 min read

TL;DR: Enterprise procurement now sends AI-specific questionnaires alongside the standard SIG / CAIQ. The compliance section is where most B2B AI startups stall — and lose deals. This article gives you 14 real questions from 2026 vendor assessments, model answers that close deals, and the audit evidence procurement teams ask for next.

I've reviewed seventeen enterprise AI vendor questionnaires in 2026 — Fortune 500 banks, German insurers, UK NHS trusts, French logistics groups. Same pattern every time: the security section is fine (most AI startups have SOC 2 or ISO 27001 in flight). The AI compliance section is where things break.

Most CTOs answer it with marketing language. "We take compliance seriously." "Our system is secure by design." Procurement marks it as insufficient and the deal moves to legal review — which adds 4–6 weeks. Sometimes the deal dies there.

This is what the questions actually look like in 2026, what good answers sound like, and what evidence you need ready before procurement asks.

Why the AI section exists separately now

Three things changed in late 2025 and early 2026:

  1. EU AI Act GPAI rules became enforceable on August 2, 2025. Every European enterprise compliance team now has internal guidance to ask AI-specific questions.
  2. NIST AI RMF 1.1 shipped in October 2025 with a procurement-mapped control set. US enterprises adopted it fast.
  3. SOC 2 Trust Services Criteria draft 2026 added explicit AI control points (CC7.5 expanded) — auditors now expect AI-specific evidence in vendor reports.

The result: even buyers who don't fall under the EU AI Act are sending you AI-specific questions. Their auditors require it.

The 14 questions you'll see in 2026

I grouped them by what evidence they want. Most questionnaires pick 6–10 of these. The model answers below assume you're a deployer (you build on Claude, GPT, Gemini, Mistral, or open models you self-host) — which covers ~90% of B2B AI startups.

Block A · System inventory and risk classification

Q1. List all AI/ML models used to provide the service, including third-party APIs, with version identifiers.
Model answer: "We use the following models in production as of [date]: (a) Anthropic Claude claude-sonnet-4-6 via Anthropic API for primary reasoning; (b) OpenAI text-embedding-3-large for retrieval; (c) [your-finetuned-model-id] hosted on [provider] for [task]. A complete inventory with version pinning and last-validated date is maintained in our internal AI registry; a redacted export is available on request under NDA."
Evidence to attach: AI model registry export (JSON or CSV with name, version, provider, purpose, risk tier).
Q2. Have you classified each AI system under the EU AI Act risk tiers (Unacceptable / High / Limited / Minimal)?
Model answer: "Yes. Each production AI system has a documented risk classification reviewed quarterly by our [DPO / compliance officer / CTO]. Our current classifications: [system A] — Limited Risk (transparency obligations only); [system B] — Minimal Risk. We have evaluated all Annex III categories and none of our use cases trigger High-Risk classification. Classification rationale is documented and available under NDA."
Evidence to attach: One-page risk classification summary per system. If you have not done the classification yet, the EU AI Act high-risk classification decision tree walks through Article 6, every Annex III sub-paragraph and the Article 6(3) carve-out with SaaS-specific examples. For the per-sub-paragraph analysis and a defensible memo template procurement accepts, see the Article 6(3) exemption deep dive.
Q3. Are you a "provider" or "deployer" under the EU AI Act, and have you mapped the resulting obligations?
Model answer: "We are a deployer. The AI models are provided by [Anthropic / OpenAI / etc.] who hold provider obligations including Annex IV technical documentation. Our obligations under Article 26 (deployer record, human oversight, log retention, incident reporting) are documented in our Article 26 Deployer Record, which is updated automatically against our production logs."
Evidence to attach: Article 26 Deployer Record — full checklist of the eleven duties with memo template (one-pager + appendix).

Block B · Audit logging and traceability

Q4. What is logged for every AI inference made during service delivery, and for how long are logs retained?
Model answer: "Each model invocation is logged with: tenant / user identifier (pseudonymized), timestamp (UTC, millisecond precision), model name and version, prompt input hash, output hash, token usage, latency, and risk classification. Logs are retained for a minimum of 12 months in tamper-evident append-only storage; sector-specific retention overrides (e.g. financial services: 5 years) are configurable per tenant. A sample log line is provided in Appendix B."
Evidence to attach: One-page logging architecture diagram + redacted sample log line.
Q5. Can you reconstruct, on demand, the full input/output history for a specific user or tenant?
Model answer: "Yes. Reconstruction is available within 24 business hours through our internal audit query interface. Output is provided as a signed CSV with cryptographic hash chain to demonstrate integrity. Customer-initiated audit pulls are billed under our DPA Schedule 4."
Evidence to attach: Sample reconstruction report (anonymized).
Q6. How do you ensure audit logs cannot be tampered with by internal staff?
Model answer: "Logs are written to append-only object storage with versioning and object lock enabled. Write access is restricted to the application service account (no human IAM role has write access to the log bucket). Daily Merkle root hashes are committed to a separate audit ledger reviewed monthly. Any anomaly is flagged in our incident pipeline."
Evidence to attach: Reference to SOC 2 control map (CC7.2 or equivalent).
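
The log line from Q4 and the integrity checks from Q5 and Q6, as an added example (not part of the original article and not auditai's code): each record carries the Q4 fields and is hash-chained to the previous one, and a Merkle root over the day's record hashes stands in for the value committed to the separate ledger. The function names, the HMAC pseudonymisation key and the sample rows are assumptions constructed for illustration.

```python
import hashlib, hmac, json

PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: the real key lives in a KMS
GENESIS = "0" * 64  # "prev" value of the first record

def _digest(obj):  # canonical JSON, so an auditor recomputes the same hash
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def make_record(prev_hash, tenant, ts, model, prompt, output, tokens, latency_ms, risk):
    """One inference log line with the Q4 fields, chained to the previous line."""
    rec = {
        "tenant": hmac.new(PSEUDONYM_KEY, tenant.encode(), hashlib.sha256).hexdigest()[:16],
        "ts": ts, "model": model,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
        "tokens": tokens, "latency_ms": latency_ms, "risk": risk, "prev": prev_hash}
    rec["hash"] = _digest(rec)
    return rec

def verify_chain(records):
    """Return the index of the first record that fails verification, or -1."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return i
        prev = rec["hash"]
    return -1

def merkle_root(record_hashes):
    """Root over one day's record hashes; 0x00/0x01 prefixes separate leaves from nodes."""
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(h)).digest() for h in record_hashes] or [bytes(32)]
    while len(level) > 1:
        pairs = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level) - 1, 2)]
        level = pairs + ([level[-1]] if len(level) % 2 else [])  # odd node is promoted
    return level[0].hex()

def build_log(rows):  # rows: make_record arguments without prev_hash
    log = []
    for row in rows:
        log.append(make_record(log[-1]["hash"] if log else GENESIS, *row))
    return log

SAMPLE_ROWS = [  # constructed sample rows, not real traffic
    ("acme-gmbh", "2026-05-04T09:15:02.113Z", "claude-sonnet-4-6", "Summarise ticket 1", "Summary A", 412, 830, "limited"),
    ("acme-gmbh", "2026-05-04T09:15:07.480Z", "claude-sonnet-4-6", "Summarise ticket 2", "Summary B", 398, 795, "limited"),
    ("globex-sa", "2026-05-04T09:16:41.002Z", "claude-sonnet-4-6", "Draft reply", "Reply C", 520, 1010, "limited"),
]
```

A chain check alone still passes if an insider rewrites a line and recomputes every later hash; comparing the recomputed Merkle root with the one already committed to the separate ledger is what exposes that rewrite.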

Block C · Human oversight

Q7. Is there a named human responsible for AI oversight in your organisation?
Model answer: "Yes. [Full name], [Title], serves as our designated AI Oversight Officer under Article 26(2) EU AI Act. Contact: [email]. The role has authority to suspend production AI systems and is independent of revenue targets."
Evidence to attach: One-line org chart entry; appointment letter on request.
Q8. How are AI-generated decisions reviewed before they affect end users?
Model answer: "For our use case [describe], AI outputs are [advisory / human-in-the-loop / fully automated with override]. The review procedure is: [describe in 3 steps]. Override and escalation paths are logged and audited weekly. We do not deploy any AI in fully autonomous decision-making for outcomes affecting natural persons in legal, employment, credit, or healthcare contexts."
Evidence to attach: Human oversight procedure document (1–2 pages).

Block D · Data handling and training

Q9. Do you train or fine-tune models on customer data?
Model answer: "No customer data is used to train or fine-tune any model — neither models we operate nor third-party models. Our agreements with Anthropic, OpenAI, and other model providers include zero-retention clauses where available; for OpenAI we use the API tier with a 30-day retention policy and zero training. A copy of the relevant DPAs is in our Trust Centre."
Evidence to attach: Provider DPA references (Anthropic Zero Data Retention; OpenAI Enterprise; etc.).
Q10. How do you prevent prompt injection and data exfiltration through model outputs?
Model answer: "We apply layered controls: (1) input sanitisation against known prompt injection patterns; (2) output filters that strip patterns matching credentials, internal URLs, or PII the system should not surface; (3) tenant isolation at the prompt level so cross-tenant data cannot appear in retrieval context; (4) red-team testing against OWASP LLM Top 10 quarterly. Findings and remediations are documented in our internal AI security log."
Evidence to attach: OWASP LLM Top 10 control mapping (one-page).
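
Controls (2) and (3) from the Q10 answer, sketched as an added example (not part of the original article and not auditai's code): retrieval chunks are scoped to the caller's tenant and dropped when unlabelled, and model output passes through a redaction filter before it is returned. The three patterns, the chunk layout and all sample values are assumptions constructed for illustration; a production rule set needs tuning and testing.

```python
import re

# Assumed illustrative patterns: key-shaped strings, internal hosts, e-mail addresses.
REDACTIONS = [
    ("credential", re.compile(r"\b(?:AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9_-]{20,})\b")),
    ("internal_url", re.compile(
        r"https?://(?:[\w.-]+\.internal|10\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::\d+)?\S*")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]

def filter_output(text):
    """Replace matches with typed placeholders; return (clean_text, hit counts per rule)."""
    hits = {}
    for name, pattern in REDACTIONS:
        text, n = pattern.subn(f"[REDACTED:{name}]", text)
        if n:
            hits[name] = n  # counts can feed the internal AI security log
    return text, hits

def build_context(chunks, tenant_id):
    """Keep only chunks labelled with the caller's tenant.

    Chunks with a different or missing tenant label are dropped (fail closed),
    so cross-tenant data never reaches the prompt.
    """
    kept = [c for c in chunks if c.get("tenant_id") == tenant_id]
    return "\n".join(c["text"] for c in kept), len(chunks) - len(kept)

# Constructed sample data; the key-shaped string is not a real credential.
SAMPLE_CHUNKS = [
    {"tenant_id": "tenant-a", "text": "Tenant A refund policy: 30 days."},
    {"tenant_id": "tenant-b", "text": "Tenant B pricing sheet."},
    {"text": "Unlabelled legacy document."},
]
SAMPLE_OUTPUT = ("Use key AKIAABCDEFGHIJKLMNOP at http://billing.internal:8080/admin "
                 "or mail jane.doe@example.com")
```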

Block E · Incident response and reporting

Q11. What constitutes an AI-specific incident in your organisation, and how are these reported?
Model answer: "AI-specific incidents include: model malfunction producing unsafe outputs; prompt injection leading to data exposure; significant model drift affecting accuracy; or any event requiring notification under EU AI Act Article 26(5) (deployer-to-provider chain) and Article 73 (provider-to-authority filing). The Article 73 timing thresholds — 2 days for widespread fundamental-rights infringement or critical infrastructure disruption, 10 days for death, 15 days residual default — run from awareness, not incident occurrence. These are tracked in our incident management system with a documented triage decision tree, named accountable contact, and the Annex IX-aligned eight-block report template ready to populate. Full walkthrough in our Article 73 reporting guide."
Evidence to attach: AI incident classification rubric (one-page); Article 73 triage decision tree; named accountable contact card.
Q12. Have you experienced any AI-related incidents in the last 12 months? If yes, summarise.
Model answer: "[If none:] No reportable AI incidents in the last 12 months. Our incident pipeline tracked [N] internal events that did not meet the reporting threshold, all resolved within SLA. [If incidents:] Be specific, factual, and include remediation. Hiding minor incidents and being caught later is fatal to the deal."
Evidence to attach: Incident summary memo (if applicable).

Block F · Sub-processor transparency

Q13. List all AI sub-processors with the data category they receive and the location of processing.
Model answer: "(a) Anthropic PBC — prompt content and metadata; processing region: EU (Frankfurt) where available, US fallback. (b) OpenAI L.L.C. — embedding inputs; processing region: EU. (c) [Vector DB provider] — embeddings; processing region: [region]. Our sub-processor list is published at [trust.yourdomain.com] and customers receive 30-day notice of changes."
Evidence to attach: Trust Centre URL or sub-processor list PDF.
Q14. Where can the buyer's auditors request live evidence of AI controls?
Model answer: "On request, we grant time-limited read-only access to our compliance dashboard which exposes: live model inventory, recent inference samples (with PII redacted), audit log integrity check, and the current Article 26 Deployer Report. Access is provisioned through our DPA Annex 5 procedure, typically within 5 business days of a signed audit request."
Evidence to attach: Sample compliance dashboard screenshot.

The three documents you should have ready before procurement asks

If you don't have these on a shared drive ready to send within an hour of receiving the questionnaire, you're already losing time the deal can't afford:

| Document | Length | Purpose |
|---|---|---|
| AI Risk Classification Summary | 1 page per system | Answers Q2 and Q3 with no follow-up needed |
| Article 26 Deployer Record | 4–6 pages | Answers the entire Block A and Block B with cross-references |
| AI Sub-processor List + DPA references | 1–2 pages | Answers Block F instantly; required by GDPR auditors anyway |
| Article 4 AI Literacy programme | 3 documents (policy + matrix + log) | Pre-answers the literacy question procurement asks before any other AI Act item — see the Article 4 walkthrough |

Assemble those three documents once and 80% of the AI compliance section is pre-answered for every future questionnaire. The remaining 20% is system-specific narrative that takes maybe 2 hours per deal.

Need these documents in 48 hours?

The Managed Audit produces all three documents from your real production data — risk classification, Article 26 Deployer Record, and sub-processor map — manually reviewed and ready to send to procurement.


How auditai automates the evidence layer

The harder part of every answer above is the evidence — Q4 wants a real log line, Q5 wants reconstruction within hours, Q6 wants tamper-evident storage. Marketing copy doesn't pass these.

auditai is a Python SDK that wraps your model calls and produces the evidence layer automatically:

from auditai import wrap_client
import anthropic

client = wrap_client(
    anthropic.Anthropic(),
    project="enterprise-app",
    retention_days=365,
    tenant_id_resolver=lambda req: req.user.org_id,
)
# Every call now logged with model version, hashes, tenant, timestamp,
# token usage, and EU AI Act risk classification.

Then on questionnaire day:

auditai report --project enterprise-app \
  --company "Acme GmbH" \
  --include risk-classification,deployer-record,sample-logs

Output: a buyer-ready PDF that pre-answers Q1, Q2, Q3, Q4, Q5, Q11, Q13.

What enterprises actually look for between the lines

Procurement teams in 2026 have learned to read AI questionnaire answers like security questionnaires. Three signals separate "ready vendor" from "we'll get back to you":

  1. Specific names and titles. "Our Head of Engineering" is weaker than "Marc Dubois, CTO". A name shows the role exists.
  2. Concrete numbers. "12 months" beats "appropriate retention period". "72 hours" beats "timely notification".
  3. Reference to existing documents. "Documented in our Article 26 Deployer Record (PDF available on request)" beats "we have a process". Procurement is happy to receive the document; they just need to know it exists before they ask.

The fastest improvement most B2B AI startups can make to their compliance answers is rewriting them to include named people, exact numbers, and named documents. No new controls — just a better surface.

Frequently asked questions

Is the AI section now standard in every vendor security questionnaire?

Yes, since 2025. Enterprise procurement frameworks — SIG, CAIQ, custom — have absorbed AI-specific blocks covering system inventory, risk classification, audit logging, human oversight, data handling, incident response, and sub-processor transparency. Expect 10–20 AI-specific questions per RFP if you sell into European enterprise.

What is the difference between the AI section and the SOC 2 or ISO 27001 sections?

SOC 2 and ISO 27001 cover general security and process controls. The AI section adds EU AI Act classification (provider vs deployer), Article 26 deployer record, FRIA where applicable, per-inference audit logs, model version tracking, and sub-processor disclosure for hosted LLMs. The same incident response plan does not cover both — you typically need an AI-specific addendum.

How fast does procurement expect us to return the questionnaire?

Median in 2026 is 5–10 business days for the first pass; some buyers ask for 48 hours. The deal slows materially after 2 weeks. The fastest improvement is having three documents pre-built — risk classification, Article 26 deployer record, sub-processor list — so 80% of the AI section is pre-answered before the questionnaire arrives.

We use a third-party LLM (OpenAI, Anthropic). Do we still need to answer the AI block?

Yes. Using an upstream LLM makes you a deployer of that LLM and a provider of the system you build around it. You answer both rows: the upstream model details, and your own application's controls. Procurement explicitly looks for whether you understand the dual role.

What is the single highest-leverage thing we can do this quarter?

Assemble the three documents — one-page risk classification, Article 26 deployer record, sub-processor list with DPA references — and store them on a shared drive ready to send within one hour of receiving any questionnaire. That removes the longest single bottleneck in B2B enterprise AI procurement.

Bottom line

Enterprise AI procurement in 2026 is not a legal exercise — it's a documentation race. The vendor with the cleaner PDF wins the deal. The vendor whose CTO writes "we take this seriously" loses to a competitor who writes "12-month tamper-evident logs, sample line in Appendix B".

The 14 questions above are now standard. The three documents are the minimum kit. The auditai SDK automates the evidence; the Managed Audit packages it for buyers when you're already in a deal.

Questions or a questionnaire you want a second pair of eyes on? Reply to marc@auditaisdk.com.

— Marc Dubois, auditaisdk.com

