AI Posture Check Take the Check
Dimension · 5 questions

Vendor.

Due diligence, contracts, attestations, onboarding, continuous monitoring.

Why this dimension matters

Vendor is the AI security dimension regulators and procurement teams care about most. Five questions cover due diligence, contractual terms, attestation review, vendor approval, and continuous monitoring. The dimension maps to OWASP LLM03 (Supply Chain) and ISO 42001 Annex A.10 (Third-party and customer relationships). Most enterprise AI risk now flows through vendors: Microsoft, OpenAI, Anthropic, Google, plus the long tail of AI-enabled SaaS. The defining vendor risk is not malice but velocity: AI vendors ship breaking changes faster than enterprise procurement can review them. Strong vendor scores require process maturity, not just contract review. CWS engages vendor risk through structured due-diligence templates, continuous attestation review, and ISO 42001-aligned vendor onboarding.

Posture Check questions for vendor

  1. Have you completed security due diligence on the AI vendors you use (Microsoft, OpenAI, Anthropic, Google, others)?
    • 0 No due diligence
    • 1 Identified the need
    • 2 Partial due diligence
    • 3 Comprehensive due diligence per vendor with documented evidence
  2. Do your contracts with AI vendors include explicit terms on data handling, breach notification, and audit rights?
    • 0 No specific AI terms
    • 1 Reviewing vendor contracts
    • 2 Partial coverage
    • 3 Comprehensive AI-specific contractual terms
  3. Have you confirmed your AI vendor's compliance posture (SOC 2, ISO 27001, ISO 42001, others) and reviewed the most recent attestation?
    • 0 No confirmation
    • 1 Aware of the need
    • 2 Partial review
    • 3 Comprehensive review of vendor attestations
  4. Do you have a process to assess and approve new AI vendors before they are used in your environment?
    • 0 No process
    • 1 Identified the gap
    • 2 Process in development
    • 3 Operational vendor-onboarding process for AI
  5. Do you continuously monitor your AI vendors for security incidents, model changes, and policy updates?
    • 0 No monitoring
    • 1 Reactive only
    • 2 Periodic monitoring
    • 3 Continuous monitoring with documented response

Score yourself on vendor.

The free 30-question Posture Check measures all six dimensions. Get a per-dimension breakdown plus prioritized recommendations.

Take the AI Posture Check
Need help here?

Get a Standard Audit on your vendor controls.

A senior CWS engineer reviews your specific deployments, runs adversarial tests where applicable, and produces a remediation roadmap.

Schedule a Discovery Call