What should be assessed during the initial onboarding of AI vendors?

Prepare for the ISACA Advanced in AI Security Management (AAISM) Test. Study with in-depth multiple choice questions, each offering insightful hints and detailed explanations. Equip yourself with expert knowledge and get exam-ready!

Multiple Choice

What should be assessed during the initial onboarding of AI vendors?

Explanation:
During initial onboarding of AI vendors, the focus should be on how the vendor’s AI strategy and governance align with your organization’s risk tolerance and objectives, with strong emphasis on ethics and data security. This matters because the decisions a vendor makes about how their models are trained, evaluated, and deployed directly shape risk exposure for your organization.

First, alignment of AI strategies and values ensures the vendor’s approach to AI—such as prioritizing safety, reliability, and responsible use—fits your governance framework and business goals. If their philosophy clashes with your policies on accountability or transparency, you’ll face conflicting practices down the line.

Second, adherence to ethical considerations matters because it covers fairness, bias mitigation, explainability, and human oversight. You want to know how they address potential harms, monitor model behavior, and provide mechanisms for accountability when issues arise.

Third, data security and privacy protection are crucial since data used by AI systems can be sensitive and subject to regulations. Assess how data is handled end-to-end, including data minimization, access controls, encryption, retention, data provenance for training data, third-party data use, subprocessor management, and incident response and breach notification capabilities. Also verify governance documents, certifications, and privacy impact assessments where applicable.

Other aspects, such as marketing claims, hardware procurement, or language support, may be relevant to smooth operation, but they do not establish the foundational risk controls and governance needed at onboarding.

