Buy AI With Confidence
AI Vendor Due Diligence
Structured AI procurement governance with TCI scoring
- 30-Day End-to-End Process
- 6 Auto-Disqualifiers
- 3-Score TCI Formula
Why Procurement and Risk Teams Use This Playbook
Score Every Vendor the Same Way
The TCI formula — 50% Documentation Completeness, 30% Transparency Score, 20% Regulatory Alignment — gives every vendor assessment a consistent, defensible number. Buy at 0.75 or above. Hold between 0.50 and 0.74. No-Buy below 0.50. No more gut-feel procurement decisions.
Six Instant No-Buys
Some vendors fail before scoring starts. If a vendor has no security certification, refuses to provide a DPA, uses your customer data for training without opt-out, or has active regulatory enforcement, they're out. Six automatic disqualifiers stop bad vendors before they reach your AI stack.
Know Exactly What to Request
Green tier vendors need 3 documents. Amber needs 8. Red needs 12 or more. The documentation requirements matrix tells your team exactly what to request at each tier — model card, DPA, security certification, bias and fairness report, penetration test, business continuity plan, and more.
Assessment Template Included
Part B is a fully structured, fillable assessment template — 6 sections covering vendor identification, documentation checklist, TCI calculation with computation worksheet, findings and gaps, domain expert sign-offs, and next steps. Complete one per vendor and file it as your audit record.
Reassessment Triggers Built In
Vendor approval isn't permanent. Five triggers kick off reassessment: scheduled reviews by tier, vendor model version changes (within 30 days), security certification expiry (60 days notice), vendor security incidents (immediate), and regulatory changes (within 90 days). Your vendor list stays current.
What You Get
- Part A: Due Diligence Procedures. The full procedural framework — purpose and scope, regulatory alignment (EU AI Act, GDPR/PDPA/CCPA, PCI-DSS), roles and responsibilities, 6-stage process with timelines, documentation requirements by tier, TCI methodology, decision framework, and ongoing monitoring schedule.
- 6-Stage Due Diligence Process. End-to-end process from initiation to approval: Stage 1 Initiation (Day 1), Stage 2 Scoping (Days 2-3), Stage 3 Information Gathering (Days 4-14), Stage 4 Assessment (Days 15-21), Stage 5 Recommendation (Days 22-25), Stage 6 Approval (Days 26-30). Each stage has a defined output document.
- Assessment Depth Matrix by Risk Tier. Side-by-side comparison of Green, Amber, and Red tier requirements across 5 assessment elements: documentation review (3 / 8 / 12+ docs), security assessment, privacy assessment, bias/fairness review, and approval authority. Reassessment frequency: Annual / Semi-annual / Quarterly.
- 10-Document Vendor Requirements Checklist. Required vendor documents mapped to tier applicability: model card, data privacy statement, and security certification (all tiers); bias and fairness report, subprocessor list, DPA, training opt-out (Amber and Red); penetration test report, business continuity plan, EU AI Act compliance (Red only).
- TCI Formula and Scoring Rubrics. The complete Third-Party Comfort Index methodology: formula (0.50 x DC + 0.30 x TS + 0.20 x RA), component definitions, and 5-level scoring rubrics for each component. Documentation Completeness scores from 0 (critical docs missing) to 1.00 (all current and complete).
- 6 Automatic Disqualifiers with Rationale. Vendors that trigger an automatic No-Buy regardless of TCI score: no security certification, refuses DPA, uses customer data for training without opt-out, known regulatory enforcement action, refuses bias testing disclosure, data residency in prohibited jurisdiction. Each disqualifier maps to a specific policy reference.
- Approval Authority Matrix. Approval requirements by TCI classification and risk tier. BUY decisions: AI Risk Officer (Green), MRM Team (Amber), Committee (Red). HOLD: requires remediation plans. NO-BUY: Committee exception only for Green — not permitted for Amber or Red tiers.
- 5-Trigger Reassessment Schedule. Ongoing monitoring triggers with timelines: scheduled reviews by tier (Annual/Semi-annual/Quarterly), vendor model version change (within 30 days), security certification expiry (60 days before expiry), vendor security incident (immediate full reassessment), regulatory change (within 90 days).
- Part B: Fillable Assessment Template. Six-section working template: vendor identification (10 fields including Assessment ID in TPA-[YYYY]-[NNN] format), documentation checklist with Y/N fields and notes column, TCI component score worksheet with computation formula, key strengths and gaps sections, domain expert sign-off table, and next steps with reassessment scheduling.
- Regulatory Alignment Reference Table. Key requirements to verify per regulation: EU AI Act (high-risk classification, conformity assessment, transparency), GDPR/PDPA/CCPA (DPAs, adequacy decisions, data subject rights, cross-border transfers), and PCI-DSS (cardholder data handling, security controls, attestation).
When to Use This Playbook
Evaluating a new AI vendor or LLM provider
Your business unit wants to sign up for an AI platform — ChatGPT Enterprise, Claude for Work, Gemini, or a specialist AI tool. Use this playbook to run a structured 30-day assessment, score the vendor against the TCI formula, and produce a documented Buy/Hold/No-Buy recommendation before any contract is signed.
Standardizing procurement across business units
Different teams are buying AI tools with different levels of scrutiny. This playbook gives every team the same process, the same document checklist, and the same scoring methodology. Procurement, Risk, Legal, and IT all review the same template. You get consistency and a central vendor registry.
Presenting vendor risk to an audit committee
Your audit committee wants to know how third-party AI tools are evaluated and approved. The TCI methodology, automatic disqualifiers, approval authority matrix, and fillable template give you a documented, defensible process you can walk auditors through with specific evidence for each vendor approved.
Reassessing an existing approved vendor
A vendor you've already approved has updated their model, had a security incident, or is approaching certification expiry. Section 7's reassessment schedule tells you exactly what to review and within what timeframe. The same assessment template applies to reassessments, keeping your vendor records consistent.
Responding to a regulatory requirement on AI procurement
Regulators are asking how your organization governs third-party AI vendors. This playbook implements GenAI Governance Policy v3.0 Section 7 and aligns to EU AI Act, GDPR, PDPA, CCPA, and PCI-DSS requirements. You have documented procedures and a completed assessment template for every approved vendor.
The 6-Stage Due Diligence Process
| Stage | Activities | Output | Timeline |
|---|---|---|---|
| 1. Initiation | Business unit submits request; determine preliminary risk tier | DD Request Form with initial tier classification | Day 1 |
| 2. Scoping | Set assessment depth based on risk tier and data classification | Scope Document confirming required documents and review team | Days 2-3 |
| 3. Information | Collect vendor documentation; send questionnaire; chase missing items | Vendor Package with all submitted documentation | Days 4-14 |
| 4. Assessment | Domain experts review; calculate TCI score across 3 components; identify gaps | Completed Assessment Template (Part B) with TCI score and findings | Days 15-21 |
| 5. Recommendation | AI Risk Officer makes Buy/Hold/No-Buy recommendation with written rationale | Recommendation Report with TCI classification and conditions | Days 22-25 |
| 6. Approval | Tier-appropriate approval authority signs off; contract finalization proceeds | Approval Record filed in vendor registry; next reassessment date set | Days 26-30 |
Common Questions
What is the TCI and how does it work?
Which AI vendors does this cover?
What makes a vendor an automatic No-Buy?
How long does a full vendor assessment take?
How does this connect to the GenAI Governance Policy and MRM Standards?
Does the template work for reassessments as well as initial assessments?
Before You Sign with Any AI Vendor — Run This Process.
A complete AI procurement framework with TCI scoring and a fillable assessment template. Free. Updated for 2026.