← All assessments
AI Governance Assessment

How Exposed Are You to Your Vendors’ AI?

Eighteen scored questions across six risk dimensions for AI-enabled SaaS — the questions every CISO and GC should be asking before signing or renewing.

  • A scored profile across 6 dimensions — see exactly where you're strong and where the gaps are.
  • Your biggest opportunities, mapped to specific next moves.
  • A personalized video walkthrough from Shawn (optional) — a real read on your results.
18 questions 6 min Instant results Free

Most AI vendor risk doesn't surface during procurement — it surfaces eighteen months later, when a quietly enabled feature inside a SaaS your team already uses turns out to be sending prompts to a model provider you never approved, governed by a DPA that predates the AI era. The procurement, legal, and security workflows that vetted these vendors weren't built for this, and the gap opens fastest at renewal: the contract auto-renews, the AI capability is bigger than it was on day one, and no one re-asked the questions that would have stopped a sign-off.

This free scorecard scores your AI vendor risk posture across six dimensions in about six minutes. It's built from 27 years of technology leadership across Fortune 500 and growth-stage companies — the same lens a fractional Chief AI Officer would bring to your first conversation about inventory, contracts, data boundaries, security review, ongoing monitoring, and exit.

What the AI vendor risk scorecard measures

Risk posture is a profile, not a single number. The scorecard scores six dimensions independently so you can see where you're defensible and where the gaps are: AI Vendor Inventory (do you know which vendors use AI on your data), Contracts & Liability (do your MSAs, DPAs, and AI addenda cover training, IP, and indemnification), Data Boundaries (where your prompts and outputs actually go), Vendor Security Posture (have you reviewed the model layer not just the general SOC 2), Ongoing AI Monitoring (will you detect quietly enabled features), and Exit & Data Deletion (can you get out cleanly, with proof). The final question maps the specific AI vendor risks — training use, IP claims, shadow AI, change blindness, exit lock-in — that you're actively worried about.

Why AI vendor risk matters before the next renewal

Organizations that treat AI vendor risk as a one-time procurement question end up signing renewal after renewal on paper that no longer reflects what the vendor is doing with their data. The teams that hold a defensible posture do three things others skip: they keep a live inventory of which SaaS vendors are doing AI on company data, they standardize an AI addendum that covers training opt-outs, IP indemnification, residency, and deletion of derived artifacts, and they put a named owner across legal, security, and procurement on the surface so DPA and sub-processor changes don't slip past renewal. A scorecard turns a vague concern into a sequenced plan, and it tells you whether your constraint is visibility, contract language, security review, or simply the renewal cycle.

What you get at the end

You'll see an overall AI vendor risk score, a band that describes where you stand (from Pre-Foundation through Strong AI Vendor Governance), a per-dimension breakdown, and a map of the AI vendor risks you most need to harden first across data use, IP, security, discovery, monitoring, and exit. From there you can request a personalized video walkthrough — a short, recorded read on your specific results and what a fractional Chief AI Officer engagement would do for your AI vendor governance program. No generic sales deck.

Frequently asked questions

What is an AI vendor risk scorecard?

It's a structured evaluation of whether your organization has the inventory, contracts, data boundaries, security review, monitoring, and exit posture to defensibly govern the AI-enabled SaaS vendors you already work with. Rather than measuring AI knowledge, it measures the controls — like training opt-outs, AI addenda, and deletion proof — that determine whether a vendor incident becomes your incident.

How long does the scorecard take?

About six minutes. It's 18 scored questions across six dimensions plus a final risk-mapping question covering data use and training, IP and liability, security and posture, discovery and inventory, monitoring and change, and exit and continuity. Your progress auto-saves, so you can leave and resume without losing answers.

Is the scorecard free?

Yes. The scorecard and your scored results are completely free. You can optionally request a personalized video walkthrough of your results, which is also free.

Who is this scorecard for?

It's built for CISOs, general counsel, heads of procurement, and CIOs who need a clear-eyed read on the AI risk sitting inside their existing SaaS stack — and a sequenced plan for what to fix before the next renewal cycle.

What AI vendor risks should I actually be worried about?

The most common high-impact areas are silent AI feature enablement inside existing SaaS, missing model training opt-outs, IP indemnification gaps on generated outputs, unverified residency and sub-processor routing, audit-log blind spots at the prompt and output layer, and exit clauses that don't address deletion of embeddings or fine-tuned model artifacts. The scorecard's final question maps these so you can see which deserve the next renewal cycle's attention.