AI Vendor Due Diligence Gap Security Questionnaire 2026
The AI Due Diligence Gap
The deal that stalled on question 47
A procurement team sends a vendor security questionnaire. You fill it in confidently. SOC 2 Type II report attached. ISO 27001 certificate current. Cyber Essentials renewed. Everything in order.
Then the buyer's security team comes back with a supplementary section. Questions about model drift monitoring. Training data provenance. Prompt logging and data residency. Agentic permissions and rollback procedures. An AI Bill of Materials listing every sub-processor that touches inference data.
The SOC 2 report says nothing about any of this. It was never designed to.
This is happening more and more across enterprise procurement in the UK, Türkiye and the UAE. Buyers are adding AI-specific sections to vendor questionnaires because regulators are requiring it, insurers are asking about it, and the numbers now have a price tag: IBM's 2025 Cost of a Data Breach Report found that breaches involving shadow AI cost USD 670,000 more on average than those that didn't involve AI. The same research found that 63% of breached organisations had no AI governance policy at all.
Shadow AI is the use of unauthorized or unvetted artificial intelligence tools by employees within an organization.
Scaling businesses feel this in a particular way. The AI tools are already in the building. CRM enrichment, proposal generation, lead scoring, contract analysis, customer support automation. The tools arrived faster than the governance. And the governance question now arrives through the procurement channel, from buyers whose business you want to win.
The practical question is simple: what should you be asking your own AI vendors that your current security questionnaire doesn't cover?
SOC 2's Trust Services Criteria were built for conventional SaaS: availability, confidentiality, processing integrity, privacy, security. Schellman, one of the leading SOC 2 audit firms, says this openly. The criteria don't cover hallucination rates, model behaviour between release cycles, or whether a vendor trains on your data by default. ISO 27001 is a solid information security framework, but it predates generative AI and doesn't get into model-specific risks at the level of detail buyers now need.
This is important because AI isn't a separate purchase any more. It's baked into the tools you already use. Lenovo's Work Reborn research (April 2026, surveying 6,000 enterprise employees) found that over 70% use AI tools weekly, with up to a third operating outside IT oversight. Cisco's State of AI Security 2026 report puts the readiness gap plainly: 83% of organisations plan to deploy agentic AI, where systems take autonomous actions on behalf of users. Only 29% feel prepared to secure those deployments.
Where the standard questionnaire stops
1. Model behaviour and drift
A conventional SaaS tool behaves predictably between updates. An AI model's outputs can shift when the underlying model is updated, retrained, or fine-tuned. If the vendor updates the model and your workflow starts producing different results, the SOC 2 report has no mechanism to flag that change.
Real-world example: think of a lead-scoring tool that silently starts ranking a different buyer persona higher because of a backend model refresh. Your sales team sees pipeline shift with no explanation.
Questions to ask: what is the baseline accuracy rate? How is drift detected? How are customers notified before a model change affects their workflows?
2. Training data and IP exposure
Where did the training data come from? Is your data used to improve the model? What IP indemnity covers both the training data and the outputs?
Real-world example: a small architecture firm using an AI visualisation tool needs to know whether its project renders become training material for the next model version.
The ICO's contracts-and-third-parties guidance already expects UK deployers to include accuracy KPIs and audit clauses in AI supplier contracts, but most small business procurement hasn't caught up.
3. Prompt logging and data residency
When an employee pastes client data into an AI tool, where does that prompt go? Who can access it? Where is it stored? What happens to it at contract exit?
Standard security questionnaires ask about data-at-rest and data-in-transit. They rarely ask about inference data: the prompts, completions, and tool calls that flow through AI systems during normal use.
Real-world example: a customer support agent pasting a client's billing dispute into an AI summariser might be sending sensitive data to a server in a jurisdiction nobody checked.
4. Embedded AI and sub-processors
The Salesloft/Drift security incident in August 2025 showed what happens when a vendor's AI component gets compromised. Stolen OAuth tokens from Drift's chatbot infrastructure affected over 700 companies including Cloudflare, Palo Alto Networks and Zscaler. The AI component was embedded in the product. It appeared in no security questionnaire.
The practical takeaway: ask every vendor to disclose every AI feature, every third-party model invoked, and every sub-processor that processes prompts or completions.
5. Agentic permissions
AI agents that take autonomous actions, like scheduling meetings, sending emails, modifying records, or executing transactions, introduce a category of risk that conventional access controls weren't designed for.
Real-world example: imagine a small sales team using an agent that automatically sends a calendar invite and a summary email after a demo. If it misreads the thread and adds a client's competitor to the invite, the damage is immediate and hard to unwind. The same risk applies wherever agents write to systems of record: updating CRM fields, raising purchase orders, changing access permissions, issuing refunds, or escalating support cases.
Questions to ask: how are agent identities provisioned and scoped? Is every agent mapped to an accountable human owner? Can the agent be limited to read-only actions until a human approves?
These are new questions, and many vendors won't have polished answers yet. But asking them tells you whether the vendor has considered the risk at all. Standard vendor security questionnaires don't contain them because the questionnaires predate agentic AI in production.
The regulatory picture across three markets
Regulators have moved. Vendor questionnaires are catching up.
United Kingdom. The DSIT Cyber Security Breaches Survey 2025/2026 (published 30 April 2026) found that only 15% of UK businesses formally review their immediate suppliers' cyber posture. Six percent look at the wider supply chain. These numbers predate the explosion of AI vendors. NCSC's Guidelines for Secure AI System Development (co-authored with CISA and 16 other agencies) set expectations around drift monitoring, dataset governance and supply-chain disclosure that vendor questionnaires are still absorbing. Cyber Essentials v3.3 (live from 27 April 2026) introduced mandatory MFA on every cloud service, an automatic fail criterion that catches AI tools previously left out of scope.
Türkiye. KVKK issued dedicated Agentic AI guidance on 15 April 2026, building on its November 2025 Generative AI guideline. The April guidance treats derived and inferred data as personal data, requires written allocation of accountability among developer, provider and deployer, and treats AI output accuracy as a substantive obligation under KVKK Article 4(1)(d). For Turkish companies selling internationally, this means erroneous AI-generated outputs used in individual assessments may constitute unlawful processing.
United Arab Emirates. The Information Assurance Standard V2.1 (November 2025) adds explicit AI, Cloud and Third-Party security control families. For businesses selling into UAE government and semi-government, this is a procurement gate. DIFC Regulation 10 requires mandatory data protection impact assessments, bias assessments and audit evidence for any system processing personal data through autonomous or semi-autonomous means. The ADGM FSRA Cyber Risk Management Framework (29 July 2025) explicitly requires pre-contractual due diligence on AI-driven service providers.
EU AI Act. The Digital Omnibus provisional agreement on 7 May 2026 moved Annex III high-risk obligations to December 2027. That eases the immediate legal deadline but doesn't relieve the commercial pressure: buyers asking AI-specific questions in procurement are asking them now, regardless of enforcement timelines.
Building an AI due diligence baseline
The supplementary questionnaire is a good starting point: it forces the conversation. But on its own it's not enough. It works best as part of a wider approach.
Layer 1: Inventory first. Before assessing vendors, know what you already have. List every SaaS tool in use across the business. For each, identify whether it contains an AI feature, when that feature shipped, and what data it touches. This is harder than it sounds. In a 50-person business, someone probably installed a free AI note-taker extension last month. Marketing might be using a Canva AI feature nobody in IT knows about. The exercise surfaces surprises, and it's a moving target, not a one-off. But even an imperfect list gets you ahead of where you were yesterday.
Layer 2: Supplement the questionnaire, then follow through. SOC 2, ISO 27001 and Cyber Essentials remain foundational. They cover infrastructure, access controls, incident response and operational security. The supplement covers the five areas they weren't built for. But getting written answers is only step one. Use those answers to shape the contract: ask for notification obligations when the vendor changes its underlying model, seek audit rights around training data usage, and demand clear data processing terms that explicitly cover inference data.
If the vendor is large and you're small, you might not get everything you ask for. That's fine. Document what you couldn't verify, decide if you can accept the residual risk, and consider a shorter contract term or a break clause tied to material model changes.
Layer 3: Align governance to a framework. NIST AI RMF gives you a shared vocabulary. ISO 42001 is becoming the recognised standard, with KPMG International becoming the first Big Four entity to achieve certification in December 2025. Full certification is a heavy lift for most scaling businesses. Alignment, mapping your controls to the framework, is a proportionate first step. It helps you tell a coherent story to buyers and regulators without committing to an audit cycle you're not ready for.
A sense of proportion matters. A copywriting tool with no access to customer data and no decision-making authority needs a lighter assessment than an AI system scoring credit applications or generating regulatory reports. The depth of your questions should match the value of the contract, the sensitivity of the data, and the consequences if the AI gets it wrong.
AI vendor deployments are accelerating across scaling businesses because the commercial case is clear. The governance needs to keep pace. The organisations that build this into procurement now will be the ones ready when the buyer asks the question, because the question is already landing in their inbox.

