§ AI Vendor Due Diligence Questionnaire·client-side form · no sign-up

Send an AI vendor the questionnaire its answers can't dodge.

Answer three questions and get a tailored DDQ your institution can send an AI vendor: grouped questions on governance, model validation, data and security, third and fourth parties, incident response, contract rights, and ongoing monitoring, with the framework drivers that apply to you.

This is a starting-point questionnaire to organize vendor AI oversight, not a finished program. Tailor it to your institution's risk profile and policies.

This runs entirely in your browser. Nothing you select is sent to a server.
§ Read this first

This generator produces a starting-point due-diligence questionnaire to organize vendor AI oversight. It is not legal advice, not a complete compliance program, and not a certification. Tailor it to your institution's risk profile and policies. SR 26-2 is non-binding guidance; the interagency third-party guidance is principles-based. DSE prepares programs for audit and does not certify or guarantee any examination outcome. No data leaves the browser.

§ The form·three questions, then your DDQ
Q1. What does the vendor AI do?

The function decides which sections attach, including whether the fair-lending section is added.

Q2. What data does the vendor touch?

Consumer nonpublic personal information and credit data raise the stakes on data handling, privacy, and security.

Q3. What is your regulatory context?

Select all that apply. Each one adds the framework driver that governs how you oversee a third-party AI vendor.

Answer Q1 and Q2 and select at least one regulatory context to assemble the DDQ.

Your AI vendor due-diligence questionnaire

Scope of this DDQ

§ Frameworks driving this DDQ·the authority behind the questions

The questionnaire


Last reviewed: 2026-06-27 · Initial release. Tied to the June 2023 Interagency Guidance on Third-Party Relationships: Risk Management, 23 NYCRR 500.11, Regulation S-P service-provider oversight, the NAIC AI Model Bulletin, NCUA Letters 07-CU-13 and 01-CU-20, and SR 26-2 model risk. Framework references are date-stamped and re-checked quarterly. Accuracy is the point.

§ When the answers come back thin·fixed-fee, senior-only

Turn a questionnaire into a defensible vendor AI oversight file.

A DDQ opens the conversation. When a vendor's answers raise real questions, a principal pressure-tests the responses, maps the controls and contract rights to the frameworks that govern you, and scopes the readiness work in a 30-minute call.

§ What this is·and what it isn't

A questionnaire to organize oversight. Not a program.

This generator assembles a starting-point due-diligence questionnaire for vendor AI oversight under the frameworks you select. It does not deliver a finished third-party risk program, does not provide legal or regulatory advice, and does not certify compliance. SR 26-2 is non-binding guidance and the interagency third-party guidance is principles-based; the questionnaire organizes a conversation, it does not settle one.

DSE provides AI governance and compliance readiness consulting. We are not an accredited certification body and do not issue ISO/IEC 42001 certificates or certify EU AI Act or NIST AI RMF compliance. We cannot guarantee passing an audit or avoiding enforcement, and we do not provide legal advice. We work alongside your counsel.