
AI Vendor Due-Diligence Checklist 2026: 6 Domains, 30+ Questions, Buyer-Side Playbook

Six-domain AI vendor diligence: financial, security, privacy, operational, legal, ethics. Plus 30+ specific questions, SOC 2 / ISO 27001 baselines, and review cadence.

What happened

The 6-domain framework crystallized in 2026 as the de facto AI vendor diligence standard. Aggregated from BotsCrew, Atlas Systems, TrustArc, Sirion, Peony, and Resultsense:

The 6 domains:

  1. Business and financial stability — runway, ARR, customer concentration, audited financials.
  2. Information security — SOC 2 Type II or ISO 27001, pen test summaries, incident response plans, subprocessor list.
  3. Privacy and compliance — GDPR, CCPA, HIPAA where applicable; data processing agreements; privacy policy.
  4. Operational resilience — business continuity plan, uptime SLA, RPO/RTO targets, cyber insurance.
  5. Legal and contract risk — IP ownership of prompts/outputs, data portability on exit, indemnification.
  6. Ethics and ESG — model training data sourcing, bias auditing, AI ethics committee posture.

Critical questions to ask every vendor:

  • "Will our data be used to train your AI models?"
  • "Where is our data processed and stored — region, provider, encryption at rest and in transit?"
  • "What third-party AI services do you use? Provide the subprocessor list."
  • "Provide proof of data isolation between tenants."
  • "What is your hallucination rate on representative tasks? Show eval methodology."
  • "What is your incident response timeline and notification SLA?"

Review cadence: Critical vendors annually at minimum with continuous monitoring; high-risk vendors semi-annually; standard vendors biennially.

flowchart TB
  Buyer[Enterprise buyer]
  Buyer --> D1[1 Financial · runway · ARR · concentration]
  Buyer --> D2[2 Security · SOC 2 · pen test · subprocessors]
  Buyer --> D3[3 Privacy · GDPR · HIPAA · DPA]
  Buyer --> D4[4 Operational · BCP · uptime · insurance]
  Buyer --> D5[5 Legal · IP · portability · indemnity]
  Buyer --> D6[6 Ethics · training data · bias · ESG]
  D1 --> Score[Risk score]
  D2 --> Score
  D3 --> Score
  D4 --> Score
  D5 --> Score
  D6 --> Score
  Score --> Cadence[Annual / semiannual / biennial]

Why it matters

40% of 2024-cohort AI startups closed in under 24 months. Buyers who didn't ask financial-stability questions in 2024 are stuck migrating off shut-down vendors in 2026. The cost of a bad vendor choice — sunk integration spend, data extraction risk, retraining users on a replacement — typically runs 3–10x the original contract value.

The 6-domain framework adds AI-specific gates to traditional vendor diligence: training data provenance, hallucination rate disclosure, model isolation, and tenant data segregation. These didn't exist in pre-2023 vendor diligence and are now non-negotiable for AI vendors.

CallSphere context

CallSphere ships an enterprise diligence packet on request. Every domain has a documented answer:

  • Financial: 50+ live customers across 6 verticals, transparent $149/$499/$1,499 pricing, no per-token surprise billing, 4.8/5 rating, 14-day no-card trial proves trial-to-paid conversion.
  • Security: tenant-isolated data, audit logs on every tool call across 90+ tools, configurable encryption, security review documentation.
  • Privacy: per-tenant data residency, healthcare vertical built BAA-aligned for HIPAA, subprocessor list available under NDA.
  • Operational: 99.9% uptime target, structured incident response, named CSM on enterprise tier.
  • Legal: standard MSA with explicit data portability clauses; customer owns prompts and configurations.
  • Ethics: documented model selection criteria across our 37 agents and 115+ DB tables; per-task model routing transparency.

The 22% recurring affiliate program is itself a diligence signal: a vendor with healthy retention can sustain 22% recurring payouts; a vendor with churning customers cannot.

Implications

  1. By Q4 2026, RFPs without a 6-domain section will be rare in enterprise AI procurement.
  2. Vendors that publish a diligence-ready packet pre-emptively will close 20–30% faster than vendors that don't.
  3. The most-asked question of 2026 will be "will you train on our data?" — vendors that say "no by default, opt-in only" win.
  4. Quarterly material-change disclosures will become contractual, not optional.

FAQ

Q: What if a vendor refuses to answer financial-stability questions?
A: That's a hard no. Either they have something to hide or they don't take procurement seriously. Both are disqualifying.

Q: Should we accept SOC 2 Type I or only Type II?
A: Type II for production deployments. Type I is acceptable for pilot phases under 90 days.

Q: How often should we re-run diligence?
A: Annually for critical vendors, semi-annually for high-risk, biennially for standard. CallSphere's enterprise tier ships this cadence.

Q: What's the most overlooked diligence area?
A: Subprocessor lists. Many AI vendors use 3–6 third-party AI services without disclosing them. Always ask.
