Why enterprises now send AI governance questionnaires before contract
- EU AI Act deployer duties, model-risk frameworks, and board oversight all land at procurement.
- The reviewer is building a defensible file: inventory, tier, diligence, evidence, re-review trigger.
- Your answers enter the buyer's vendor file and often the contract as representations.
- A fast, cited, consistent return makes the reviewer's own job easier, and is quietly decisive.
- The file you build for one review is most of the file the next enterprise will ask for.
The accountability moved, and procurement is where it lands
For years, an enterprise buying software checked security and privacy and stopped there. What changed is that the enterprise is now answerable for the behaviour of AI it deploys, whoever built it. EU AI Act obligations attach to deployers, not only developers. Financial regulators treat vendor models inside model-risk frameworks. Boards have added AI to their risk agendas and expect management to evidence oversight of third-party AI specifically. Auditors and, increasingly, insurers ask how AI vendors were assessed. The buyer cannot discharge any of that after the contract is signed; procurement review is the only moment of leverage, so that is where the demand concentrates. Recent procurement surveys consistently put the share of large enterprises requiring AI governance evidence from vendors at a substantial and rising majority.
What the reviewer must prove internally
The person sending you the spreadsheet is building their own file. They typically must show: an inventory of AI vendors in use; a risk tier per vendor with rationale; diligence proportionate to the tier; evidence retained for audit; and a re-review trigger when the vendor's AI changes. Read their questions through that lens and the strange ones make sense: they are not curious about your prompt templates, they need a defensible record that they asked.
What this means for how you answer
Three consequences follow. First, your answers outlive the review: they enter the buyer's vendor file and often the contract as representations, so they must stay true, not just read well on submission day. Second, speed is a feature the buyer feels: their reviewer is measured partly on cycle time, and a vendor whose answers arrive complete, cited, and consistent makes the reviewer's own job easier, which is quietly decisive. Third, the demand is portable: the file you build to pass one enterprise's review is most of the file the next enterprise will ask for, so the first thorough response is an asset, not a cost.
The reframe that matters
Vendors who treat the questionnaire as friction produce late, defensive, inconsistent answers and stall in review. Vendors who understand that the questionnaire is the deal, the actual gate between signature and no signature, resource it accordingly and clear reviews in days. Nothing about the questions changes; everything about the outcome does.
Key terms
- Deployer accountability
- The buyer's own regulatory and governance duty for AI they put into use, whoever built it — the reason procurement now asks vendors so much.
- Vendor risk tier
- The reviewer's classification of a vendor's AI by risk, which sets the depth of diligence they must evidence.
- Representation
- A statement of fact from vendor to buyer; questionnaire answers are frequently attached to the contract in this form.
- Cycle time
- The elapsed time from questionnaire issued to review closed — a metric the buyer's reviewer is measured on and a vendor can shorten.
- Procurement gate
- The point at which the buyer can enforce AI accountability on a vendor; after signature the leverage is largely gone.