Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI vendor assessments: what questions should security teams ask?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI in vendor and internal software needs explicit procurement scrutiny around opt-in use, data training, documentation, retention, monitoring, and downstream cost exposure, according to Delinea. Procurement teams cannot treat AI as a feature toggle; they need governance gates that surface hidden data, control, and accountability risks before renewal or expansion.

NHIMG editorial — based on content published by Delinea: Essential AI questions for a comprehensive vendor security assessment

Questions worth separating out

Q: How should security teams assess AI features in vendor software before buying?

A: Start with data access, activation controls, retention, training use, and integration scope.

Q: Why do AI vendor assessments need more than a standard security questionnaire?

A: AI changes how data moves, how long it is retained, and whether it may be used to improve a model.

Q: What do security teams get wrong about AI in procurement?

A: They often focus on model capability and ignore governance boundaries.

Practitioner guidance

  • Require explicit AI enablement approvals Do not accept AI features that activate by default or through vague product banners.
  • Classify AI prompt and output handling as a data-flow review Map where prompts, inputs, outputs, logs, and telemetry are stored, shared, or reused.
  • Make training and fine-tuning terms contract-critical Require clear answers on whether customer data is used to train or fine-tune models, whether the instance is dedicated, and whether data can be excluded from training.

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • The complete questionnaire language Delinea uses for AI vendor due diligence across procurement and renewal cycles.
  • The vendor-specific distinctions Delinea draws between internal AI use and customer-facing AI features.
  • The full list of assessment prompts on training, retention, third-party sharing, and output monitoring.
  • The context behind Delinea's own governance approach to AI use in its products and internal functions.

👉 Read Delinea's full AI vendor security assessment questions →

AI vendor assessments: what questions should security teams ask?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI procurement has become an identity governance problem, not just a vendor due-diligence problem. Once a vendor's AI can ingest customer data, retain prompts, or trigger downstream workflow effects, the organisation is making an access and lifecycle decision as much as a commercial one. That decision spans human reviewers, service integrations, and emerging agentic workflows, so the governance model must cover all three where they intersect. Practitioners should treat AI review as part of identity governance, not as a separate checklist.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, which is a useful benchmark for understanding how quickly unmanaged access debt accumulates.

A question worth separating out:

Q: Who should own accountability for AI risk in vendor management?

A: Accountability should sit with procurement, security, privacy, legal, and the business owner together. AI risk is cross-functional because it affects data protection, contractual terms, audit evidence, and operational access, so no single team can approve it safely in isolation.

👉 Read our full editorial: AI vendor security assessments need explicit governance questions



   
ReplyQuote
Share: