
AI vendor due diligence — the 22 questions that matter.

Procurement-ready questionnaire scoring model risk, data handling, evaluation and incident response.

Author: Third-Party Risk · Published: Jan 2026 · Read time: 5 min · Format: Checklist
Topics: ISO 42001 · AI governance · Third-party risk
MAST Consulting Group · AI Governance (ISO 42001) practice

Use this checklist as a working artefact. Every item is something MAST Consulting Group has watched pass or fail under audit on an AI Governance (ISO 42001) programme — not theoretical good practice. The order matters: the early items are gating, the later items are refinements that only pay off once the basics are in place.

Definition

AI vendor due diligence is a structured procurement-phase assessment that evaluates a third-party AI provider's model risk, data-handling practices, evaluation methodology and incident-response capability before contract award. The 22-question questionnaire framework maps to ISO 42001 Annex A, NIST AI RMF GOVERN function, and CBUAE Outsourcing Regulation requirements, producing a scored risk profile that informs contractual protections and ongoing monitoring cadence.

Why it matters

The pressure on AI Governance (ISO 42001) programmes is shifting in specific, observable ways:

  • CBUAE Outsourcing Regulation (Notice 3020/2021) requires UAE banks to conduct pre-engagement due diligence on all material third-party service providers, including those delivering AI-enabled services — failure to document this attracts supervisory findings.
  • SAMA Cybersecurity Framework control 3.3.5 (third-party cybersecurity) mandates that CSF domains are verified in vendors processing sensitive data; AI vendors with model outputs feeding credit decisions are explicitly in scope.
  • Undisclosed sub-processors training on client data represent a PDPL Article 17 (UAE) and PDPL Article 19 (KSA) violation; the questionnaire surfaces sub-processor chains before data flows are established.
  • Enterprise AI SaaS contracts typically carry AED 1–10M annual value; a vendor failure (data breach, model error, regulatory sanction) without contractual protections leaves buyers bearing full remediation cost.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Completed vendor questionnaire — 22 scored questions, vendor responses, supporting evidence files, reviewer score and recommendation.
  • Vendor ISO 42001 / ISO 27001 certificate — issuing CB, scope, expiry date, surveillance audit status.
  • Penetration test summary (vendor-provided) — scope, date, critical/high finding count, remediation status.
  • Model evaluation report — accuracy, bias metrics, red-team outcomes, rollback procedure documented.
  • Incident-response SLA documentation — notification timeframe, escalation contacts, breach-notification commitment aligned to the 72-hour window under UAE PDPL Article 17.
  • Sub-processor register — name, country, processing activity, data-transfer mechanism (SCC / adequacy decision).

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: Procurement and Information Security teams customise the 22-question questionnaire to include CBUAE Outsourcing Regulation and ISO 42001 Annex A control references; load into vendor portal (Ariba or equivalent).
  • Day 31–60: Vendor Risk Analyst scores returned questionnaires; vendors scoring <70% are escalated to enhanced review, including a virtual interview with the vendor's CISO and AI lead.
  • Day 61–90: Legal drafts AI-specific contract schedule covering data-handling, evaluation frequency, incident notification (72-hour PDPL window), model change notification and audit rights.
  • Day 90+: Third-Party Risk Manager uploads approved vendors to GRC platform (ServiceNow VRM); sets annual reassessment trigger and contract-renewal review 90 days ahead of expiry.
  • Ongoing: Monitor vendor security advisories and certification renewals; re-trigger questionnaire on material product change or regulatory incident involving the vendor.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Questionnaire response rate: 100% of material AI vendors complete assessment before contract signature.
  • Scoring pass threshold: vendors scoring ≥75/100 cleared for standard contract; 60–74 require compensating controls schedule; <60 escalated to CISO for risk-acceptance or disqualification.
  • Enhanced review rate: ≤15% of vendors require enhanced review (indicating well-scoped initial screening).
  • Contractual AI schedule coverage: 100% of production AI vendor contracts include model-change notification clause (≥30 days' notice) and audit-right provision.
  • Annual reassessment completion: 100% of material AI vendors reassessed within 12 months of previous assessment.

The working checklist

Use this list during your next AI Governance (ISO 42001) review cycle. The phrasing is intentionally observable — every item is something a reviewer can sample for, not an aspiration.

  • Verify: incident log for AI failures and near-misses.
  • Verify: shadow AI use cases that never reached the intake.
  • Verify: model cards that document the model but not the deployed system.
  • Verify: no human-oversight design for high-risk use cases.
  • Verify: data lineage that breaks at the embedding store.
  • Verify: AI policy.

Pitfalls we keep seeing

Across MAST Consulting Group's AI Governance (ISO 42001) portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: shadow AI use cases that never reached the intake.
  • Pattern: model cards that document the model but not the deployed system.
  • Pattern: no human-oversight design for high-risk use cases.
  • Pattern: data lineage that breaks at the embedding store.

What good looks like in every one of these cases is the same: the control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on AI Governance (ISO 42001) engagements because the integrations are cheap and the evidence is defensible:

  • ticketing for use-case intake
  • model registries (MLflow, SageMaker Model Registry, Vertex)
  • evaluation harnesses (Ragas, DeepEval)

Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs AI Governance (ISO 42001) programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this checklist is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for AI Governance (ISO 42001) programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
