dealrescueGuides › AI-CAIQ

Guide · Standard questionnaires

The AI-CAIQ: what it is, why your buyer just sent you one, and how to answer it

In October 2025 the Cloud Security Alliance published the AI-CAIQ — the AI extension of the CAIQ (Consensus Assessments Initiative Questionnaire), the self-assessment that enterprise security teams have used for a decade to vet cloud vendors. If your product "uses AI" anywhere in its marketing, expect the AI-CAIQ, or questions copied from it, in your next vendor assessment.

The questionnaire itself is free to download from the CSA (cloudsecurityalliance.org — AI-CAIQ). What's not free is knowing how to answer it when you're a 10–50 person company with no compliance team.

What buyers actually look for in AI-CAIQ responses

Across AI-CAIQ, SIG 2026 and custom buyer questionnaires, the recurring asks are remarkably consistent:

The training-data trap

Do not answer "customer data is never used for training" by reflex. The correct answer cites two layers: (1) your own practice (you don't train or fine-tune), and (2) your model provider's data processing agreement. Enterprise APIs from major providers do not train on API inputs by default — but verify the current version of the DPA you actually signed before asserting it in writing. A response that cites the specific agreement survives due diligence; a bare "never" invites the follow-up that stalls your deal.

How a small vendor answers well — the method

  1. Build the inventory first. Half the questionnaire derives from it. One page: capabilities, models, providers, data, regions, oversight, logging. (This is why we include a One-page AI Inventory in every engagement — buyers ask for it next anyway.)
  2. Answer from documents, not from memory. Every claim about your company should trace to something written — a DPA, a policy, a screenshot of the disclosure label. If it isn't written down, it's a gap, not an answer.
  3. State gaps with the procurement-tested formula: current state + compensating control + "in progress" + a target only if it's real. Buyers accept honest gaps with a plan; they punish vague yeses discovered later.
  4. Cite the law precisely where relevant — e.g. transparency obligations under Regulation (EU) 2024/1689, Art. 50, applicable from 2 August 2026 (not postponed by the Digital Omnibus). Precision here is what separates a credible vendor from one that pasted ChatGPT output. See our Article 50 guide for the provider-vs-deployer distinction that most responses get wrong.

What not to do

Sources
  • Cloud Security Alliance, AI-CAIQ (published 16 October 2025)
  • Regulation (EU) 2024/1689 (EU AI Act), Art. 50, Art. 113
  • Shared Assessments, SIG 2026 (AI risk domain)

Got an AI-CAIQ on your desk?

We answer it completely, with citations, in 48 hours — $490 flat, paid after delivery. Want proof first? The first 3 answers are free.

Send your questionnaire →