How to answer the AI section of a security questionnaire — the method, start to finish
Your buyer sent a vendor assessment. Somewhere around page four, the AI section starts: which models do you use, does customer data train them, are you compliant with the EU AI Act. Nobody on your team has answered one before, the deal is waiting, and every wrong answer is discoverable later. This is the method we use on every engagement — it works whether the questionnaire is an AI-CAIQ, a SIG 2026, or a buyer's custom spreadsheet.
Step 1 — Build the inventory before answering anything
A third to half of any AI section derives from one artifact: the AI systems inventory. One page, one row per AI capability:
- What the capability does (e.g. "draft generation from customer documents")
- Model and provider (OpenAI / Anthropic / Google / self-hosted), and whether you fine-tune
- What customer data reaches the model, and in which region it's processed
- Human oversight (who reviews output, when it's mandatory)
- Logging and retention of prompts/outputs
- User-facing disclosure (labels, notices)
- Whether the provider appears on your public subprocessor list, and the DPA you hold with them
Answer the questionnaire from the inventory and every response stays consistent — inconsistency across answers is the #1 thing that triggers buyer follow-up rounds.
Step 2 — Handle the training-data question with two layers
"Is customer data used to train or fine-tune AI models?" needs a two-layer answer: your own practice (you don't fine-tune) and your provider's contractual terms. Enterprise APIs from the major providers don't train on API data by default — but check the version of the DPA you actually signed before asserting it in writing. Citing the specific agreement is the difference between an answer that closes the question and one that spawns three follow-ups.
Step 3 — Survive "Are you compliant with the EU AI Act?"
Never a blanket "yes" — legal reviewers treat it as a red flag. Four parts:
- Classification: most B2B SaaS is limited/minimal risk — outside the high-risk use cases of Annex III of Regulation (EU) 2024/1689. Say so explicitly.
- Applicable obligations: typically Art. 50 transparency (from 2 August 2026 — not postponed by the Digital Omnibus) and Art. 4 AI literacy (since 2 February 2025). Beware the provider-vs-deployer trap: a SaaS shipping a model under its own brand owes the provider duties of Art. 50(1) — our Article 50 guide covers the full map.
- Measures in place: the controls you actually run, stated factually.
- Ongoing work: the real gaps, each with a plan.
Step 4 — State gaps with the formula procurement accepts
Current state + compensating control + "in progress" + realistic target. Example: "A formal AI risk policy is not yet documented. Interim control: mandatory human review of all AI output and 90-day logging. Policy adoption is in progress, targeted before [date your leadership actually approved]." Never invent a control. Never commit a date nobody approved. A defensible "not yet, here's the plan" wins deals; a hopeful "yes" collapses in due diligence — and by contract stage you may be asked to warrant your answers.
Step 5 — Flag what only a lawyer can answer
Questions about regulated sectors, biometrics, employment decisions or credit scoring can change your legal classification. Guessing is how vendors end up with questionnaire answers that contradict their own contracts. Mark those items "under legal review" — one flagged question reads as diligence, ten wrong ones read as negligence.
The time math (and the shortcut)
Done in-house for the first time, this is realistically one to two weeks of a founder's or engineer's attention — mid-deal, when momentum matters most. That's the trade we exist for: we deliver the complete draft — every answer, the gap summary, the inventory — in 48 hours for $490 flat, paid after delivery, everything marked for your review before submission. And if you want proof before committing: send the questionnaire and we answer the first 3 questions free, so you judge the work itself. See a full sample deliverable here.
- Regulation (EU) 2024/1689 — Art. 4, Art. 50, Art. 113, Annex III
- Digital Omnibus, adopted 16/29 June 2026 (high-risk dates moved; Art. 50 unchanged)
- CSA AI-CAIQ (Oct 2025); Shared Assessments SIG 2026; EU MCC-AI clauses (Mar 2025)