SIG 2026 added an AI risk domain. Here's what your buyer's TPRM team now expects from you
The SIG (Standardized Information Gathering questionnaire, by Shared Assessments) is the workhorse of third-party risk management: banks, insurers and large enterprises use it to assess thousands of vendors a year. The 2026 edition added AI as a standard risk domain, mapped to ISO/IEC 42001 — which means AI questions stopped being an exotic annex and became part of the default checklist a TPRM analyst runs on every software vendor.
Why this matters more than the AI Act itself (for your pipeline)
A regulator might never look at a 20-person SaaS vendor. A TPRM analyst at your prospect will — because the SIG is how their employer decides whether to sign you. When the AI domain came into the standard, every vendor with "AI" in the product acquired a new sales gate overnight. The blocked deal, not the fine, is the 2026 risk. (On the actual penalty framework and dates, see our Article 50 guide.)
What the AI domain asks about
- Governance — do you have an AI policy? Who owns AI risk? Is there training for staff using AI systems? (Under Regulation (EU) 2024/1689, Art. 4, "supporting the development" of AI literacy has applied since 2 February 2025.)
- Inventory and provenance — which AI systems and models, from which providers, doing what, on which data.
- Data governance — what customer data reaches models, where it's processed, whether it trains anything, retention of prompts/outputs.
- Human oversight and output controls — review workflows, disclosure of AI-generated content, incident handling.
- ISO/IEC 42001 alignment — the mapping target. Buyers ask "are you certified?"; increasingly RFPs list 42001 as preferred or required.
Answering the ISO 42001 question when you're not certified
Most 10–50 person vendors are not ISO 42001 certified, and pretending otherwise is fatal. The response that works: state you are not currently certified, describe the AI governance controls you genuinely operate (inventory, transparency labelling, human oversight, logging), note the 42001 themes those controls map to, and say certification is evaluated as customer demand requires. Buyers score honesty with substance far above unverifiable claims.
Also on the horizon: the EU's model contractual clauses
Beyond questionnaires, buyers have begun importing the EU AI model contractual clauses (MCC-AI, updated March 2025, available in 24 languages) from public procurement into private contracts as a de-facto standard. If your enterprise deal reaches contract stage, expect AI-specific warranties drawn from them — one more reason your questionnaire answers must describe only controls you actually run, because you may be asked to warrant them contractually two weeks later.
The efficient path for a small vendor
- Build the one-page AI inventory (it answers a third of the domain).
- Adopt a lightweight AI use policy (2–3 pages) and record staff completion of a short training — the two items TPRM analysts score first.
- Answer the questionnaire from documents, flag true gaps with a remediation step, and never claim what you can't evidence.
- Shared Assessments, SIG 2026 — AI risk domain, ISO/IEC 42001 mapping
- Regulation (EU) 2024/1689, Art. 4 (AI literacy), Art. 50 (transparency)
- EU AI model contractual clauses, updated March 2025 (public-buyers-community.ec.europa.eu)