By The DDH Team · Digital Dashboard Hub

AI Vendor Security Questionnaire 2026: 35 Questions Every LLM Vendor Should Answer Before You Sign — Plus CAIQ, SIG, ISO 27001, NIST AI RMF Templates Compared

Six questionnaire frameworks, one job — figure out whether your shortlisted LLM vendor can actually handle your data without leaking it, training on it, or losing it. CAIQ v4 from the Cloud Security Alliance is the free baseline. SIG Lite and SIG Core from Shared Assessments are the auditor favorite. ISO 27001 Annex A is the certification benchmark. NIST AI RMF maps AI-specific risk. A custom AI SIG is what you actually send. Sources cited inline, June 2026.


Procurement teams in 2026 are no longer asking whether to send a security questionnaire to their LLM vendor — they are asking which questionnaire, how many questions, and which answers should kill the deal. The category of acceptable answers has tightened materially in the last eighteen months: regulators in the EU, New York, and California now expect documented diligence on training data, audit log access, and breach notification SLAs before an enterprise pushes production traffic to a third-party model. Most off-the-shelf questionnaires — CAIQ v4, SIG Lite, SIG Core, ISO 27001 Annex A — were written before generative AI was a procurement category, and they leave the AI-specific questions to whoever is buying. Before you fire off a 300-question SIG Core to OpenAI's enterprise team and wait six weeks for a response, run your vendor list through the SOC 2 certified LLM providers comparison so you only questionnaire the vendors who can pass.

**CAIQ v4** is the Cloud Security Alliance's free 261-question control matrix, downloadable at https://cloudsecurityalliance.org/research/caiq, and it is the lingua franca of cloud procurement. **SIG Lite and SIG Core** from Shared Assessments at https://sharedassessments.org/sig/ are the paid industry standard — auditor-accepted, sector-tunable, and the questionnaire most large financial-services buyers actually send. **ISO 27001 Annex A** at https://www.iso.org/standard/27001 is the certification benchmark; if your vendor holds a current ISO 27001 certificate, roughly half the questionnaire is already answered. **NIST AI RMF** at https://www.nist.gov/itl/ai-risk-management-framework is the only major framework written for AI — it does not replace a security questionnaire, but it is the right scaffolding for AI-specific risk. The **Custom AI SIG** is what most sophisticated enterprises are now building — a 30-to-50 question supplement that covers ZDR, BYOK, training opt-out, sub-processor approval, and the procurement questions every general-purpose framework misses. All vendor URLs and framework versions cited in this guide are sourced from vendor pages as of June 2026.

The rest of this guide compares the six questionnaire frameworks side by side, gives you the exact 35-question custom AI SIG to send verbatim, and walks through what acceptable, hedged, and dealbreaker answers sound like in 2026 — plus a five-step procurement playbook. Pair with the enterprise LLM compliance comparison and AI data processing agreements explained for the contract-side homework.


CAIQ v4, SIG Lite, SIG Core, ISO 27001 Annex A, NIST AI RMF, Custom AI SIG — framework overview, June 2026

| Feature | CAIQ v4 | SIG Lite | SIG Core | ISO 27001 Annex A | NIST AI RMF | Custom AI SIG |
|---|---|---|---|---|---|---|
| Number of questions | ~261 control questions | ~330 questions (Lite tier) | ~1,400+ questions (Core tier) | 93 Annex A controls (2022 revision) | ~100 sub-categories across 4 functions | 30-50 questions (you write it) |
| AI-specific questions included | Minimal — generic cloud + data handling | Limited — added some AI/ML in 2024 | Moderate — expanded AI section in SIG 2025 | None — predates generative AI | Extensive — purpose-built for AI risk | 100% — every question is AI-relevant |
| Time to complete (vendor side) | 20-40 hours for first response | 40-80 hours typical | 200-400+ hours for full Core | Already done if certified | Not a vendor questionnaire — internal use | 8-20 hours if vendor is honest |
| Free to use | Yes — CSA member download | No — Shared Assessments membership required | No — Shared Assessments membership required | Yes — standard is open; cert is paid | Yes — NIST publication | Yes — you build it |
| Vendor pre-fill available | Often — in CSA STAR Registry at https://cloudsecurityalliance.org/star | Sometimes — vendor portals | Rarely — usually filled per-customer | Cert + Statement of Applicability available | N/A | Vendor must fill custom — no pre-fill |
| Auditor accepted | Yes — widely accepted as cloud baseline | Yes — financial services standard | Yes — gold standard for regulated industries | Yes — certification is the gold standard | Voluntary framework — not an audit | Supplements other frameworks; not standalone |
| Sector-specific tuning | Generic cloud — no sector overlay | Light sector overlays available | Deep overlays: FFIEC, HIPAA, GLBA | Cross-sector with industry annexes (27017, 27018, 27701) | Sector-neutral; profiles available | You tune to your sector |
| Supply chain / sub-processor coverage | Moderate — sub-processor + 4th-party questions | Strong — dedicated supply chain section | Very strong — full nth-party assessment | Annex A 5.19-5.23 supplier controls | Govern function covers supply chain | Required — list every sub-processor |
| Available languages | English (translations community-led) | English (some member translations) | English (some member translations) | Multiple — ISO publishes in EN/FR/ES/DE/JA | English (NIST authoritative) | Whatever language you write it in |
| Current version | CAIQ v4.0.3 (2024 update) | SIG 2025 Lite | SIG 2025 Core | ISO/IEC 27001:2022 | AI RMF 1.0 (Jan 2023) + GenAI Profile (Jul 2024) | Versioned by you; revise annually |
| Typical cost to buyer | Free download (CSA membership optional) | Included with Shared Assessments membership (~$5K-$25K/yr) | Included with Shared Assessments membership (~$5K-$25K/yr) | Standard ~$200; vendor certification audit ~$15K-$50K | Free (NIST publication) | Internal time to author (~20-40 hours) |
| Best fit | SMB and mid-market sending one general cloud questionnaire | Mid-market and regulated buyers wanting a structured but manageable question set | Enterprise financial services, healthcare, and government | Vendors proving baseline; buyers as filter criteria | Internal AI risk program — informs the custom AI SIG | Any team buying LLM API or AI SaaS where vendor questionnaires miss the AI specifics |

Sources as of June 2026 — verify before relying: https://cloudsecurityalliance.org/research/caiq, https://sharedassessments.org/sig/, https://www.iso.org/standard/27001, https://www.nist.gov/itl/ai-risk-management-framework, https://airc.nist.gov/AI_RMF_Knowledge_Base/Playbook. Questionnaire versions and question counts change with each annual release — confirm the current version before sending and before relying on a vendor's prior-year pre-fill.

What each framework actually covers (and what it misses for AI)

**CAIQ v4** is the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire, published at https://cloudsecurityalliance.org/research/caiq, and it is the most widely used cloud security questionnaire because it is free and because the CSA STAR Registry pre-publishes vendor responses for hundreds of major SaaS companies. The 261 questions cover 17 control domains. The miss for AI buyers: CAIQ was not rewritten for generative AI. There are no questions on training opt-out, fine-tune data treatment, abuse-monitoring retention, or zero data retention. You can send CAIQ and learn whether the vendor has SOC 2 — you cannot learn whether they train on your prompts.

**SIG Lite and SIG Core** from Shared Assessments at https://sharedassessments.org/sig/ are the paid industry standard. SIG Lite at roughly 330 questions is the version most mid-market buyers send. SIG Core at 1,400-plus questions is what large financial-services and healthcare buyers send when they actually mean it. The 2025 release added an expanded AI section covering model governance and training data lineage, but it is still a general supplier-risk questionnaire with an AI module bolted on. Membership runs $5,000 to $25,000 per year per https://sharedassessments.org/membership/.

**ISO 27001 Annex A** at https://www.iso.org/standard/27001 is the international standard for information security management systems. The 2022 revision consolidated 114 controls into 93 across four themes. A current certificate means a vendor has been audited by a recognized body — typically BSI, Schellman, or A-LIGN. The miss: there is no AI-specific control in 27001:2022. ISO 42001 — the new AI Management System standard at https://www.iso.org/standard/81230.html — fills that gap, but adoption is early and most LLM vendors do not yet hold a 42001 certificate.

**NIST AI RMF** at https://www.nist.gov/itl/ai-risk-management-framework is the only major framework written for AI from the ground up. It is voluntary, organized around four functions — Govern, Map, Measure, Manage — and the GenAI Profile released in July 2024 added 12 risk categories specific to generative systems. NIST AI RMF is not a vendor questionnaire; it is the scaffolding you use to build one. **The Custom AI SIG** is what sophisticated 2026 buyers send alongside CAIQ or SIG Lite — a 30-to-50 question supplement covering training opt-out, ZDR, BYOK, fine-tune handling, deletion SLA, sub-processor approval, and breach notification SLA. The right combination depends on buyer profile: SMB sends CAIQ plus the custom AI SIG; regulated mid-market sends SIG Lite plus the custom AI SIG; enterprise financial services adds SIG Core plus ISO 42001 attestation where available.


Encryption, key management, and the BYOK conversation

Encryption at rest and in transit is table stakes — the meaningful question is who holds the keys. Every major LLM provider publishes encryption posture: OpenAI at https://openai.com/enterprise-privacy/, Anthropic at https://www.anthropic.com/trust, Google Vertex AI at https://cloud.google.com/security, AWS Bedrock at https://aws.amazon.com/bedrock/security-compliance/, and Azure OpenAI at https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest. All five use AES-256 at rest and TLS 1.2 or 1.3 in transit. The differentiator is key management.

**Customer-managed keys (CMK)** are available across all five major providers but the implementation varies. AWS Bedrock and Azure OpenAI both support KMS-integrated CMK with full rotation and revocation control. Google Vertex AI supports CMEK for stored fine-tuned model data per https://cloud.google.com/vertex-ai/docs/general/cmek. OpenAI's enterprise tier supports CMK for stored API data. Anthropic supports CMK in select enterprise contracts but it is not a default — get it in writing in the order form.

**Bring Your Own Key (BYOK)** is a stronger posture than CMK because the key never leaves your HSM. True external-HSM BYOK is available on AWS Bedrock with KMS External Key Store per https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html and Azure OpenAI with Key Vault Managed HSM. OpenAI direct and Anthropic direct do not support true external-HSM BYOK as of June 2026. If your security policy mandates external HSM, you are buying Bedrock or Azure OpenAI, not direct API access.

The question your CISO will actually care about is the **key revocation effect** — if you rotate or revoke your CMK, what happens to in-flight requests, cached embeddings, and stored fine-tunes? AWS Bedrock and Azure OpenAI both document that revoked keys break access to stored data within minutes. Get the revocation behavior in writing. NIST SP 800-57 (https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final) recommends at least annual rotation; most teams set 90 days for sensitive workloads. The dealbreaker answer is any version of 'we use industry-standard encryption' without specifics — a 2026 vendor that cannot name their cipher suite, key length, HSM provider, and rotation cadence has not done the work.


Training opt-out, zero data retention, and abuse monitoring

The single most important AI-specific procurement question is whether your prompts and completions are used to train the vendor's models. Every major commercial provider has converged on the same default for enterprise and API tiers: no training on customer data. **OpenAI** confirms at https://openai.com/enterprise-privacy/, **Anthropic** at https://www.anthropic.com/legal/commercial-terms, **Google Vertex AI** at https://cloud.google.com/vertex-ai/docs/generative-ai/data-governance, **AWS Bedrock** at https://docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html, and **Azure OpenAI** at https://learn.microsoft.com/azure/ai-services/openai/concepts/data-privacy. The catch is the consumer tier — ChatGPT free and Plus users have conversations used for training unless they opt out, and many enterprises have not figured out that employees paste source code into personal accounts.

**Zero Data Retention (ZDR)** is the next layer down. Default API behavior at most vendors retains prompts and completions for 30 days for abuse monitoring before deletion (documented at https://openai.com/enterprise-privacy/ and https://privacy.anthropic.com/). ZDR removes this window entirely — the vendor agrees not to log or store prompt or completion content beyond the API call duration. OpenAI offers ZDR on enterprise and select scale-tier contracts on approval. Anthropic offers ZDR on enterprise contracts. AWS Bedrock does not retain by default per their data protection page, which is effectively ZDR-by-default for stateless inference. Azure OpenAI offers ZDR with abuse-monitoring waiver as a formal approval process. Do not assume ZDR is on — verify in writing with the retention window stated explicitly.

**Abuse monitoring** is the flip side of ZDR. The 30-day window exists because vendors need to detect CSAM, CBRN content, malware, and coordinated influence operations. If you waive abuse monitoring, you take on the detection obligation yourself — your AUP must be enforceable, your logging sufficient for forensics, and your incident response must cover model misuse. Most regulated enterprises do this work; most mid-market buyers do not, and they should think hard before requesting ZDR. The acceptable answer is: '30-day retention by default, ZDR available on approval with documented waiver, automated red-flag alerts for admin team on policy violations.' The dealbreaker is: 'We retain indefinitely for service improvement' — a vendor that has not updated their privacy posture since 2023.


Audit logs, breach notification, and sub-processor governance

Audit log access is where many AI vendor relationships quietly fail compliance review. The question is not whether the vendor has logs — they all do. The question is whether you can access them. **AWS Bedrock** ships full CloudTrail; every invocation is logged with IAM principal, model ID, and metadata (content only if you enable model invocation logging at https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html). **Azure OpenAI** ships Azure Monitor. **Google Vertex AI** ships Cloud Audit Logs. **OpenAI** and **Anthropic** direct provide admin-tier logs through enterprise consoles, but granularity is lower. You need SIEM-ingestible JSON with content logging configurable separately from metadata.

**Breach notification SLA** is the single most under-negotiated clause in AI vendor contracts. GDPR Article 33 (https://gdpr-info.eu/art-33-gdpr/) requires processors to notify controllers without undue delay; most enterprise DPAs translate this into 72 or 24 hours. The 2026 norm for AI vendor enterprise DPAs is 72 hours from confirmed breach. Get the trigger event in writing — 'confirmed' versus 'suspected' versus 'reasonable belief' — because the delta is often two to four weeks in practice. Verify the notification channel and whether the vendor will support your downstream notification obligations to end customers.

**Sub-processor approval** is the cousin question. Every major LLM provider uses sub-processors for hosting, moderation, and sometimes human review. OpenAI publishes at https://openai.com/enterprise-privacy/sub-processor-list, Anthropic at https://www.anthropic.com/legal/subprocessors, Google Vertex at https://cloud.google.com/terms/subprocessors. The procurement question is whether you have a right to approve, object, and terminate without penalty if a new sub-processor is unacceptable. Industry standard in 2026 is 30 days' advance notice with right to object.

EU data residency is the geographic dimension. **OpenAI** offers EU residency on enterprise tier. **Anthropic** offers EU residency via AWS Bedrock and Google Vertex in EU regions. **Google Vertex AI** and **Azure OpenAI** support multiple EU regions. **AWS Bedrock** supports Frankfurt, Ireland, Paris, and Stockholm per https://aws.amazon.com/about-aws/global-infrastructure/. If you have customers under Schrems II scrutiny, get the residency commitment for both inference and training-data storage in writing — the training-data residency question is often the one vendors hedge on.


The 35 questions to ask every AI vendor before procurement

What follows is the custom AI SIG worth sending to every LLM vendor in 2026, organized by control domain. Send these alongside CAIQ v4 or SIG Lite — they cover the AI-specific questions the general frameworks miss. The questions are written so that good vendors can answer in 8 to 20 hours total. Vendors that need six weeks to answer are usually telling you something about their security maturity.

1. Do you train on inputs or outputs from our API or enterprise tier by default, and what is the contractual opt-out language?
2. Do you offer zero data retention (ZDR) as a configurable option, and what is the approval process and SLA to enable it?
3. What is the default abuse-monitoring retention window for prompts and completions, and where is that data stored?
4. Can we waive abuse monitoring contractually, and what evidence do you require of our internal abuse-detection program?
5. Do you offer customer-managed encryption keys (CMK), and through which key management service?
6. Do you support true bring-your-own-key (BYOK) with external HSM, and which HSM vendors are validated?
7. What is the key revocation behavior — what happens to in-flight requests, cached embeddings, and stored fine-tunes when our CMK is revoked?
8. What is your key rotation cadence for vendor-managed keys, and can we mandate a custom cadence for CMK?

9. What audit logs are available, in what format, and what is the access and retention model?
10. Can audit logs be exported to a customer-controlled bucket or SIEM in near real time, and at what additional cost?
11. Are prompt and completion contents logged by default, and can we configure that separately from metadata logging?
12. What is your contractual breach notification SLA, and is the trigger event confirmed breach, suspected breach, or reasonable belief?
13. What notification channels do you support — email, webhook, formal letter — and to which designated contacts?
14. Will you support our downstream breach notification obligations to our end customers, and is that obligation captured in the DPA?
15. Where is your current sub-processor list published, and how often is it updated?
16. What is the advance notification window for new sub-processors, and do we have a right to object that allows contract termination without penalty?

17. In which geographic regions can inference run, and where is the training data for our fine-tunes stored?
18. Do you offer EU-only data residency for both inference and any stored training artifacts, and is that commitment in the order form or only on the marketing page?
19. What is the data deletion SLA after contract termination or customer-initiated deletion, and what is the verification mechanism — log entry, attestation, or both?
20. Is there a guaranteed point-in-time deletion option for specific conversations or fine-tune artifacts, and what is the SLA?
21. How is fine-tune training data isolated from other customers, and is it ever used to improve base models even with opt-out?
22. Can we delete fine-tunes and have you certify that no derived model weights persist anywhere in your infrastructure?
23. What is your published Acceptable Use Policy (AUP), and how is AUP enforcement automated versus human-reviewed?
24. What happens to our API access if another tenant in our organization violates the AUP, and what is the appeal process?

25. Do you publish a model card or system card for each production model, and does it include training data sources, known limitations, and evaluation results?
26. Do you publish a red-team report for each major model release, and does it cover prompt injection, jailbreak resistance, CBRN refusal, and bias evaluation?
27. What is your responsible disclosure program for security vulnerabilities, and what is the historical median time-to-fix for high-severity reports?
28. Do you hold a current SOC 2 Type II report, ISO 27001 certificate, and where applicable HIPAA, PCI-DSS, FedRAMP, or ISO 42001 attestation?
29. What is the audit period covered by your most recent SOC 2 Type II, and is there a bridge letter covering the period since?
30. Can we receive a copy of your latest SOC 2 Type II report under NDA before contract signature?

31. What is your DDoS protection and rate-limiting posture, and how do you protect against model extraction attacks on our endpoint?
32. What is your stance on customer pen-testing of your API endpoints, and what is the request process?
33. Do you maintain a documented model governance program covering version management, rollback, and customer notification of model deprecations?
34. What is the minimum notice period before a model is deprecated or behavior changes materially, and is there a contractual right to model stability for our use case?
35. What is your published cyber insurance coverage, what is the limit, and is the coverage extended to liability arising from model outputs?

Send these 35 questions to every shortlisted vendor. The answers will sort the serious vendors from the rest faster than any 1,400-question SIG Core ever will.


What good, hedged, and dealbreaker answers actually sound like in 2026

Reading vendor questionnaire responses is a learned skill, and the AI dimension makes it harder because the marketing has gotten slicker. Good answers in 2026 have three properties: they are specific, dated, and cite a verifiable document — a SOC 2 section, a privacy page URL, a contract clause. Hedged answers use 'industry-standard' and 'best practices' without saying what the practice is. Dealbreaker answers refuse to commit in writing.

On **training opt-out**, the good answer is: 'No, we do not train on customer API inputs by default. Contractual language is at Section X of our Commercial Terms, published [date].' The dealbreaker is: 'Yes, we use customer inputs to improve our models.' On **ZDR**, the good answer is: 'ZDR available on enterprise with abuse-monitoring waiver. Approval takes 5 to 10 business days. Once enabled, no content logged beyond API call duration; metadata retained 90 days.' The dealbreaker is: 'Our standard retention applies to all customers.'

On **breach notification SLA**, the good answer is: '72 hours from confirmed breach, per Section X of our DPA, with email to designated security contact plus webhook. We support customer downstream notification including data classification and scope required for GDPR Article 34.' The dealbreaker is the absence of a written SLA in the DPA. On **sub-processor approval**, the good answer is: 'Current list at [URL], updated within 5 business days. We provide 30 days' advance notice with right to object constituting grounds for termination without penalty per Section X.' The dealbreaker is: 'We do not commit to sub-processor approval rights.'

On **model card and red-team transparency**, the good answer is: 'Each production model has a published system card with training data composition, benchmark results (MMLU, HELM, TruthfulQA, JailbreakBench), known refusal patterns, and pre-release red-teaming covering prompt injection, jailbreak resistance, CBRN refusal, and bias evaluation. Full red-team report available under NDA.' The dealbreaker in 2026 is no published model card at all — the vendor has decided transparency is a marketing risk, which tells you everything about their internal posture.


Build vs. buy: when to self-host instead of questionnaire-ing every vendor

Some teams wonder whether to skip the vendor security review entirely and self-host an open-weight model — Llama 3.1, Mixtral, Qwen2, DeepSeek — in their own VPC. The honest answer in 2026 is: sometimes. Self-hosting eliminates most of the questionnaire by design: no third-party processor, no training opt-out question, no abuse-monitoring window, no sub-processor list. Your security review becomes your own infrastructure security review, which you already have a program for.

Self-hosting wins for highly regulated workloads with deterministic privacy requirements — defense, intelligence, classified government, certain healthcare, and EU public-sector use cases where any data leaving the customer's tenancy is contractually impossible. Llama 3.1 70B on a properly-sized vLLM cluster (https://docs.vllm.ai/) runs roughly $0.50 to $1.50 per million tokens depending on hardware utilization, versus $3 to $15 per million on a managed API. For high-volume regulated workloads, the self-host math wins by 18 months.

Self-hosting loses for almost everything else. You have replaced one set of security questions with another — you still need a model card, red-team evaluation, model-version management policy, fine-tune data lineage tracker, abuse-monitoring program, and an incident response playbook for prompt injection and jailbreak. You still need an internal AUP. You still need to comply with the EU AI Act. The questions migrate to your team — most teams underestimate this by 3 to 6 engineer-months.

The hybrid pattern that works in 2026: keep major commercial vendors for general-purpose work under a strong custom AI SIG plus DPA, and self-host an open-weight model for the specific workloads where data sovereignty is non-negotiable. If you go self-host, the inference economics (GPU hourly cost, utilization, throughput, engineering overhead) move the breakeven further out than back-of-envelope math suggests. Run the math against the OpenAI API cost calculator before deciding self-hosting is cheaper. The bottom line: self-host where sovereignty is the binding constraint, buy where speed and capability matter more, and questionnaire every commercial vendor seriously regardless of brand.


The opinionated 2026 pick: which questionnaire stack to actually send

If I were building a vendor security review program for an AI-heavy team tomorrow, I would do three things. First, download **CAIQ v4** from https://cloudsecurityalliance.org/research/caiq as the baseline cloud security filter. Second, build the **35-question custom AI SIG** from the section above as the mandatory AI-specific supplement. Third, map risk tiers using the **NIST AI RMF GenAI Profile** at https://airc.nist.gov/AI_RMF_Knowledge_Base/ so depth of diligence scales with workload criticality.

For regulated industries — financial services, healthcare, insurance, government — add **SIG Lite** as the supplier-risk overlay because auditor and regulator expectations specifically reference Shared Assessments work. SIG Core at 1,400+ questions is overkill for most LLM vendor reviews; SIG Lite at ~330 questions hits the right balance. For ISO 27001-certified vendors, treat the certificate as a baseline filter and always request the **Statement of Applicability** — if the SoA carves out the AI service from ISMS scope, the certificate is decorative.

I would not send SIG Core to a sub-50-person LLM vendor. The questionnaire takes four months to answer, the answers come back uneven, and you spend more procurement time reviewing inconsistent answers than the contract is worth. For smaller AI vendors, send CAIQ plus the 35-question custom AI SIG and supplement with a 60-minute security architecture review with the vendor's CTO. You learn more in that call than from 1,400 questions.

For ISO 42001 at https://www.iso.org/standard/81230.html, adoption is early and most LLM vendors do not yet hold a current certificate. Ask whether they are pursuing 42001 and what the target audit window is. The vendors with a plan and a target are investing in mature AI governance. The vendors that dismiss it will struggle when EU AI Act enforcement scales in 2027. Finally — do not rely on pre-filled CAIQ in the CSA STAR Registry without freshness checks. Pre-fills go stale; vendor postures change. Resend questionnaires annually at renewal. Pair this work with the zero data retention LLM options guide when ZDR is the binding requirement.

How to run an AI vendor security review that actually filters bad vendors

  1. 1

    Step 1: Define the risk tier and binding requirements before any questionnaire goes out

    Before you download CAIQ or write a single custom AI SIG question, write a one-page risk profile: what data classification touches the model (public, internal, confidential, restricted), what regulatory regimes apply (GDPR, HIPAA, GLBA, PCI-DSS, EU AI Act risk tier, FedRAMP), and what your binding requirements are (ZDR yes/no, EU residency yes/no, BYOK yes/no, sub-processor approval rights yes/no). Use the NIST AI RMF Map function as the scaffolding. A SIG sent without a risk profile is procurement theater; a custom AI SIG sent with a clear risk profile is a real filter. The profile also tells stakeholders what is non-negotiable, preventing the late-stage scope creep that turns 6-week procurement into 6-month.

  2. 2

    Step 2: Shortlist vendors against the binding requirements before sending the questionnaire

    If ZDR is binding, do not send a 35-question SIG to a vendor that publishes 30-day retention with no waiver — read the trust page first and disqualify them. Use the public posture pages (https://openai.com/enterprise-privacy/, https://www.anthropic.com/trust, https://cloud.google.com/security, https://aws.amazon.com/compliance/, https://learn.microsoft.com/azure/compliance/) for cheap filtering before expensive filtering. A good shortlist is 3 to 5 vendors; a great one is 2 to 3. The vendors will spend 8 to 20 hours each on the response — only send to vendors you would actually buy from if the answers checked out.

  3. 3

    Step 3: Send CAIQ v4 plus the 35-question custom AI SIG together, with a clear timeline

    Bundle into a single procurement package: CAIQ v4 (free from https://cloudsecurityalliance.org/research/caiq) as cloud baseline, the 35-question custom AI SIG as the AI supplement, plus the latest SOC 2 Type II, ISO 27001 certificate and Statement of Applicability, DPA template, sub-processor list, and any published model cards or red-team reports. Give a 4-week response window. Send a follow-up at day 14 for clarifications. Run a 60-minute architecture review call with the vendor's security team at day 21 to ground-truth the written answers.

  4. 4

    Step 4: Score answers against your binding requirements and document the dealbreakers

    Build a one-page scorecard per vendor: requirement, vendor answer, evidence (URL or document section), risk assessment (acceptable, hedged, dealbreaker), remediation if hedged. The scorecard is the artifact your CISO signs and your auditor reviews. Do not soften dealbreakers because the vendor is a brand name — if OpenAI cannot give you contractual EU residency in writing and you need it, that is a dealbreaker regardless of brand. The scorecard also gives negotiating leverage: vendors sometimes change their position when a requirement is identified as a procurement blocker, especially in the last two weeks of their quarter.

  5. Step 5: Get the binding answers into the contract, not just the questionnaire response

    Questionnaire responses are not contracts. Every binding requirement — ZDR, EU residency, BYOK, breach notification SLA, sub-processor approval rights, deletion SLA, training opt-out — must land in the DPA or order form to be enforceable. Vendors will sometimes try to confirm in email and leave the DPA generic; do not accept that. Get every binding answer into the contract document, have it reviewed by counsel, and file the executed contract in your compliance evidence repository. Schedule the renewal-time re-review at month 10 of a 12-month contract — vendor postures drift, and you do not want to discover the drift in renewal week.
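A minimal scorecard evaluator that applies the Step 4 risk categories (acceptable, hedged, dealbreaker) together with the Step 5 rule that a "yes" on a binding requirement counts only when it is backed by the DPA or order form. This is an added example, not the article's own tooling; the rule set, the evidence classes, and the sample vendor response are constructed.

```python
from dataclasses import dataclass

# Added example: verdicts follow Step 4; a "yes" on a binding requirement counts
# only when it is backed by the DPA or order form, per Step 5.
CONTRACTUAL = {"dpa", "order_form"}

@dataclass
class Row:
    requirement: str  # e.g. "ZDR", "EU residency" (names from the guide)
    binding: bool     # from the requirements matrix built in Step 1
    vendor_says: str  # "yes", "partial" or "no", as given in the response
    evidence: str     # "dpa", "order_form", "email", "trust_page" or "none"

def score(row: Row) -> tuple:
    """Return (verdict, remediation) for one scorecard line; hypothetical rule set."""
    if row.vendor_says == "no":
        if row.binding:
            return "dealbreaker", "disqualify unless the vendor changes position in writing"
        return "hedged", f"note '{row.requirement}' as a negotiation item"
    if row.vendor_says == "partial":
        return "hedged", f"negotiate a full commitment on '{row.requirement}'"
    if row.binding and row.evidence not in CONTRACTUAL:
        return "hedged", f"move '{row.requirement}' from {row.evidence} into the DPA/order form"
    return "acceptable", ""

def scorecard(vendor: str, rows: list) -> dict:
    # One-page scorecard: per-row verdicts plus the sign-off decision.
    lines = []
    for r in rows:
        verdict, fix = score(r)
        lines.append({"requirement": r.requirement, "answer": r.vendor_says,
                      "evidence": r.evidence, "verdict": verdict, "remediation": fix})
    dealbreakers = [l["requirement"] for l in lines if l["verdict"] == "dealbreaker"]
    open_items = [l["requirement"] for l in lines if l["verdict"] == "hedged"]
    return {"vendor": vendor, "rows": lines, "dealbreakers": dealbreakers,
            "open_items": open_items, "ready_to_sign": not (dealbreakers or open_items)}

# Constructed sample response for a fictitious vendor; values are illustrative only.
SAMPLE = [
    Row("ZDR", True, "yes", "dpa"),
    Row("EU residency", True, "no", "trust_page"),
    Row("Breach notification SLA 72h", True, "yes", "email"),
    Row("Training opt-out", True, "yes", "order_form"),
    Row("ISO 42001 roadmap", False, "partial", "email"),
]
if __name__ == "__main__":
    card = scorecard("ExampleVendor (constructed)", SAMPLE)
    for line in card["rows"]:
        print(f'{line["requirement"]:28} {line["verdict"]:12} {line["remediation"]}')
    print("ready to sign:", card["ready_to_sign"])
```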


Frequently Asked Questions

Is CAIQ v4 enough on its own for an AI vendor security review in 2026?

No. CAIQ v4 at https://cloudsecurityalliance.org/research/caiq is an excellent free baseline covering encryption, identity, supply chain, and business continuity across 261 questions. But it was not rewritten for generative AI — there are no questions on training opt-out, ZDR, abuse-monitoring retention, fine-tune data treatment, or model card transparency. Send CAIQ as the baseline plus the 35-question custom AI SIG from the procurement section above as the AI-specific supplement. CAIQ alone leaves your auditor and regulator with material gaps.

What is the difference between SIG Lite and SIG Core, and which one should I send to an LLM vendor?

**SIG Lite** at ~330 questions is the right balance of rigor and reviewability for mid-market and regulated buyers. **SIG Core** at 1,400+ questions is the gold standard for large financial services, healthcare, and government — but it is overkill for most LLM vendor reviews, takes vendors 200-400+ hours, and produces uneven answers. For LLM vendor reviews, SIG Lite plus the 35-question custom AI SIG covers the use case better than SIG Core alone. Send SIG Core only when your sector's regulator explicitly requires it. Membership at https://sharedassessments.org/membership/ runs ~$5,000-$25,000/yr.

Does ISO 27001 certification mean an LLM vendor is safe to use without further questionnaire review?

No. ISO 27001 at https://www.iso.org/standard/27001 certifies that a vendor has an ISMS aligned to 93 Annex A controls — it does not certify the specific AI workload, does not cover training opt-out or ZDR, and its scope is defined by the vendor's own Statement of Applicability. Always request the SoA alongside the certificate; if the AI service is excluded from ISMS scope, the certificate tells you very little. Treat ISO 27001 as a baseline filter and supplement it with the 35-question custom AI SIG plus a current SOC 2 Type II covering the AI service.

How is NIST AI RMF different from a security questionnaire?

NIST AI RMF at https://www.nist.gov/itl/ai-risk-management-framework is a voluntary risk management framework organized around four functions (Govern, Map, Measure, Manage); the GenAI Profile adds 12 risk categories specific to generative AI. Use AI RMF internally as scaffolding — define your risk appetite, identify binding requirements per workload, then translate into the 35-question custom AI SIG you send to vendors. AI RMF tells you what to ask about; the custom AI SIG gets the answers. They complement each other.

Should I require zero data retention (ZDR) from every LLM vendor I use?

No — only require ZDR where the workload's data classification or regulatory regime makes the default 30-day abuse-monitoring retention unacceptable. ZDR is available from OpenAI, Anthropic, and Azure OpenAI, and effectively by default on AWS Bedrock on approved contracts. Enabling ZDR transfers the abuse-detection obligation to you — your AUP must be enforceable and your incident response must cover model misuse. For most non-regulated production workloads, the 30-day vendor abuse window is acceptable and the operational simplicity is worth the trade-off.

How long should an LLM vendor take to respond to a 35-question custom AI SIG?

An honest, mature vendor should respond in 8 to 20 working hours of effort, typically 2 to 4 calendar weeks. Vendors that take 6 to 8 weeks are usually telling you something about their security operating tempo — the team is small, the answers require legal review for the first time, or responses are not standardized. Vendors that need 8+ weeks to answer 35 AI-specific questions are vendors whose security posture you should pressure-test in a 60-minute architecture review call before continuing procurement.

Is a vendor SOC 2 Type II report a substitute for sending a security questionnaire?

No. SOC 2 Type II attests that a vendor's controls operated effectively over a specified audit period — typically 6 to 12 months. It is strong evidence for security, availability, processing integrity, confidentiality, and privacy controls. But it does not answer AI-specific questions about training opt-out, ZDR, fine-tune data treatment, or model card transparency. Always request the latest SOC 2 Type II alongside your questionnaire, verify the audit period and any qualifications in the auditor's opinion, and treat the report as evidence for the relevant answers — not as a substitute for the questionnaire.

What is the biggest procurement mistake teams make with AI vendor security reviews?

Accepting questionnaire responses in email and not getting binding answers into the contract. The vendor's email reply that 'yes, we offer ZDR and our breach SLA is 72 hours' is not enforceable. The DPA and order form are. Every binding requirement — ZDR, EU residency, BYOK, breach notification SLA, sub-processor approval rights, deletion SLA, training opt-out — must land in the executed contract to survive an audit. The second biggest mistake is not re-reviewing at renewal: vendor postures drift. Schedule a renewal-time re-review at month 10 of every 12-month contract.

Do I need ISO 42001 certification from my LLM vendor in 2026, or is that premature?

Useful to ask about, premature to require. ISO 42001 at https://www.iso.org/standard/81230.html is the new AI management system standard — the AI counterpart to ISO 27001 — covering AI governance, lifecycle management, and risk treatment. Adoption is early in 2026; most major LLM vendors are working toward certification but few hold a current certificate. Ask each vendor whether they are pursuing 42001 and what their target audit window is. Vendors with a plan and a target date are investing in mature AI governance. Document the answer; do not yet require the certificate.
