
Third-Party AI Use Due Diligence Pack: A Disciplined Way to Manage AI Risk Across the Supply Chain

A practical due diligence solution for assessing how vendors and service providers use AI in delivering services. The pack includes a supplier AI use questionnaire, risk assessment framework, AI contract addendum, implementation playbook, and vendor AI register.

Lewis Ho

Shadow AI

Most organizations do not set out to appoint an “AI vendor.” They engage software providers, outsourcing partners, customer service firms, recruitment platforms, analytics providers, managed service operators, and specialist consultants. Yet across these relationships, artificial intelligence is increasingly embedded in the way services are delivered.

Sometimes that use is obvious. More often, it sits behind the interface: in data processing, workflow automation, customer communications, software features, document handling, quality monitoring, or decision support. A vendor may also rely on downstream providers that use AI further along the service chain. From a commercial perspective, the engagement may look routine. From a governance perspective, it may present a materially different risk profile.

That distinction now matters. The question is no longer whether a business is adopting AI internally. It is whether third parties are already using AI on the business’s behalf and whether the business has a reliable way to identify that use, assess the resulting exposure, and apply suitable controls before the relationship becomes operationally embedded.

The Third-Party AI Use Due Diligence Pack is designed to give organizations a structured, implementation-ready framework for identifying supplier AI use, assessing legal and operational risk, and strengthening governance through targeted contractual and procedural safeguards.


Why this matters now

A vendor does not need to market itself as an AI company to create AI-related exposure. Any third party using AI in the delivery of services may raise issues involving personal data, confidential information, intellectual property, automated decision-making, explainability, quality control, accountability, regulatory compliance, and downstream subcontracting.

For senior management, this is not a niche technology issue. It is a question of visibility, control, and governance. If suppliers are using AI in ways that influence service delivery, data handling, outputs, or decision support, the organization needs to know where that use sits, what risks it creates, and whether the contractual framework reflects the reality of the arrangement.

A structured AI due diligence process helps organizations:

  • gain visibility into where suppliers are using AI

  • identify higher-risk use cases before contracting or onboarding

  • assess whether additional controls, approvals, or escalation are needed

  • align vendor review with internal AI governance requirements

  • reduce legal, compliance, and operational exposure through appropriate contract terms

Done properly, this is not merely a legal safeguard. It is a practical management discipline that strengthens procurement, supports risk oversight, and improves the quality of decision-making across the vendor lifecycle.


Why this is particularly important for listed companies

Boards and senior executives are already expected to approach governance, risk management, internal controls, and disclosure with increasing rigor. As AI becomes more deeply embedded in products, services, and business operations, supplier AI use can quickly become relevant not only to legal and operational exposure, but also to broader governance and reporting expectations. This is particularly important in the context of ESG reporting and risk management strategy.

Where suppliers use AI in ways that affect privacy, cybersecurity, workforce practices, customer outcomes, operational resilience, or decision-making quality, those issues may also shape how the company explains its governance approach, risk oversight framework, and technology-related controls. Investors, regulators, counterparties, and other stakeholders are paying closer attention to how businesses identify emerging risks and manage them through governance systems rather than reactive remediation.

For listed companies, a more disciplined approach to vendor AI risk assessment can therefore support several objectives at once:

  • strengthening board-level oversight of emerging technology risk

  • improving internal documentation of risk identification and escalation

  • supporting a more credible account of governance and control processes in ESG-related disclosures

  • showing that AI-related exposure is being addressed within supply chain and operational risk management

  • reducing the risk of inconsistency between public reporting and actual vendor oversight practice

In that sense, the Third-Party AI Use Due Diligence Pack is useful not only as a procurement or legal tool, but also as part of a more mature approach to enterprise risk management for Hong Kong listed issuers.


The challenge many organizations now face

In practice, AI-related exposure often enters the business through ordinary supplier relationships rather than through a formal enterprise AI programme.

A customer service provider may use AI to generate responses. A recruitment platform may apply automated screening. A SaaS provider may activate generative features within an existing product. A data-processing vendor may use AI-assisted workflows without that being fully understood at onboarding stage. A subcontractor may introduce AI tools downstream without clear visibility at the contracting level.

Each of these scenarios can create issues around privacy, confidentiality, output quality, oversight, accountability, and contractual fit. Yet many existing vendor review processes still do not ask the right questions in a sufficiently structured way.

That is the gap this service is designed to address.

What the service covers

The service combines supplier-facing information gathering, risk-based review, contractual safeguards, and implementation support. It is designed to be practical enough for day-to-day use and robust enough to support sophisticated governance expectations.

Supplier AI Use Questionnaire

At the centre of the pack is a Jotform-based Supplier AI Use Questionnaire, available in both a universal version and a Hong Kong version. It is designed to gather key information on whether and how a supplier uses AI in delivering products or services.

The questionnaire helps identify matters that standard vendor forms often miss, including:

  • whether AI is used in service delivery

  • what functions or use cases it supports

  • what categories of data are involved

  • whether personal data, confidential information, or sensitive business information is affected

  • whether there is human oversight over AI-generated outputs

  • whether subcontractors or downstream providers use AI in the service chain

This provides internal teams with a more reliable factual basis for assessing whether a supplier’s use of AI is low-risk, higher-risk, or unsuitable without further controls.

Risk Assessment Framework

The pack includes a Risk Assessment Framework that translates supplier responses into a structured review. Rather than leaving teams to interpret answers on an ad hoc basis, the framework supports a more consistent methodology for assigning risk levels based on legal, privacy, security, operational, governance, and reputational considerations.

This helps organizations distinguish between lower-risk and higher-risk use cases and provides a reasoned basis for escalation, approval conditions, or further investigation.

Vendor Agreement on AI Use / AI Contract Addendum

Where supplier AI use creates additional exposure, standard contract terms may not be enough. The pack therefore includes a template Vendor Agreement on AI Use, or AI Contract Addendum, designed to address AI-related safeguards, restrictions, transparency obligations, accountability, and risk allocation.

This provides a contractual basis for dealing with issues such as disclosure of AI use, limits on data use, oversight expectations, downstream provider responsibilities, and obligations where AI-related concerns arise during the course of the relationship.

AI Use Due Diligence Playbook

A process is only useful if internal teams know when and how to apply it. The pack therefore includes an AI Use Due Diligence Playbook—a concise guidance note explaining when to send the questionnaire, how to approach vendors, how the risk scoring works, when to escalate internally, and what remediation steps may be considered.

The playbook is designed to help procurement, legal, compliance, and risk teams operate from a shared approach rather than improvising from matter to matter.

Vendor AI Register

To support governance on an ongoing basis, the pack also includes a Vendor AI Register—a spreadsheet-based record containing the information completed by vendors. This turns the pack into more than a one-off questionnaire. It creates a practical mini-governance system that helps organizations track supplier AI use across relationships and maintain a central record for oversight, review, and follow-up.

Why senior management should pay attention

For senior management, the significance of this service is not confined to legal compliance. The broader issue is control.

If AI-related questions in the supply chain are not identified early, they can become embedded in critical processes before the organization has decided whether the risk is acceptable. By the time concerns emerge, the vendor may already have access to sensitive information, the business may already be operationally dependent on the service, and the commercial relationship may already be difficult to unwind.

A disciplined supplier AI due diligence process shifts the point of control forward. It brings visibility to vendor AI use before onboarding, renewal, or deeper integration. It supports better-informed contracting. It improves the basis for escalation and challenge. It also helps demonstrate that AI-related exposure is being managed through existing governance channels rather than left to informal assumptions.

For sophisticated organizations, and especially for listed companies in Hong Kong, that matters. A documented, repeatable approach to third-party AI risk management can support stronger internal controls, more coherent risk reporting, and more credible governance narratives for boards, investors, and other stakeholders.


Who this service is for

This pack is suitable for organizations that want a more structured and operational approach to third-party AI risk and supplier AI due diligence, including:

  • legal teams

  • procurement teams

  • compliance and risk functions

  • privacy and data protection teams

  • governance and internal audit teams

  • regulated businesses and listed companies

  • Hong Kong listed issuers seeking stronger alignment between operational controls, risk management, and ESG-related reporting

It is particularly relevant where suppliers may use AI in handling personal data, processing confidential information, supporting customer interactions, enabling software functionality, producing automated outputs, or operating through subcontracted delivery models.

What organizations gain from a structured approach

When implemented properly, a structured due diligence process helps organizations create a stronger foundation for vendor governance in an AI-enabled environment.

The practical benefits include:

  • clearer visibility into where suppliers are using AI

  • more consistent vendor review and escalation

  • stronger alignment between procurement, legal, compliance, and risk teams

  • better use of contractual protections where AI is involved

  • a more defensible record of assessment and decision-making

  • improved governance over supplier AI use across the organization

  • stronger support for enterprise risk management and, where relevant, ESG reporting narratives

These are not abstract advantages. They help organizations make better decisions early, reduce the likelihood of late-stage surprises, and demonstrate that emerging technology risk is being approached with discipline rather than improvisation.


A practical next step for organizations reviewing supplier AI risk

Much of the discussion around AI governance begins with internal adoption. In practice, one of the more immediate sources of exposure may sit outside the organization—in the vendors and service providers already involved in delivering critical products and services.

The Third-Party AI Use Due Diligence Pack offers a practical response. It brings together a supplier questionnaire, a risk assessment framework, an AI contract addendum, an internal playbook, and a vendor AI register in a single, usable solution.

For organizations seeking a more disciplined approach to vendor AI risk assessment, third-party AI due diligence, AI governance in supply chains, and supplier risk management, it provides more than a policy statement. It creates a workable control point that can be integrated into procurement, onboarding, contract review, and governance processes.

For Hong Kong listed companies in particular, it also supports a more mature approach to risk management strategy and ESG-related governance disclosure—two areas where stakeholders increasingly expect substance, not broad assurances.

If your organization is reviewing how AI-related exposure enters the supply chain, this is a sensible place to start.

FAQ
  1. Is this only for vendors that sell AI products or AI services?

No. This pack is designed for any third party that may use AI in delivering products or services to your organization. The risk often arises not because the vendor is an “AI company,” but because AI is being used somewhere in the service chain.

  2. When should the questionnaire be sent to a vendor?

The questionnaire is typically sent during vendor onboarding, procurement review, contract renewal, or where there is reason to believe a supplier uses AI in service delivery. It can also be used as part of a broader review of existing vendors.

  3. Can this pack be adapted for Hong Kong or internal governance requirements?

Yes. The package includes a Hong Kong version of the supplier questionnaire, which references the PDPO, SFC and HKEX requirements and digital policy, and it can be aligned with internal governance, legal, compliance, and procurement requirements to fit the organization’s review process.