Do you know the 5 categories of responsible use of AI?

Written By Peter Vogel

SCworld.com reported that “Frameworks like NIST AI RMF and laws like the EU AI Act provide useful reference points for AI governance. But they focus on obligations for AI developers and deployers, not on how enterprise buyers should evaluate vendors.” The December 18, 2025 article entitled " Why traditional procurement breaks down for AI risk and governance” (https://tinyurl.com/w9ntech8) included Five categories that matter for responsible AI:

Traditional vendor questionnaires were not designed for AI systems. Rather than expanding them, consider focusing on categories that address AI-specific risks.

The categories below are not exhaustive. They represent gaps we believe translate between enterprise needs, existing frameworks, and startups building and deploying AI applications.

#1 Security and reliability

Prompt injection, training data poisoning, and model manipulation present attack surfaces traditional software does not. Consider asking how vendors defend against these threats and what happens when models fail or drift. Red teaming should be ongoing, not a one-time certification.

#2 Accountability

AI outputs are harder to audit than database queries. Consider asking how vendors log decisions, trace outputs to inputs, and support investigations when something goes wrong. The depth of inquiry will depend on your use case and regulatory environment.

#3 Governance

Regulation is being developed; vendors who build governance early will adapt faster than those who bolt it on later. California's AB 2013, effective January 2026, requires disclosure of training data sources. The result is a new reference point for procurement teams evaluating foundation models themselves, or applications built on top of those models.

#4 Privacy and data

AI raises questions about how customer data trains models, who accesses it, and how long it persists. Are prompts logged? Used to retrain the model? Accessible to vendor employees? For sensitive information, these questions matter as much as traditional data protection.

#5 Output quality and downstream impacts

AI carries risks traditional software does not: output bias, hallucinations, and training data memorization. None appear in SOC 2 certifications. Ask how vendors test for and mitigate these risks. If your use case touches customer outcomes in regulated domains, these questions become litigation exposure.

What do you think?

Peter Vogel
Next

Do you really want AI to cancel customers?