AI vendor due diligence checklist for RIAs
Last updated April 13, 2026 · By Isaiah Grant, Founder
Before signing with any AI vendor, an RIA should get written answers to twelve questions covering security, data handling, compliance, and operational continuity. The single most important one is whether the firm's or its clients' data will ever be used to train the vendor's models — most RIAs need a hard no.
The 12 questions, in order of importance
- Will any of our data be used to train your models? Demand a written 'no' or a documented opt-out.
- Do you have a current SOC 2 Type II report? Type I is not enough. Ask for the full report under NDA.
- Where does our data live and who can see it? Cloud region, encryption-at-rest method, employee access logs.
- What happens to our data if we cancel? Deletion timeline in writing — 30 days is standard.
- Do you support our books-and-records obligations under SEC Rule 204-2? Audit trail export format, retention guarantees.
- What's the SLA for security incidents? Notification within 24 hours of discovery is the floor.
- What is your subprocessor list? If they run on OpenAI, Anthropic, or AWS Bedrock, those subprocessors need to flow into our own diligence stack.
- What's your AI-washing posture? Specifically: which features are AI and which are deterministic? The SEC has been enforcing this since 2024.
- Do you have cyber liability insurance? Minimum $5M for any vendor touching client PII.
- What's your uptime track record? Ask for the last 12 months of status-page incidents.
- Can we get a sandbox or test environment? Required to run a compliance review before go-live.
- Who's the vendor's compliance contact? A name and a phone number, not a contact form.
The non-negotiables
Three of the twelve are dealbreakers.
- Data training opt-out: if the vendor reserves the right to train on the firm's data, the firm cannot use the tool with client PII without violating its own privacy policy.
- SOC 2 Type II: Type I documents the design of controls; Type II tests them over a period of months. The SEC's exam priorities for 2026 specifically call out 'cybersecurity controls and oversight of third-party vendors,' which means a Type I won't survive an exam.
- Subprocessor disclosure: the firm needs to know if the vendor's AI runs on OpenAI, Anthropic, or a private deployment, because that decision flows downstream into every other diligence question.
The three answers most vendors fumble
The questions that surface the most useful red flags are about books-and-records support, the subprocessor list, and the cancellation data-deletion timeline. Vendors built for advisors handle these in one email; vendors built for everyone-with-a-credit-card take three rounds and a sales engineer. The vendor that fumbles all three should not be on the shortlist regardless of feature breadth.
Where to put the answers
Capture the answers in a one-page vendor-diligence file inside the firm's compliance folder. Include the date, the responder's name and title, and a screenshot or PDF of the SOC 2 report cover page (not the full report — that's NDA-protected). Re-run the diligence on the renewal anniversary; vendor postures change after acquisitions, funding rounds, and security incidents.
Frequently asked
Is a SOC 2 Type II actually required?
No rule names it specifically, but every CCO worth their seat treats it as the floor. The SEC's 2026 exam priorities include vendor cybersecurity oversight, and the easiest way to show oversight is a SOC 2 Type II review on file.
What if a vendor refuses to share their SOC 2?
That's a no. SOC 2 reports are routinely shared under NDA. A refusal usually means either the report doesn't exist or it has unresolved exceptions the vendor doesn't want to explain.
Do we need a separate diligence file for each AI tool?
Yes. The SEC's books-and-records rule applies per vendor. A single 'AI vendors' folder with one file per vendor is the cleanest pattern.
What's the right SLA for incident notification?
24 hours from vendor discovery is the floor. Some firms negotiate 4 hours for tools that touch high-net-worth client data. Anything longer than 72 hours is unacceptable.
How often should we re-run diligence?
Annually at minimum, plus on any of these triggers: a vendor acquisition, a vendor funding round, a vendor security incident, our own renewal date, or an SEC enforcement action against a similar vendor.