AccuroAI
Platform
What We Do
Solutions
Company
Resources
Book demo
← Blog·AI Compliance11 read

The 50-Question AI Vendor Security Questionnaire Every CISO Should Be Sending in 2026

Procurement teams are bolting AI sections onto their security questionnaires faster than vendors can answer them. We assembled the 50 questions that actually matter — and put them in a downloadable Excel template you can send your vendors this week.

P
Priya Sundaram
Head of Vendor & Procurement Research
2026-06-08

Answer box

Procurement and vendor-risk teams at Fortune 1000 enterprises started bolting AI-specific sections onto their security questionnaires in 2025. By mid-2026, those sections have a shape: they pull from the Cloud Security Alliance's AI-CAIQ, the Shared Assessments SIG AI module, the OWASP Top 10 for Agentic Applications, and internal RFPs that procurement teams swap with each other in Slack groups. Most AI vendors aren't ready. We assembled the 50 questions that consistently show up in these questionnaires, organized them into eight domains with a scoring rubric, and put the whole thing in an Excel template you can hand to your vendors this week. This post explains the framework, walks through ten sample questions, and points to the free download.

Why this template exists

Twelve months ago, no procurement team had an "AI vendor security questionnaire." The question of whether to buy an AI tool was a feature comparison, not a security review.

That changed in 2025 for three reasons. First, the OWASP Top 10 for Agentic Applications (December 2025) gave the discipline a shared risk vocabulary — overnight, vendor-risk teams had ten categories of questions to ask. Second, the Cloud Security Alliance shipped AI-CAIQ in early 2026 and won the CSO Award — instantly the most cited reference questionnaire. Third, Section 1557 of the ACA in the U.S. and Article 25 of the EU AI Act both made covered entities/deployers liable for third-party AI tools' outputs — which means procurement is now responsible for whether the vendor's AI discriminates, leaks, or breaks.

The result: every Fortune 1000 procurement team is improvising an AI questionnaire on a moving deadline. We see fifteen different versions of it across customer deals every month. Many are bad. The 50 questions in this template are the ones that actually matter — distilled from CSA AI-CAIQ, Shared Assessments SIG AI, OWASP Top 10 for Agentic Applications coverage, and patterns from procurement RFPs we see in flight.

The 8 domains the 50 questions cover

The template groups questions by what they evaluate. Each domain has a weight; the template's auto-scoring tab computes a total out of 100.

Domain Question count Weight
1. Model & training data 5 10%
2. Agent architecture & execution 7 13%
3. Identity, access, and credentials 5 10%
4. Data security, privacy, residency 6 12%
5. Audit, logging, evidence 6 12%
6. Incident response & kill switches 4 10%
7. Compliance certifications 6 13%
8. Operational & integration 11 20%
Total 50 100%

The weights reflect what actually predicts post-deployment risk in our experience — not the easy-to-answer questions vendors love, but the operationally hard ones.

Ten sample questions (the full 50 are in the download)

A taste of what's in the template. Each question is scored 0-3 with a defined rubric (no answer / weak / acceptable / strong) — so two evaluators score the same vendor consistently.

From Domain 2 — Agent architecture

Q11. How does your product govern agent-to-agent (A2A) communication, and how are messages between agents signed, inspected, and audited?

A strong answer references signed agent identities, message inspection at the bus, and a queryable audit trail of A2A exchanges. A weak answer says "agents talk to each other through our API" without mentioning identity, signing, or inspection. Most vendors today score 0-1 here because the OWASP ASI07 risk category was named less than a year ago and few products were built with it in mind.

From Domain 3 — Identity

Q19. How are agent identities provisioned, scoped, and revoked? Are agents using user tokens, fleet-wide service accounts, or per-agent workload identities?

This is the single highest-signal question for predicting future incident severity. A vendor running on per-agent workload identity with capability-scoped tokens is in a different operational class than a vendor running everything off a shared OAuth grant. The procurement scorecard should reflect that.

From Domain 5 — Audit

Q28. For a single user task involving at least one agent, two tool calls, and one A2A handoff, can you demonstrate a complete audit trail in a single search?

Live demonstration question — the kind you ask in the vendor demo, not the kind they answer on a form. The template includes notes for the buyer's procurement lead on which questions to ask live.

From Domain 6 — Incident response

Q34. Walk us through your kill switch in a live production incident. How long does mean-time-to-kill take? What happens to in-flight tool calls when the kill fires?

Scored against five components: single control-plane operation, in-flight tool call cancellation, per-agent (not per-fleet) scoping, watchdog tombstoning, and monthly drill cadence. Most vendors have one or two; few have all five.

From Domain 7 — Compliance

Q41. What audit and compliance reports does your product generate, mapped to which frameworks? Show us an audit export for ISO 42001 A.8.24.

The live "show us" version of the question. Vendors who built the audit story can produce the export in five minutes; vendors who didn't will offer to "follow up." The template flags which questions get the "show us" follow-up.

From Domain 8 — Operational

Q44. What is your p99 inline inspection latency in production, customer-observed, not vendor-stated?

Sub-50ms is the threshold for inline deployment without breaking the productivity case. Above 100ms users will route around it under load. Above 300ms is unworkable. Ask for the customer-observed number, not the marketing one.

The other 44 questions are in the download.

How to actually use this in procurement

Two patterns we see work well at customer enterprises:

Pattern 1 — Use it as the first-pass filter. Before you let an AI vendor into the sales cycle, send the template. Give them 10 business days to return it filled out. Score it. Anyone below 60/100 doesn't get a demo slot. Saves your security team hours of demo time on vendors who couldn't pass procurement anyway.

Pattern 2 — Use it as the contractual baseline. Whichever vendor you select, the questionnaire becomes Exhibit A in the MSA. Vendor commits to maintaining or improving their score over the contract term. Material score regressions trigger contractual remedies. This is the model SOC 2 contractual incorporation has used for a decade; we're applying it to AI vendor security.

The template ships with both workflows documented in the instructions tab.

Download the questionnaire

Download the 50-question AI Vendor Security Questionnaire (Excel, free) — 4-field form, instant access, scoring rubric included.

FAQ

How is this different from CAIQ or the Shared Assessments SIG?

CAIQ and SIG are general infosec questionnaires with new AI sections being added in 2026. This template focuses entirely on AI-specific questions and is aligned to the OWASP Top 10 for Agentic Applications. Use both: SIG/CAIQ for general infosec, this template for the AI-specific layer.

Is the template free?

Yes. Free download in exchange for a work email. We use the email to send updates when the questionnaire version changes (we expect minor updates every 6-12 months as the OWASP framework evolves).

Will AccuroAI score my vendors for me?

Not as part of this template. If you'd like AccuroAI to run an evaluation against vendors in your shortlist, book a 30-minute working session.

Can I modify the template?

Yes. The Excel template is unlocked. Add domains, adjust weights, change rubrics — make it fit your procurement workflow. The 50 questions are a strong starting point, not a finished policy.

How often will the template update?

We expect to release a v2 in early 2027 after the OWASP Agentic Top 10 anniversary refresh and after Gartner publishes its expected AI-SPM Market Guide. Subscribers to the download list get the new version automatically.

What if a vendor refuses to answer?

A vendor that refuses to answer at procurement stage will refuse to answer when something breaks. Treat the refusal as the answer.

Related reading: The Enterprise Agent RFP: 30 Procurement Questions Every AI Vendor Must Answer in Late 2026 · AI-SPM Buyer's Guide 2026 · Pillar Hub: AI Compliance Evidence.

See AccuroAI in action.
30-minute demo tailored to your top AI risk.
Book a demo
More from the blog
CEO Opinion · AI Regulation
Board & CISO Narrative · 9
We're Underregulating AI Agents. The Bill Is Coming Due.
Tabletop · IR Kit
Agentic AI Governance · 8
Run an AI Incident Tabletop This Quarter: A Three-Scenario Kit for Security Teams
CEO POV · Risk Calculator
Board & CISO Narrative · 9
How Much Is Your Unaudited AI Agent Surface Costing You? A 2026 Risk Calculator for CISOs
See AccuroAI in action.

Book a 30-minute demo and see how security teams use AccuroAI to discover, govern, and protect every AI asset across their organization.

Book a demoTalk to security