
The Enterprise Agent RFP: 30 Procurement Questions Every AI Vendor Must Answer in Late 2026

Enterprise security questionnaires now have an AI section, and most vendors fail it. This is the 30-question RFP framework — mapped to OWASP, NIST, ISO 42001, EU AI Act, and CSA AI-CAIQ — that procurement teams are starting to standardize on, with what a good answer looks like for each.

Priya Sundaram
Buyer's Guides
2026-05-04

Enterprise procurement teams have added an AI section to every security questionnaire — and most vendors are failing it. The questions converge: how is the model hosted, what training opt-outs apply, how are agent identities scoped, where is data residency, what audit trail exists, how is the kill switch operated, what compliance evidence is produced. This guide is the consolidated 30-question RFP — mapped to OWASP Top 10 for Agentic Applications, NIST AI RMF, ISO 42001, EU AI Act, and CSA AI-CAIQ — with a worked example of what a good answer to each looks like. Use it on both sides of the table: procuring AI capabilities, or being procured for them.


Why this list exists now

Three things happened in parallel during the first half of 2026:

  1. CSA shipped AI-CAIQ (the AI extension to the Consensus Assessments Initiative Questionnaire), mapped to the AICM 243-control matrix. It won the 2026 CSO Award.
  2. Shared Assessments updated SIG to include AI-specific modules. Enterprise procurement teams now ship SIG Lite (128 questions) or SIG Core (627 questions) with AI sections.
  3. Practitioner discussions on LinkedIn and Security Boulevard converged on the same complaint: vendors couldn't answer the new sections. "Your security questionnaire grew an AI section and our vendors can't answer it" became the canonical practitioner quote of Q2 2026.

Underneath the noise, the questions are converging. Whatever procurement template you use — CSA AI-CAIQ, SIG, Shared Assessments, custom internal — the underlying questions hit the same operational concerns. This list is the consolidated set.

Use it as a buyer to standardize your asks. Use it as a vendor to know what you'll be asked and what a strong answer looks like. Most importantly: use it as a CISO/CIO to evaluate where your own AI program would score under outside scrutiny.


The 30 questions, organized into seven domains

Domain 1 — Model and training data (Q1-5)

Q1. Which underlying models does your product use, by version, and how is hosting structured?

Maps to: NIST AI RMF MAP-1.5, EU AI Act Art. 25, CSA AICM AI-MOD-01.

Good answer: Specific model names and versions (e.g., "Claude Sonnet 4.6 for primary inference; on-prem Llama 3.3 for sensitive-data inference"). Hosting jurisdictions named. Vendor-managed vs customer-managed clear. Model-pinning policy stated.

Weak answer: "We use industry-leading models." Hosting "in the cloud."

Q2. Is customer data used to train models? Under what conditions can it be?

Maps to: NIST MEASURE-2.10, ISO 42001 A.7.4, EU AI Act Art. 10.

Good answer: Default no. Opt-in only with explicit signed addendum. Even with opt-in, training data isolated from cross-customer models. Specific data-handling addenda available.

Q3. What is the retention policy for prompts, completions, and embeddings, including during incident response?

Good answer: Specific retention durations by data class. Customer-configurable retention floors. Encrypted at rest with customer-held keys where applicable. Forensic-snapshot access controlled and logged.

Q4. What evaluation, red-teaming, and bias testing has each model passed before being placed in your product?

Maps to: NIST MEASURE-2.8, ISO 42001 A.8.4, EU AI Act Art. 15(3).

Good answer: Specific evaluation frameworks (HELM, BBQ, custom enterprise eval suites). OWASP Top 10 for Agentic Applications coverage. Bias and fairness test results available on request. Red-team cadence stated.

Q5. What is your model update / version management policy, and how do you handle a major-version change?

Good answer: Customer notification window. Rollback path. Pinning available for regulated workloads.


Domain 2 — Agent architecture and execution (Q6-12)

Q6. Does your product run autonomous agents, semi-autonomous agents, or human-in-the-loop only?

Maps to: EU AI Act Art. 14, Berkeley AILCCP, OWASP Agentic Top 10 ASI09.

Good answer: Categorized clearly. If agents are autonomous, the autonomy tier per use case is documented (cf. Phil Venables' "autonomy tiers" framework).

Q7. What tools or systems can your agents call, and how is that surface controlled?

Maps to: OWASP ASI02, ISO 42001 A.8.24.

Good answer: Allowlisted tool registry. Per-customer tool scoping. Customer-controlled tool grants. AI Bill of Materials available for review.

Q8. How is agent-to-agent (A2A) communication signed, inspected, and audited?

Maps to: OWASP ASI07, NIST MEASURE-2.

Good answer: Signed identities per agent. Message inspection at the bus. Audit trail of every A2A exchange. (Many vendors will fail here — A2A is the newest of the OWASP categories.)

Q9. What are the maximum action permissions an agent can hold without explicit human authorization?

Maps to: EU AI Act Art. 14, OWASP ASI03.

Good answer: Specific thresholds by action class. Configurable per-customer. Examples of actions requiring escalation.

Q10. How are agent memory writes attributed, signed, and revoked?

Maps to: OWASP ASI06.

Good answer: Every memory write has a provenance signature (user, agent identity, session). Customer-controlled retention. Selective memory purge available.

Q11. What MCP servers does your product use or expose, and how are they governed?

Maps to: OWASP ASI04, CSA AICM.

Good answer: Signed registry. Pinned versions. AIBOM available. Tool descriptions inspected. Tool responses inspected.

Q12. How does your agent respond to indirect prompt injection in tool responses, documents, or web content?

Maps to: OWASP ASI01, NIST MEASURE-2.

Good answer: Inline inspection of every input the agent reads. Detection signatures named. Documented behavior on injection detection (block, redirect, redact, log).


Domain 3 — Identity, access, and credentials (Q13-17)

Q13. How are agent identities provisioned, scoped, and revoked?

Maps to: NIST MAP-3, ISO 42001 A.5.10, EU AI Act Art. 9(4).

Good answer: Per-agent workload identity. Not the user's token. Capability-scoped, time-bounded. Revocation atomic across the control plane.

Q14. How is the customer's IdP integrated for SSO and SCIM?

Good answer: Okta, Entra, Ping, custom OIDC supported. SCIM v2 for user provisioning. Group-based authorization mapping.

Q15. What is your model for credential storage and rotation?

Good answer: Customer credentials encrypted with customer-controlled KMS. Rotation API available. Secrets never logged in plaintext.

Q16. How do you support break-glass / emergency-access scenarios?

Good answer: Time-bounded, audit-logged, requires multi-party approval. Documented procedure.

Q17. How are non-human identities and machine accounts modeled?

Maps to: Saviynt CISO AI Risk Report, RSAC 2026 agent identity track.

Good answer: NHI is a first-class concept. Each agent has its own NHI. Lifecycle is automated. Identities and secrets are managed separately.


Domain 4 — Data security, privacy, and residency (Q18-21)

Q18. What is the data residency story for prompts, completions, embeddings, and audit logs?

Maps to: GDPR Art. 32, EU AI Act Art. 10, sector-specific (HIPAA, PCI).

Good answer: Customer-selectable region. Specific data centers named. No cross-region data movement without explicit customer authorization. EU-only deployment available.

Q19. What inline DLP and PII detection runs on prompts and responses?

Maps to: OWASP ASI01 + ASI06, ISO 42001 A.8.24.

Good answer: Specific data class detection (PII, PHI, financial, source code, credentials). Detection accuracy with stated false-positive rate. Customer-configurable rules. Redact/block/warn options.

Q20. How is sensitivity-label inheritance handled across prompts, responses, and mixed-source outputs?

Maps to: ISO 42001 A.8.5, Microsoft Purview readiness model.

Good answer: Labels propagate through the agent. Mixed-source outputs receive the highest label of any source. Downstream actions respect the label.

Q21. How do you respond to a data subject access request (DSAR), erasure request, or court order?

Maps to: GDPR Art. 15-17.

Good answer: Documented process. Per-user data extractable. Per-user data deletion possible with stated retention exceptions. SLA committed.


Domain 5 — Audit, logging, and evidence (Q22-25)

Q22. What is logged for every prompt, response, tool call, and policy decision?

Maps to: NIST MEASURE-2.4, ISO 42001 A.5.10/A.8.24, EU AI Act Art. 12.

Good answer: Full provenance: user, agent identity, model version, tool version, arguments (with sensitive data redacted), response hash, policy decision rationale. Logs are immutable, signed, and exportable.

Q23. How long are logs retained and where?

Good answer: Customer-configurable retention floor and ceiling. Customer-controlled archive destination available. Immutable retention for regulated workloads.

Q24. What audit and compliance reports does your product generate, mapped to which frameworks?

Maps to: ISO 42001 audit, EU AI Act Art. 11/12, NIST AI RMF MEASURE-2.

Good answer: Specific report templates mapped to ISO 42001 A.8.24, NIST AI RMF MEASURE-2 / MANAGE-2, EU AI Act Articles 9 / 11 / 12 / 15. Customer-runnable on demand.

Q25. Show me a complete audit trail for a single user task that involved at least one agent, two tool calls, and one A2A handoff.

Good answer: Single search query produces the full chain in under 10 seconds. Provenance fields populated. Logs are reproducible across redeploys.
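
What a Q22/Q25 answer can look like in practice, as an added example (not AccuroAI's or any vendor's code): a hash-chained, signed event log carrying the Q22 provenance fields, plus the single-task query Q25 asks for. The field names, the sample events, and the use of HMAC with a demo key are assumptions made for illustration; a production system would typically use asymmetric signatures with keys held in a KMS or HSM.

```python
import hashlib, hmac, json

# Constructed demo key (assumption); a real deployment keeps the key in a KMS/HSM.
SIGNING_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64

def _seal(body: dict) -> tuple:
    """Hash the canonical JSON of a record body, then HMAC-sign the hash."""
    h = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return h, hmac.new(SIGNING_KEY, h.encode(), hashlib.sha256).hexdigest()

def append(log: list, **fields) -> dict:
    """Append a record chained to its predecessor's hash."""
    body = dict(fields, seq=len(log), prev=log[-1]["hash"] if log else GENESIS)
    h, sig = _seal(body)
    log.append(dict(body, hash=h, sig=sig))
    return log[-1]

def verify(log: list) -> int:
    """Return the index of the first altered or missing record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        h, sig = _seal(body)
        ok = (rec.get("prev") == prev and rec.get("seq") == i and h == rec.get("hash")
              and hmac.compare_digest(sig, rec.get("sig", "")))
        if not ok:
            return i
        prev = rec["hash"]
    return -1

def trail(log: list, task_id: str) -> list:
    """The Q25 query: every record for one task, in log order."""
    return [r for r in log if r.get("task_id") == task_id]

def build_sample_log() -> list:
    """Constructed events: one task with two tool calls and one A2A handoff."""
    log, c = [], dict(task_id="task-42", user="alice@example.com", model_version="model-x-1.0")
    append(log, event="prompt", agent="agent-a", **c)
    append(log, event="tool_call", agent="agent-a", tool="crm.lookup@1.2",
           args={"account": "[REDACTED]"}, decision="allow: tool on allowlist", **c)
    append(log, event="a2a_handoff", agent="agent-a", to_agent="agent-b", **c)
    append(log, event="tool_call", agent="agent-b", tool="mail.draft@3.0",
           args={"to": "[REDACTED]"}, decision="allow: within agent-b scope", **c)
    append(log, event="response", agent="agent-b",
           response_hash=hashlib.sha256(b"constructed completion").hexdigest(), **c)
    append(log, event="prompt", agent="agent-a", task_id="task-43",
           user="bob@example.com", model_version="model-x-1.0")
    return log
```

When evaluating a vendor, the equivalent checks are that an exported trail verifies end to end and that editing or dropping any record in the export is detected at that record.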


Domain 6 — Incident response and recovery (Q26-28)

Q26. Walk through your kill switch in a live incident.

Maps to: OWASP ASI10, EU AI Act Art. 14(4)(e).

Good answer: Single control-plane operation. Stops the agent identity, revokes outstanding tokens, drops bus subscriptions, denies egress — atomically and in seconds. In-flight tool calls are explicitly cancelled or quarantined. Sibling agents unaffected. Tested monthly with measured mean time to kill.

Q27. What is your incident reporting timeline under EU AI Act Article 73?

Maps to: EU AI Act Art. 73.

Good answer: 15 days for high-risk system serious incidents; shorter for critical-infrastructure or death/serious-injury. Documented runbook. Pre-prepared notification templates.

Q28. What detection signals fire on agent misbehavior, and how are they wired into the customer's SIEM?

Good answer: Named detection signal library (tool-call rate anomaly, tool description change, inline-inspection signature hits, agent egress anomalies, goal-drift). Native integrations with Splunk, Sentinel, Chronicle, Datadog.


Domain 7 — Compliance and certifications (Q29-30)

Q29. What certifications and attestations do you hold, and what is in scope?

Good answer: SOC 2 Type II (named auditors, current report date). ISO 27001. ISO 27017 / 27018. ISO 42001 (where current). HIPAA-aligned. PCI-aligned. EU AI Act-readiness self-attested with documentation.

Q30. Can we run a private pilot in our environment that produces evidence we can show our auditors?

Good answer: Yes, with a stated pilot scope, timeline, and what evidence the pilot will produce. Pilot evidence is portable; it doesn't expire when the pilot ends. Customer keeps the artifacts.


What a "good answer" actually looks like

Three structural traits, applied to every question:

  1. Specific. Names, numbers, dates, versions, jurisdictions. Not "industry-leading," "best-in-class," or "robust."
  2. Mapped. Every answer references the framework it supports — OWASP, NIST, ISO 42001, EU AI Act, CSA AICM, GDPR. Procurement teams' job is easier when the vendor pre-maps.
  3. Demonstrable. Every answer can be shown live in a demo or proven with an artifact (a SOC 2 report, an audit log export, a runbook). "Take our word for it" is not an answer.

If a vendor's answer to any of these 30 is "we'll get back to you," that's data.


How to use this list

If you're a buyer

  1. Use the 30 questions as your master AI RFP. Trim sections that don't apply (e.g., A2A questions for a vendor that doesn't do multi-agent).
  2. Score each answer 0-3 (no answer / weak / acceptable / strong). 60 points possible. Anything below 40 is a fail; above 50 is a contender.
  3. Run the live demo questions (Q25, Q26) in the actual demo. If they can't show, don't move forward.
  4. Insist on pilot evidence (Q30) before contract signature.

If you're a vendor

  1. Score yourself honestly against the list before any RFP arrives.
  2. Build the evidence artifacts (audit trail export, kill switch demo, mapping documents) before you need them. Producing under pressure is worse than producing in advance.
  3. Map your product capabilities to the OWASP/NIST/ISO/EU language. If you don't, the customer will, and they may map you wrong.

If you're an internal AI program owner

  1. Run the 30 against your own organization. Pretend you are being procured.
  2. Every "no" or "we'll get back to you" is a gap to close.
  3. Bring the scorecard to your AI risk committee. Most committees haven't seen what an outside RFP would surface.

What this looks like on AccuroAI

We score ourselves against this list publicly because we maintain it. We meet or exceed strong-answer criteria on 28 of 30. Two we're growing on: Q4 (we publish red-team results internally but not yet in a customer-portal artifact), Q24 (we have ISO 42001 + NIST AI RMF + EU AI Act report templates; the SOC 2 + HIPAA mapping templates are in development).

If you want to run this list against AccuroAI as a live exercise, book a 30-minute working session and we will go through all 30 with your procurement and security teams in the same call. The output is an evidence packet you can use whether or not you become a customer.


FAQ

What is CSA AI-CAIQ? The Cloud Security Alliance's AI extension to the Consensus Assessments Initiative Questionnaire (CAIQ). Maps to CSA's AI Controls Matrix (AICM), which has 243 controls across 18 domains. Won the 2026 CSO Award. Available free from CSA.

Is this list the same as Shared Assessments SIG? No. SIG Lite (128 questions) and SIG Core (627 questions) are broader information security questionnaires that now include AI sections. The 30-question list above consolidates the AI-specific subset across SIG, AI-CAIQ, and emerging RFP templates.

Should we use NIST AI RMF, ISO 42001, or EU AI Act as our framework? Use all three with one control library. See One Map to Rule Them All: A Unified Crosswalk Between NIST AI RMF, ISO 42001, and the EU AI Act.

Will this list become longer? Yes. The OWASP Agentic Top 10 and emerging regulator releases (UK AISI, Singapore IMDA agentic-AI framework, NIST agent identity standards) will add specifics. Treat this as a 2026 snapshot.

Is there a downloadable version? Yes — request it via the contact form on accuroai.co. PDF + Excel scorecard.


Sources: CSA AI Controls Matrix · CSA AICM 2026 CSO Award · Shared Assessments SIG (AI extensions) · Kognitos — Agentic AI RFP Template · Asteros — Your Security Questionnaire Now Has an AI Section · Security Boulevard — AI Security Questionnaires · OWASP Top 10 for Agentic Applications 2026.

Related: AI-SPM Buyer's Guide 2026 · One Map to Rule Them All: Unified Compliance Crosswalk · Guardian Agents Explained.
