Skip to content
Playbook
AdvancedHRPeopleOps

AI Vendor Due Diligence for HR: A 30-Question Procurement Standard

Half of HR AI vendor failures are predictable from the procurement conversation. Here is the 30-question standard top procurement and HR partnerships use to…

11 min read
On this page
60-Second Summary
  • Run AI vendor DD in five domains: model + data, governance, security, bias/fairness, contract terms.
  • Always ask for the model card, the most recent independent audit, and the incident history.
  • Demand contractual rights you'll actually need: audit access, data deletion, model retraining notice.
  • If three answers come back as 'proprietary, we can't share' — walk away.

Most HR AI buying decisions are made in a demo and finalised in a contract negotiation. By that point, the questions that would have surfaced the real risks were never asked. The 30-question due diligence standard below is what mature procurement and HR partnerships run before signing — and it filters out 30–50% of vendors with no extra cost beyond two diligence sessions.

Five domains

  • Model & data — what's under the hood and what feeds it
  • Governance — who is accountable, audited, and improving the system
  • Security & privacy — where your data goes and who can see it
  • Bias & fairness — evidence of testing, not assurances
  • Contract — your rights when things change or go wrong

Model & data

  1. What underlying model is used (foundation model + fine-tuning, classical ML, rules + LLM hybrid)?
  2. What data was the model trained / fine-tuned on?
  3. Is our data used to retrain the model? If yes, on what terms? If no, prove it.
  4. How often is the model retrained, and what's the change-notification process?
  5. Can you provide a model card or system datasheet?
  6. What inputs does the system use for our decisions? What is excluded?

Governance

  1. Who internally owns AI ethics? What is their reporting line?
  2. What independent audits have been performed in the last 12 months? Share the executive summaries.
  3. What incidents have you had? How were they detected, communicated, and resolved?
  4. What is your roadmap for EU AI Act compliance? NYC AEDT compliance? UK / Colorado / Illinois?
  5. Do you have customer advisory board input on model changes?

Security & privacy

  1. Where is data stored and processed? Which regions and sub-processors?
  2. ISO 27001 / SOC 2 Type II — share the latest report under NDA.
  3. GDPR DPA: standard contractual clauses, transfer impact assessment for non-adequate jurisdictions.
  4. Data retention: how long is candidate / employee data kept, in what form, and how is deletion verified?
  5. Encryption in transit and at rest; KMS approach.
  6. Penetration test cadence and remediation SLA.

Bias & fairness

  1. What demographic groups have you tested for disparate impact?
  2. What were the impact ratios in your most recent test? Share the report.
  3. What is your re-test cadence after a model change?
  4. What is your remediation path if disparate impact is detected at our deployment?
  5. Can we run our own audit using our own data and our own auditor?

Contract terms

  1. Right to audit the system annually, with reasonable notice.
  2. Notification of any material model change ≥60 days in advance.
  3. Data deletion on contract termination, with certification.
  4. Indemnification for IP infringement in generated outputs and for AI Act / AEDT non-compliance attributable to the vendor.
  5. Service-level agreement with credits for downtime and degraded performance.
  6. Exit clause if independent audit reveals material disparate impact unfixed within 90 days.
  7. Liability cap appropriate to the risk — many vendors propose 12 months of fees, which is inadequate for AEDT or AI Act exposure.
The three red flags

1) 'Our model is proprietary, we can't share details.' (You're deploying a black box into employment decisions.) 2) 'We've never had an incident.' (Either lying or not looking.) 3) 'Our audit is for our model, not your deployment.' (You'll be the one liable when it fails on your data.)

The shape of a good vendor conversation

Mature AI vendors come prepared with the model card, the audit summary, the DPA, and a candid incident log. They ask you about your governance, not the other way around. If the vendor cannot have this conversation, the vendor is not ready to be in your high-risk hiring funnel.

Written by Pawan Joshi.Sources cited inline.
First published 23 Jun 2026See site changelog →