Compliance, Governance & Risk
How to Answer the AI Section of a Security Questionnaire (2026)
Last verified against primary/authoritative sources: 2026-06-16. This is practical guidance and self-assessment material, not legal advice — see the note at the end.
Last verified against primary/authoritative sources: 2026-06-16. This is practical guidance and self-assessment material, not legal advice — see the note at the end.
A customer sends their standard vendor security questionnaire. You've filled out a dozen of these. SOC 2 posture, data residency, sub-processors, breach history — routine.
Except this one has a section you haven't seen before: an AI section. Do you use AI in delivering your service? Do you have an AI usage policy? Are your staff trained on responsible AI use? Can you evidence your AI risk assessment on request?
And suddenly a signed contract is waiting on answers you don't have written down.
This is now one of the most common ways an SMB deal stalls. Enterprise procurement has operationalised AI due diligence, and the AI section has spread into CAIQ-style, SIG-Lite-style and most internal vendor-risk templates — questions that simply didn't exist a couple of years ago. This guide gives you the structure of those questions, honest sample answers, and the one thing that turns a stalled deal into a one-paragraph reply: the dated file behind the answers.
First principle: they're not testing your AI. They're testing your governance.
The most common mistake is treating the AI section as a technical interrogation of your models. It isn't. The reviewer on the other side is a procurement or security analyst, and they're checking one thing: can you produce evidence that you've governed your AI use?
That distinction changes everything about how you answer:
- They don't want a clever explanation of how transformers work. They want to know there's an owner, a policy, a training record, and a risk assessment — and that you can show them.
- A blank, generic policy you downloaded last night doesn't help. They've seen it. What moves them is the populated, dated version that proves the policy is real.
- The single hardest answer to fake — and therefore the most valued — is the dated AI-literacy training record: who was trained, their role, and when.
So before you write a word, get honest about what you can actually evidence. (If you're not sure, our free, no-email AI Governance Readiness Check scores you against exactly these themes in a few minutes and runs entirely in your browser.)
The 8 questions the AI section almost always asks
The wording varies, but the AI section clusters into eight predictable themes. Here's each one, what they're really checking, and an honest sample answer you can adapt. Edit every answer to your facts — and only ever state what is true.
1. Do you use AI / machine learning in delivering your services?
What they're checking: whether you even know what AI is in use (including the AI features baked into the SaaS you already pay for).
"Yes. We use the following approved AI tools, governed by our AI Acceptable Use Policy: [list your tools]. Each is recorded in our AI Tool Inventory and Risk Register."
If you genuinely don't use AI, say so plainly — and add that any future adoption goes through your governance process. But inventory first: "shadow AI" (tools staff adopted individually) is the reason most "we don't really use AI" answers are wrong.
2. Do you have an AI usage / acceptable-use policy?
What they're checking: that a rulebook exists, is owned, and is current.
"Yes. We maintain an AI Acceptable Use Policy (v[X], effective [date]), owned by [name, role] and reviewed at least annually. Available under NDA."
A policy with no named owner and no date reads as theatre. The owner and the date are doing most of the work in this answer.
3. Are staff trained on responsible AI use?
What they're checking: the dated training record — the artifact, not a claim.
"Yes. Staff who use AI complete AI-literacy training aligned to EU AI Act Article 4, recorded in our AI-Literacy Training Record ([N] staff recorded as at [date])."
This is the question most vendors fail, because "we talked about it in a meeting" isn't a record. If you can't put a number and a date here, this is the gap to close first.
4. Do you maintain an AI risk assessment / register?
What they're checking: that you've thought about AI risk deliberately, with controls.
"Yes. We maintain an AI Tool Inventory and Risk Register, populated by use case and reviewed by the named owner, mapped to ISO/IEC 42001 and the NIST AI RMF."
A use-case-driven register with ratings and controls beats a generic list you wrote once and never reopened.
5. Do you input customer / personal data into AI tools?
What they're checking: data-handling discipline and UK GDPR awareness.
"Where personal or customer data is involved, use is governed by our AUP data-handling rules; we check each tool's retention and training settings and consider DPIA requirements under UK GDPR. We do not input special-category or client-confidential data into tools not approved for it."
If your honest answer is "we don't put personal data into AI tools," say that — it's often the stronger position.
6. Is there human oversight of AI output?
What they're checking: that a human is accountable, not the model.
"Yes. Our AUP mandates review of AI output by a competent person before it is used externally. AI assists; a human remains accountable."
7. Which frameworks / regulations do you align to?
What they're checking: maturity signals — and whether you'll overstate them.
"The EU AI Act (notably Article 4 on AI literacy), ISO/IEC 42001:2023, and the NIST AI Risk Management Framework 1.0. References are mapped throughout our governance file."
Critical honesty rule: say "aligned to ISO/IEC 42001," never "ISO 42001 certified," unless you actually hold an accredited certificate. The difference is material, checkable, and claiming certification you don't have is a contractual misrepresentation.
8. Do you use AI for high-risk decisions (hiring, credit, biometrics, emotion)?
What they're checking: whether you're doing something the EU AI Act treats as high-risk or restricted — without assessing it.
"No. Our declared AI uses do not include automated high-risk decisioning. Any future high-risk use would trigger our Deployer Impact Assessment first."
If the honest answer is yes and you haven't formally assessed it: stop. Don't answer this question until you've documented an impact assessment and obtained qualified professional review. This is the one area where a hasty answer can do real harm.
The cover sentence that frames the whole section
Before answering individual questions, paste a one-line summary at the top of the AI section. It tells the reviewer the evidence exists, which often shortens their follow-ups:
"[Organisation] maintains a documented AI governance file — an AI Acceptable Use Policy, a staff AI-literacy training record, an AI risk register, and an impact assessment — aligned to the EU AI Act (Article 4), ISO/IEC 42001 and the NIST AI RMF, owned by [owner, role] and reviewed at least annually. Supporting documents are available under NDA."
The one rule that protects you: only state what is true
Every answer in a security questionnaire is a contractual representation. Overstating your posture to close a deal isn't a clever shortcut — it's a breach waiting to surface in an incident, an audit, or a renewal. "We're maturing this; here's our plan, owner and date" is always safer than a claim you can't back up.
If an answer isn't true yet, the fix is to do the work — run the training session, populate the register — not to fake the answer. That's slower today and far cheaper than the alternative.
The shortcut: build the file once, answer in minutes forever
You can assemble all of this by hand from free templates — but free templates are blank, and the AI section is asking for the populated, dated version. That's the gap.
The AI Governance Pack was built specifically for this moment. You answer about 15 minutes of questions in your browser and it generates six tailored, dated, clause-mapped documents — including a Security-Questionnaire Answer Kit with ready-to-tailor versions of every answer above, plus the AI Acceptable Use Policy, the dated training record (and the ~1-hour training brief behind it), the pre-seeded risk register, and an impact assessment. It runs 100% client-side — nothing is uploaded — and it's £149 one-time, backed by a 60-day "put-it-in-place" money-back guarantee.
It won't make you "compliant" or "ISO 42001 certified" — no tool can, and we don't pretend otherwise. What it does is turn the next AI section from a deal-blocker into a paragraph you paste in.
Start free: run the AI Governance Readiness Check to see exactly which of the eight answers you can stand behind today.
FAQ
What is the AI section of a security questionnaire? A set of questions added to vendor security/due-diligence questionnaires (CAIQ-style, SIG-Lite-style, and internal templates) covering your AI usage policy, staff AI training, AI risk assessment, data handling and framework alignment. It exists because enterprise buyers now push AI-governance expectations down to their suppliers.
Do I need an AI policy to win enterprise deals? Increasingly, yes — not because of any single law, but because procurement teams ask for one in the questionnaire. The durable driver is your customers, not a regulatory deadline.
Can I just say we're "ISO 42001 compliant"? No. Say "aligned to ISO/IEC 42001" unless you hold an accredited certificate. Certification only comes from an accredited certification body, and overstating it in a questionnaire is a misrepresentation.
What's the single most important thing to have ready? A completed, dated AI-literacy training record — who was trained, their role, and when. It's the hardest thing to backfill and the artifact reviewers most want to see.
This article is practical guidance and self-assessment material, not legal advice, and its author is not a regulated law firm. It does not certify compliance with the EU AI Act, ISO/IEC 42001 or the NIST AI RMF. AI-assisted content; regulatory references verified against primary/authoritative sources on 2026-06-16 — re-verify before relying on them, and obtain qualified review for any high-stakes AI use.