Executive Summary
77% of organizations identified AI-related security breaches in the past year (HiddenLayer AI Threat Landscape Report, 2024), yet standard security questionnaires don't cover AI-specific risks. The SIG 2024 update added a dedicated AI risk domain based on NIST AI RMF, but most organizations still use inadequate assessment tools.
This questionnaire synthesizes requirements from SIG 2024, MITRE ATLAS, OWASP LLM Top 10, and the EU AI Act into 80+ questions across 8 categories. Organizations using security AI and automation extensively incur $2.2M less in breach costs than those without (IBM 2024).[1]
Download the Complete AI Security Questionnaire
80+ questions aligned with SIG 2024, MITRE ATLAS, OWASP LLM Top 10, and EU AI Act. Excel format with scoring rubric and evidence requirements.
Download Free TemplateIn This Guide
Why AI-Specific Questionnaires Matter
Traditional security questionnaires like SIG, CAIQ, or custom forms focus on IT infrastructure: network security, access controls, encryption, incident response. These remain essential, but AI systems introduce entirely new risk categories that standard assessments don't cover.
The Evidence Gap
Organizations identified breaches to their AI systems in the past year (HiddenLayer 2024)[2]
Experienced third-party data breach or security incident (Prevalent TPRM Study 2024)[3]
Standard vs. AI-Specific Assessment
| Traditional Security | AI-Specific Security | Framework |
|---|---|---|
| Input validation (SQL injection) | Prompt injection defenses | OWASP #1 |
| Data encryption at rest | Training data governance | ATLAS |
| Access control policies | Model capability restrictions | NIST AI RMF |
| Output sanitization | Hallucination detection | NIST 600-1 |
| Software SBOM | ML-BOM / AI-BOM | CycloneDX |
| SOC 2 / ISO 27001 | EU AI Act / ISO 42001 | EU AI Act |
| Penetration testing | AI red teaming | ATLAS |
SOC 2 alone isn't enough for AI systems. According to IBM's 2024 Cost of Data Breach Report, organizations using security AI and automation extensively detected and contained breaches 98 days faster and saved $2.2 million compared to those without.[1]
Framework Alignment
This questionnaire aligns with the major AI security frameworks. The SIG 2024 update added a dedicated AI risk domain—the first major vendor questionnaire to do so.[4]
SIG 2024
New AI risk domain added with Supply Chain Risk Management. 600+ questions across 21 risk categories. AI domain based on NIST AI RMF.[4]
Shared AssessmentsMITRE ATLAS
Adversarial Threat Landscape for AI Systems. Knowledge base of tactics and techniques from real-world attacks and AI red teams.[5]
MITRE CorporationOWASP LLM Top 10
Updated 2025 with 10 critical security risks including prompt injection (#1), sensitive information disclosure, and supply chain vulnerabilities.[6]
OWASP FoundationNIST AI RMF + 600-1
AI Risk Management Framework with Generative AI Profile. 72 subcategories across GOVERN, MAP, MEASURE, MANAGE functions.[7]
US GovernmentFramework Gap Alert
Analysis of AI model documentation from 5 frontier models and 100 Hugging Face model cards identified 947 unique section names with extreme naming variation—usage information alone appeared under 97 different labels. Standardization is essential.[8]
Question Categories
The GLACIS AI Security Questionnaire covers eight categories, each mapped to the relevant frameworks:
Model Security
Prompt injection, jailbreaking, output filtering, adversarial robustness
Data Governance
Training data, customer data handling, retention, PII/PHI protection
Compliance & Regulatory
EU AI Act, NIST AI RMF, ISO 42001, industry-specific requirements
Supply Chain
Model provenance, ML-BOM, third-party dependencies, attestations
Bias & Fairness
Bias testing, discrimination audits, fairness metrics, documentation
Transparency
Model cards, system documentation, disclosure requirements
Operational Security
Monitoring, incident response, human oversight, model updates
Red Teaming
Adversarial testing, vulnerability assessment, remediation tracking
Model Security Questions
These questions assess defenses against attacks targeting the AI model itself, aligned with OWASP LLM Top 10 and MITRE ATLAS.
Model Security
OWASP • ATLASMS-1: What defenses are in place against prompt injection attacks? Describe both direct and indirect injection protections.
MS-2: How are jailbreaking attempts detected and prevented? What testing has been performed against known jailbreak techniques?
MS-3: What output filtering is applied before responses are returned to users? Are outputs scanned for harmful content, PII, and policy violations?
MS-4: How is the system prompt protected from extraction? What evidence demonstrates its effectiveness?
MS-5: What controls prevent the model from taking unauthorized actions (tools, APIs, system access)? How are capabilities restricted?
MS-6: How is the model protected against adversarial inputs designed to cause incorrect outputs (adversarial examples)?
MS-7: What rate limiting, abuse prevention, and anomaly detection measures are implemented?
MS-8: Has the system undergone AI red teaming? Provide summary findings and remediation status.
MS-9: How are multi-turn attacks and conversation manipulation detected and prevented?
MS-10: What safeguards prevent the model from generating hallucinated or fabricated information?
Data Governance Questions
These questions assess how data is handled throughout the AI lifecycle, from training to inference.
Data Governance
NIST • EU AI ActDG-1: What data is used for training/fine-tuning? Is any customer data used? Provide complete data provenance documentation.
DG-2: How is customer data isolated from other customers (multi-tenancy controls)? What prevents cross-tenant data leakage?
DG-3: What is the data retention policy for user prompts and model outputs? How is deletion enforced?
DG-4: Can customers opt out of data being used for training? How is this enforced and audited?
DG-5: What PII/PHI detection is performed on inputs and outputs? What redaction or masking is applied?
DG-6: How is training data provenance documented? Is the origin of all training data known and verified?
DG-7: What controls prevent training data poisoning attacks?
DG-8: For healthcare: Is there a BAA available? What PHI protections are in place?
DG-9: What controls exist to prevent the model from memorizing and reproducing training data (extraction attacks)?
Supply Chain & Provenance Questions
Supply chain risk is a critical blind spot. In 2024, a supply chain compromise of a published AI library led to users unknowingly installing cryptocurrency mining malware. Only 24% of organizations apply comprehensive evaluations to AI-generated code.[9]
Supply Chain
OWASP • ATLASSC-1: What is the provenance of the AI model(s) used? Are they custom-trained, fine-tuned, or third-party?
SC-2: Is an ML-BOM (Machine Learning Bill of Materials) maintained? Does it include datasets, models, and code dependencies?
SC-3: How are third-party AI models validated before use? What security testing is performed?
SC-4: What controls protect against backdoored or trojanized models?
SC-5: Are cryptographic attestations used to verify model and data integrity (SLSA, Sigstore)?
SC-6: How are model updates verified and tested before deployment?
SC-7: What visibility exists into Nth-party dependencies (your vendor's vendors)?
Bias & Fairness Questions
Bias audits are now a regulatory requirement. NYC Local Law 144 requires independent bias audits before using AI in hiring, with penalties of $500–$1,500 per violation per day. Audits typically cost $20,000–$75,000 depending on system complexity.[10]
Bias & Fairness
EU AI Act • NYC LL144BF-1: Has the system undergone independent bias testing? Provide audit results for protected characteristics (gender, race, age, disability).
BF-2: What fairness metrics are used (demographic parity, equalized odds, individual fairness)? How are thresholds determined?
BF-3: How is training data evaluated for representativeness and potential bias amplification?
BF-4: What bias mitigation techniques are applied (pre-processing, in-processing, post-processing)?
BF-5: Is bias monitoring continuous? How often are bias metrics recalculated in production?
BF-6: What tools are used for bias detection (IBM AI Fairness 360, Microsoft Fairlearn, Aequitas)?
BF-7: How are bias incidents reported, investigated, and remediated?
Transparency & Model Cards
California's new AI disclosure law (2025) requires transparency reports with penalties up to $1 million per violation. The EU AI Act Article 50 establishes transparency requirements extending to businesses outside the EU using AI within the EU.[11]
Transparency
EU AI Act • CA SB 1047TR-1: Is a model card available? Does it include intended uses, limitations, training data summary, and evaluation results?
TR-2: Is documentation available in machine-readable format (JSON) for programmatic analysis?
TR-3: Are users notified when they are interacting with an AI system (disclosure requirements)?
TR-4: Is safety evaluation documentation publicly available? What testing methodology is described?
TR-5: How is documentation updated when the model is substantially revised?
TR-6: What information is disclosed about model capabilities, limitations, and known failure modes?
Compliance & Regulatory Questions
These questions assess alignment with AI-specific regulations and standards. Financial services leads AI governance adoption, with FS-ISAC publishing dedicated AI vendor assessment guidance and major banks implementing formal AI risk classification frameworks.[13]
Compliance & Regulatory
EU AI Act • NIST • SIGCR-1: How is the system classified under the EU AI Act? What compliance measures are in place for that risk tier?
CR-2: Is the organization aligned with NIST AI RMF? Describe implementation status across all four functions.
CR-3: Is the organization ISO 42001 certified or pursuing certification?
CR-4: How does the organization comply with the Colorado AI Act safe harbor provisions?
CR-5: What documentation is maintained for regulatory compliance (risk assessments, impact assessments, conformity assessments)?
CR-6: Are there any pending regulatory actions or findings related to AI systems?
CR-7: What industry-specific AI regulations apply (healthcare, financial services, employment)?
CR-8: How are regulatory changes monitored and incorporated into the system?
Operational Security Questions
These questions assess ongoing security operations and human oversight.
Operational Security
NIST • SIGOS-1: What monitoring is in place for AI system behavior? What metrics are tracked and alerted on?
OS-2: How are AI-related security incidents detected, triaged, and responded to? Is there an AI-specific incident response plan?
OS-3: What human oversight exists for AI decisions? When is human review required?
OS-4: How is model drift monitored? What triggers model review or retraining?
OS-5: What audit logging is maintained? How long are logs retained? Are they tamper-evident?
OS-6: Can customers access logs of AI interactions with their data?
OS-7: What is the process for reporting AI safety concerns (internal and external)?
OS-8: How are AI model updates tested before deployment? What rollback capabilities exist?
Scoring & Evaluation
Use this scoring framework to evaluate vendor responses. Each question should be scored based on both the control maturity and the evidence quality provided.
| Score | Criteria | Evidence Required | Action |
|---|---|---|---|
| 4 | Comprehensive controls with continuous monitoring | Documented, tested, audited | Accept |
| 3 | Controls in place, some evidence gaps | Documented, partially tested | Accept with monitoring |
| 2 | Some controls, significant gaps | Partial documentation | Remediation required |
| 1 | Few controls, major gaps | Minimal or no evidence | Material remediation |
| 0 | No controls or evidence | None | Reject |
Category Weights
Adjust weights based on your risk profile. These defaults reflect a balanced approach:
Red Flags
Watch for vendors who claim "we use [major provider] so we inherit their security" without demonstrating application-layer controls. LLM security requires layered defenses. Also flag vendors who can't answer basic questions about prompt injection or training data governance.
Need Help Assessing AI Vendors?
Our Evidence Pack Sprint includes vendor security assessment templates, scoring frameworks, and expert review of vendor responses. Get compliance-ready vendor documentation.
Learn About the Evidence PackReferences
- [1] IBM. "Cost of a Data Breach Report 2024." July 2024. ($4.88M average, $2.2M savings with AI)
- [2] HiddenLayer. "AI Threat Landscape Report." March 2024. (77% identified AI breaches)
- [3] Prevalent. "Third-Party Risk Management Study." 2024. (61% third-party breaches)
- [4] Shared Assessments. "SIG 2024: Key Updates and Considerations." 2024.
- [5] MITRE Corporation. "MITRE ATLAS: Adversarial Threat Landscape for AI Systems." 2024.
- [6] OWASP Foundation. "OWASP Top 10 for Large Language Model Applications." 2025.
- [7] NIST. "AI Risk Management Framework (AI RMF 1.0)." January 2023.
- [8] "AI Transparency Atlas: Framework, Scoring, and Real-Time Model Card Evaluation Pipeline." arXiv, 2024.
- [9] ReversingLabs. "Secure Your AI Supply Chain with the ML-BOM." 2024.
- [10] NYC Department of Consumer and Worker Protection. "Local Law 144: Automated Employment Decision Tools." 2023.
- [11] California Legislature. "Transparency in Frontier AI Act (SB 53)." 2025. ($1M per violation)
- [12] Venminder. "State of Third-Party Risk Management 2025 Survey." 2025.
- [13] FS-ISAC. "Generative AI Vendor Risk Assessment Guide." February 2024.
Disclaimer: Statistics cited are from third-party research and may be subject to methodology limitations. All figures reflect data available as of publication date (December 2025). Organizations should conduct independent verification for compliance or legal purposes. This guide is for informational purposes only and does not constitute legal advice.