AI Section of a Security Questionnaire: What to Write
Your EU customer sent a security questionnaire. There is an AI section. It is blank. Here is exactly what they are asking for, what documents answer it, and how to build a reusable package so you never rewrite from scratch again.
Enterprise and mid-market companies in the EU now routinely add an AI section to their vendor security questionnaires. This happens because procurement teams, DPOs, and security officers need to understand what AI is doing inside the tools they sign contracts with, and because the EU AI Act (Regulation 2024/1689) has kept AI documentation on every legal team's radar since February 2025.
The problem for SaaS founders: the AI section arrives mid-deal. You have 48 hours, you have no compliance officer, and you have never written a model card in your life. This guide gives you the full picture.
What the AI section actually asks
Across vendor security questionnaires (SIG Lite, CAIQ, ISO 27001 vendor assessments, and custom enterprise forms), the AI section covers the same 8 to 12 questions. Here are the most common ones, with the answer each maps to.
The three documents that answer every AI section
Every question above maps to one of three documents. Build these once per AI system, and you can answer any security questionnaire without rewriting.
| Document | What it covers | Questions it answers |
|---|---|---|
| Model Card | System ID, purpose, architecture, providers, inputs/outputs, data governance, human oversight, transparency, contact | Q1, Q2, Q3, Q4, Q6, Q8, Q10 |
| Risk Assessment | EU AI Act classification, risk identification, mitigation measures, monitoring plan | Q5, Q9 |
| Compliance Summary | One-page overview, obligations checklist, transparency disclosure, validity date, audit contact | Q5, Q7, Q10 |
When a customer asks for "AI documentation," attaching these three PDFs closes the question. The procurement team forwards them to the DPO. The deal moves.
Generate your three AI documents in 5 minutes
Answer 15 questions about your AI system. Get your Model Card, Risk Assessment, and Compliance Summary as ready-to-send PDFs, reusable across every questionnaire.
Why you cannot answer the AI section without a model card
Most founders try to fill the AI section manually, from memory, in the questionnaire portal. Three problems with this:
- The next customer asks the same questions differently. You rewrite. Then a third customer. Each rewrite takes 2 to 4 hours and introduces inconsistencies between your answers.
- The answers are not signed or dated. A DPO reviewing vendor compliance needs a document with a validity date they can attach to the vendor file. A text box answer does not satisfy audit requirements.
- You answer from memory, not from a documented source of truth. If the DPO follows up asking for the actual documentation behind the answers, you have nothing to send.
A model card solves all three. It is the source of truth, written once, attached to every questionnaire, updated when your system changes.
EU AI Act obligations relevant to the AI section
Customers ask about the EU AI Act because their legal teams do. Here is what applies to most SaaS products using third-party models:
Article 50: Transparency (in force since February 2025)
- Art. 50.1: If your product includes a chatbot or AI assistant that interacts with users, you must inform users they are interacting with AI. Disclosure must be clear and upfront.
- Art. 50.2: If your product generates text, images, audio, or video, you must mark the content as AI-generated (metadata, watermark, or explicit label).
- Art. 50.3: Deepfakes (synthetic representations of real people) require explicit disclosure.
High-risk classification (Annex III), delayed to December 2027
If your system makes decisions on employment, credit scoring, essential services, biometrics, or education evaluation without human validation, you fall under Annex III. Full high-risk obligations (conformity assessment, EU database registration, etc.) apply from December 2027 per the EU Digital Omnibus amendment.
Article 6.3 exemption
If your system performs a preparatory task and a human reviews the output before any decision is acted on, you may qualify for the Article 6.3 exemption, which removes you from the high-risk category even if your use case matches Annex III. This needs to be documented in your Risk Assessment.
What "validity date" means and why it matters
Enterprise customers increasingly require AI documentation to carry a validity date, similar to a security certificate or penetration test report. A document dated 2025 presented in a 2027 renewal is likely to trigger a follow-up request for updated documentation.
The practical implication: your model card and risk assessment should be re-issued at least annually, or whenever you change your AI system (new model provider, new data inputs, new use case). Keeping documentation current is part of what distinguishes a one-time checkbox response from real AI governance.
How to build a reusable AI documentation package
- Identify each AI system you operate. One model card per system, not per feature. If you use GPT for document generation and a separate ML model for classification, those are two systems requiring two model cards.
- Run a 15-question classification. This determines your EU AI Act risk level and the applicable articles, which is the answer to Q5 in every security questionnaire.
- Generate the three PDFs. Model Card, Risk Assessment, Compliance Summary. Store them in a shared drive folder you can access mid-deal.
- Set a review reminder. When you change your AI stack, update the documents. When the calendar year turns, re-issue with a new validity date.
- Attach, do not retype. For every security questionnaire, answer Q1–Q4 with a sentence, then write "full documentation attached" and send the PDFs. You are done.
Already have a questionnaire waiting?
Answer 15 questions about your AI system and receive Model Card, Risk Assessment, and Compliance Summary as PDFs, with a validity date your customer's DPO can file. One-time payment, no subscription.
Sources
- Regulation (EU) 2024/1689 on Artificial Intelligence, EUR-Lex
- EU Digital Omnibus, May 2026, high-risk obligations delayed to December 2027
- Article 50 transparency obligations, in force since 2 February 2025
- SIG Lite questionnaire (Shared Assessments), AI/ML section
- CSA CAIQ v4, AI trust controls