Use case · Third-party AI assessment

Quantitative third-party AI risk. Not a 200-question form.

Vendor AI risk is the spreadsheet nobody wants to own. ShadowIQ scores vendors quantitatively, monitors them continuously, and produces contract-ready artifacts your Legal team can actually use.

What this is

Summary

Third-party AI risk assessment in ShadowIQ combines an automated vendor questionnaire with continuous signals (latency, PII handling, training-data policy, subprocessors, breach history) to produce a quantitative vendor risk score aligned to EU AI Act Article 25, NIST AI RMF, and SOC 2.

How it fits · explainer

The before / after, in one picture.

PROBLEM · BEFORE SHADOWIQ
Different teams assessing the same AI vendor differently.

SOLUTION · WITH SHADOWIQ
Quantitative scoring model reviewed with Big-4 advisory. Customizable weights; defaults aligned to EU AI Act Article 25.

PILLARS ENGAGED
Evaluate · Evidence
Where it hurts

You've heard this one before.

  • Different teams assessing the same AI vendor differently.
  • Legal reviewing AI contracts without a shared risk rubric.
  • No continuous monitoring — assessment is a point in time, not a relationship.
  • Subprocessor changes missed until an incident.
What we do about it

Three moves.

  1. One shared rubric.

     Quantitative scoring model reviewed with Big-4 advisory. Customizable weights; defaults aligned to EU AI Act Article 25.

  2. Continuous signals.

     Automated probes: latency, TLS configuration, training-data policy, subprocessors, public breach history — updated daily.

  3. Contract-ready artifacts.

     Assessment summary, SCC addenda, and DPA clauses generated from the score. Legal edits rather than drafting from a blank page.

Outcomes

Numbers, not adjectives.

  • 1 · shared rubric across teams
  • daily · continuous vendor signals
  • –60% · vendor review cycle time
Frequently asked

Asked, answered, sourced.

A weighted model across five pillars: data handling, model security, operational maturity, incident history, and contract posture. Each input is either a verified signal or a questionnaire answer — weights and formulas are visible and customizable.

Yes. We ingest SIG, CAIQ, and CAIQ-Lite. The ShadowIQ AI addendum (30 questions) is designed to plug into your existing TPRM tool (OneTrust, ProcessUnity, SecurityScorecard).

We monitor subprocessor pages, DPAs, and public filings; any change triggers a reassessment and a delta is added to the signed record. Legal is notified in ServiceNow or Jira.
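The two mechanisms described in the answers above, a weighted model across the five named pillars with visible and customizable weights, and a reassessment triggered by a change on a monitored vendor page whose delta is appended to the signed record, are sketched below as an added example. This is illustrative code, not ShadowIQ's own code or formula: the pillar names come from the page, while the 0-100 risk scale, the default weights, the hash-chained append-only record standing in for the signed record, and the vendor URL and page contents are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

# The five pillars named on the page. Scale, weights and chaining scheme
# below are assumptions for this illustration, not ShadowIQ's formula.
PILLARS = ("data_handling", "model_security", "operational_maturity",
           "incident_history", "contract_posture")

# Assumed default weights (sum to 1.0); the page says weights are customizable.
DEFAULT_WEIGHTS = {"data_handling": 0.30, "model_security": 0.25,
                   "operational_maturity": 0.15, "incident_history": 0.15,
                   "contract_posture": 0.15}

VALID_SOURCES = ("signal", "questionnaire")  # verified probe vs. vendor-supplied answer


@dataclass
class PillarInput:
    score: float  # assumed scale: 0 = lowest risk, 100 = highest risk
    source: str   # "signal" or "questionnaire"


def validate_weights(weights):
    """Reject weight sets that would silently distort the score."""
    if set(weights) != set(PILLARS):
        raise ValueError("weights must cover exactly the five pillars")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")


def vendor_risk_score(inputs, weights=DEFAULT_WEIGHTS):
    """Visible formula: total = sum(weights[p] * inputs[p].score).
    Returns (total, per-pillar contributions) so every input's effect is auditable."""
    validate_weights(weights)
    contributions = {}
    for p in PILLARS:
        if p not in inputs:
            raise ValueError(f"missing pillar input: {p}")
        inp = inputs[p]
        if not 0 <= inp.score <= 100:
            raise ValueError(f"{p}: score {inp.score} outside 0-100")
        if inp.source not in VALID_SOURCES:
            raise ValueError(f"{p}: unknown evidence source {inp.source!r}")
        contributions[p] = round(weights[p] * inp.score, 4)
    return round(sum(contributions.values()), 4), contributions


class AssessmentRecord:
    """Append-only, hash-chained assessment record (assumed scheme). Each entry
    commits to its predecessor's digest, so editing or dropping an earlier
    entry is detected by verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(fields):
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def append(self, kind, payload):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "kind": kind, "payload": payload, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or self._digest(fields) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def page_fingerprint(content):
    return hashlib.sha256(content.encode()).hexdigest()


def reassess_on_change(record, inputs, watched, last_seen, weights=DEFAULT_WEIGHTS):
    """Compare fingerprints of watched vendor pages with the last seen ones; on any
    change, rescore and append a delta entry. Returns the delta entry or None."""
    current = {url: page_fingerprint(body) for url, body in watched.items()}
    changed = sorted(u for u in current if current[u] != last_seen.get(u))
    if not changed:
        return None
    scored = [e for e in record.entries if e["kind"] in ("assessment", "delta")]
    previous_total = scored[-1]["payload"]["total"] if scored else None
    total, contrib = vendor_risk_score(inputs, weights)
    change = None if previous_total is None else round(total - previous_total, 4)
    delta = record.append("delta", {"trigger": changed, "total": total,
                                    "change": change, "contributions": contrib})
    last_seen.update(current)
    return delta


def run_demo():
    """Constructed scenario: an initial assessment, then a subprocessor-page edit."""
    inputs = {"data_handling": PillarInput(40, "signal"),
              "model_security": PillarInput(60, "questionnaire"),
              "operational_maturity": PillarInput(20, "signal"),
              "incident_history": PillarInput(10, "signal"),
              "contract_posture": PillarInput(50, "questionnaire")}
    record = AssessmentRecord()
    initial, contrib = vendor_risk_score(inputs)
    record.append("assessment", {"total": initial, "contributions": contrib})
    url = "https://vendor.example/subprocessors"  # constructed, not a real vendor
    watched = {url: "Subprocessors: CloudCo (EU)"}
    last_seen = {u: page_fingerprint(b) for u, b in watched.items()}
    if reassess_on_change(record, inputs, watched, last_seen) is not None:
        raise RuntimeError("no change should produce no delta")
    watched[url] = "Subprocessors: CloudCo (EU), NewAI Inc (US)"  # page changed
    inputs["data_handling"] = PillarInput(70, "signal")  # fresh data-handling signal
    delta = reassess_on_change(record, inputs, watched, last_seen)
    return initial, delta, record


if __name__ == "__main__":
    initial, delta, record = run_demo()
    print(initial, delta["payload"]["total"], delta["payload"]["change"], record.verify())
```

The scoring function returns per-pillar contributions alongside the total so that a reviewer can see which input moved the score, and the record rejects any entry whose digest or predecessor link no longer matches, which is the property a "signed record with deltas" needs even before a signature key is involved.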

Ready to see the signet in motion?

Your 30-minute demo. A signed audit trail by the end of it.

We'll wire ShadowIQ into one live workload, block a prompt injection in real time, and hand you a cryptographic receipt — before the meeting ends.