PLAYBOOK · 22 · CYBERSECURITY

Audit a vendor's AI policy in 5 minutes.

A checklist that flags the three clauses that actually matter for your data.

Advanced · 5 min · Tested Apr 24, 2026

Why this works

Vendor AI policies hide the important parts in data-use, training, subprocessors, and retention clauses.

A five-minute audit should classify risk, not rewrite the contract.

Run it

  1. Collect the policy
    Use the vendor privacy policy, AI terms, and DPA if available.
  2. Extract the risky clauses
    Ask for training, retention, sharing, subprocessors, and opt-out language.
  3. Classify the workflow
    Map your intended data use to allowed, prohibited, or ambiguous.
  4. Write the follow-up
    Ask for the exact clarification email if the use case is ambiguous.
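Steps 2 to 4 can be mechanised for a first pass. The script below is an added example and not part of this playbook: it runs pattern matching over a constructed policy excerpt (not quoted from any real vendor), flags the clauses for the five concerns the prompt names, classifies each concern as allowed, prohibited, or ambiguous, and drafts the follow-up questions for the ambiguous ones. The patterns, the "may" and "do not" wording rules, and the treatment of bounded retention as acceptable are triage heuristics assumed here, not a legal standard; the output is a starting point for the human read, not a replacement for it.

```python
import re
from dataclasses import dataclass

# Constructed sample policy excerpt for demonstration; not quoted from any real vendor.
SAMPLE_POLICY = """
We do not use Customer Content to train or improve our models.
Prompts and outputs are retained for 30 days for abuse monitoring and then deleted.
We may share Customer Content with the subprocessors named in our subprocessor list.
Content flagged by automated systems may be reviewed by our staff.
Customers on enterprise plans can request zero data retention.
"""

# The five concerns the playbook names, each with a pattern that marks a clause as relevant.
CONCERNS = {
    "training":      re.compile(r"\b(train\w*|fine[- ]?tun\w*|improve (?:our|the) (?:models?|services?))\b", re.I),
    "retention":     re.compile(r"\b(retain\w*|retention|delet\w+|stored? for)\b", re.I),
    "subprocessors": re.compile(r"\b(sub-?processors?|third[- ]part(?:y|ies)|service providers?)\b", re.I),
    "human_review":  re.compile(r"\b(reviewed by|human review|manual(?:ly)? review\w*)\b", re.I),
    "opt_out":       re.compile(r"\b(opt[- ]out|opt[- ]in|zero data retention)\b", re.I),
}

# Wording that decides the triage outcome. These thresholds are assumptions for a 5-minute pass.
NEGATION = re.compile(r"\b(do not|does not|will not|never|without)\b", re.I)
HEDGE = re.compile(r"\b(may|might|from time to time|as needed|as necessary|in some cases)\b", re.I)
BOUNDED_RETENTION = re.compile(r"\b(\d+\s*(?:hours?|days?|weeks?|months?)|zero data retention)\b", re.I)
INDEFINITE_RETENTION = re.compile(r"\b(indefinite\w*|as long as|perpetual\w*)\b", re.I)

SEVERITY = {"prohibited": 2, "ambiguous": 1, "allowed": 0}


@dataclass
class Finding:
    concern: str
    classification: str  # "allowed" | "prohibited" | "ambiguous"
    evidence: list       # short clause fragments quoted in support


def split_clauses(text):
    """Split policy text into sentence-level clauses."""
    return [c.strip() for c in re.split(r"(?<=[.;])\s+", text.strip()) if c.strip()]


def fragment(clause, match, width=40):
    """Quote only the short fragment around the matching term, as the prompt asks."""
    start = max(0, match.start() - width)
    end = min(len(clause), match.end() + width)
    return ("..." if start else "") + clause[start:end] + ("..." if end < len(clause) else "")


def classify_clause(concern, clause):
    negated = bool(NEGATION.search(clause))
    hedged = bool(HEDGE.search(clause))
    if concern == "opt_out":
        return "allowed"  # any documented opt-out control counts in the customer's favour
    if concern == "retention":
        if INDEFINITE_RETENTION.search(clause):
            return "prohibited"
        if BOUNDED_RETENTION.search(clause) and not hedged:
            return "allowed"  # a stated period with deletion is acceptable for triage
        return "ambiguous"
    if negated and not hedged:
        return "allowed"      # vendor plainly states it does NOT do the risky thing
    if hedged:
        return "ambiguous"    # "may", "as needed": this needs the clarification email
    return "prohibited"       # unconditional statement that the risky practice happens


def audit_policy(text):
    """Classify each concern by its worst-case clause; a concern with no clause stays ambiguous."""
    findings = {name: Finding(name, "ambiguous", []) for name in CONCERNS}
    for clause in split_clauses(text):
        for name, pattern in CONCERNS.items():
            m = pattern.search(clause)
            if not m:
                continue
            verdict = classify_clause(name, clause)
            f = findings[name]
            if not f.evidence or SEVERITY[verdict] > SEVERITY[f.classification]:
                f.classification = verdict
            f.evidence.append(fragment(clause, m))
    return findings


def followup_questions(findings):
    """Step 4 of the playbook: one question per ambiguous concern for the clarification email."""
    questions = {
        "training": "Confirm in writing that our content is never used to train or improve models.",
        "retention": "State the maximum retention period for our prompts and outputs and when deletion occurs.",
        "subprocessors": "Provide the current subprocessor list and the notice period for changes to it.",
        "human_review": "State which of our content can be read by staff and under what conditions.",
        "opt_out": "Describe how we disable training, human review, and retention for our account.",
    }
    return [questions[n] for n, f in findings.items() if f.classification == "ambiguous"]


if __name__ == "__main__":
    results = audit_policy(SAMPLE_POLICY)
    for f in results.values():
        print(f"{f.concern:14} {f.classification:11} {f.evidence[0] if f.evidence else '<no clause found>'}")
    for q in followup_questions(results):
        print("FOLLOW-UP:", q)
```

On the sample excerpt the script marks training, retention, and opt-out as allowed, and subprocessors and human review as ambiguous because both clauses hinge on "may"; those two become the follow-up email. A concern with no matching clause at all is deliberately left ambiguous rather than allowed, since silence in a policy is not a commitment.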

The prompt

Audit this vendor AI/data policy for our intended workflow.
Classify each concern as allowed, prohibited, or ambiguous.
Focus on model training, retention, subprocessors, human review, and opt-out controls.
Quote only the short clause fragments needed to support the classification.
