An AI vendor due diligence UK manufacturer programme is the structured way a UK manufacturer screens AI suppliers (and the AI features baked into existing SaaS suppliers) against UK GDPR, EU AI Act, ISO 42001, SOC 2 and customer-audit expectations, before signing a contract. Done well, it removes the noise of unsuitable vendors in minutes, leaves a defensible evidence pack on the high-risk ones and keeps shadow AI out of the business.
TL;DR for busy MDs:
- Two-phase questionnaire: a 4-question binary sanity check plus a 12 to 20 question deep dive.
- Tie every question to a real obligation: UK GDPR, EU AI Act (Articles 12 and 17), ISO 42001, SOC 2 Type II.
- Reject any vendor that fails any Phase 1 question. Score Phase 2 and feed the result into the AI risk register.
- Re-run annually for high-risk vendors, biennially for medium-risk, and immediately after any material change.
- Most UK SME manufacturers can run the whole process in 60 to 90 minutes per vendor.

Last updated: 9 June 2026
What AI vendor due diligence UK manufacturer programmes actually cover
AI vendor due diligence is more than the old IT security questionnaire with an “AI” prefix bolted on. It tests four things at once: (1) does the vendor’s technology do what it says, (2) is the vendor capable of helping you meet your own UK GDPR, EU AI Act, ISO 27001 and customer-audit obligations, (3) is the vendor’s commercial behaviour sustainable (training-data rights, indemnities, exit), and (4) is the vendor’s AI estate stable enough that a model change next year does not invalidate your DPIA, conformity assessment or board decision today.
For a UK manufacturer, the scope of AI vendor due diligence has expanded sharply in 2026. It now needs to cover dedicated AI tools (Microsoft Copilot, ChatGPT Enterprise, Anthropic, Glean, Gong, Otter), AI features that have appeared inside existing SaaS (ERP, MES, CRM, finance, helpdesk, HR), embedded AI in machinery and instrumentation supplied to the manufacturer, and AI delivered through services (predictive maintenance, vision QC, recruitment scoring). Treating these as one due-diligence discipline rather than four siloed procurement processes is what makes the programme manageable.
The most useful structure, drawn from the cleanest UK and EU enterprise guidance, is a two-phase questionnaire: Phase 1 binary sanity check, Phase 2 deep dive. Both attach to a single AI vendor record that links to the AI risk register, the ISO 27001 risk treatment plan and any UK GDPR DPIA.
Phase 1: the four-question binary sanity check for an AI vendor due diligence UK manufacturer
The first job of any AI vendor due diligence UK manufacturer questionnaire is to reject unsuitable vendors before anyone wastes a meeting. The Phase 1 questions should be answerable yes/no by a procurement team in a web form. A vague or “no” answer to any of them is an immediate rejection:
1. Do you offer a verifiable UK or EEA data residency option? A US-only default is an immediate UK GDPR concern. Ask for the specific regions per service.
2. Can you provide current ISO 27001 certification and a SOC 2 Type II report? No certification, expired certificates or scope statements that exclude the AI service you are buying are all rejections.
3. Do you indemnify us against IP infringement claims for outputs? This is now standard for credible enterprise AI vendors. Vague answers indicate untested products.
4. Do you commit, in writing, not to train your models on our prompts, inputs or outputs by default? No training by default is the line between an enterprise tool and a consumer product dressed up as one.
UK manufacturers using this Phase 1 approach typically reject 70 to 90 percent of inbound AI vendor approaches inside ten minutes. According to enterprise procurement guidance, this short binary check alone reduces noise by 80 to 90 percent without missing any genuinely competent vendor.
Phase 2: the deep-dive questionnaire
For vendors that pass Phase 1, the Phase 2 deep dive is the real AI vendor due diligence UK manufacturer questionnaire. Organise it into seven sections and keep each to two to four questions:
- AI usage and scope. What AI systems does the vendor deploy, customer-facing or internal? Which model types (LLMs, predictive analytics, computer vision, recommendation systems)? What AI features are planned in the next 12 months that could affect your engagement?
- Data handling and privacy. Will AI access your proprietary or customer data? Is data used for training or improvement? Which third-party AI providers (OpenAI, Anthropic, Google, Mistral) sit behind the service, and on what terms? Data flow per workflow, named subprocessors, data residency per category.
- EU AI Act posture. Risk classification per use case (Annex II or III, high-risk or limited-risk), conformity assessment status, deployer guidance, technical documentation structure, instructions for use, Article 17 quality management system evidence.
- Audit logs and accountability. EU AI Act Article 12 record-keeping: per-inference logs with timestamp, prompt template version, model and version, output, human approval or override, retention policy and export format. GDPR-compatible audit trails for personal data processing.
- Security controls. Encryption in transit and at rest, key management, SSO and MFA, access controls, network segmentation, prompt-injection and data-poisoning defences, vulnerability management.
- Third-party and subprocessor risk. Critical AI subprocessors, SOC 2 / ISO 27001 / ISO 42001 evidence for each, change-notification commitments, contingency plans if a model provider deprecates a model.
- Change management and exit. Model versioning, deprecation policies, prompt and template version control, customer notification SLAs for material changes, exit procedures, data deletion confirmation, transition help.
Each section should be scored (red/amber/green or 1 to 5) and weighted by the use case’s inherent risk in your NIST AI RMF or ISO 42001 risk assessment. Capture supporting evidence: certificates, screenshots, sample audit-log exports, data flow diagrams, sample DPIA inputs.
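The two-phase logic above (reject on any Phase 1 fail, then score and weight Phase 2 by inherent risk and write the result to the AI risk register) is easy to get inconsistent when it lives in a spreadsheet. The script below is an added example, not the article's or any vendor's tooling: the section weights, the RAG thresholds per risk tier, the rule that an unevidenced score is capped, and the two vendor records are all constructed assumptions to be replaced with the values from your own ISO 42001 or NIST AI RMF assessment.

```python
"""Two-phase AI vendor screen: Phase 1 gate, Phase 2 weighted score, risk-register entry.
Added example; weights, thresholds, the evidence cap and both vendor records are
constructed assumptions, not the article's figures or any real vendor's answers."""
from __future__ import annotations
from dataclasses import dataclass, field

# Phase 1: the four binary questions. A missing or "no" answer is a fail.
PHASE1_QUESTIONS = (
    "uk_eea_residency",         # verifiable UK or EEA data residency option
    "iso27001_and_soc2_type2",  # current certificates whose scope covers the AI service
    "output_ip_indemnity",      # indemnity for IP infringement claims on outputs
    "no_training_by_default",   # written commitment not to train on our data by default
)

# Phase 2: the seven sections. Weights are assumed; tune them to your own risk assessment.
SECTION_WEIGHTS = {
    "ai_usage_scope": 1,
    "data_handling_privacy": 2,
    "eu_ai_act_posture": 2,
    "audit_logs": 2,
    "security_controls": 2,
    "subprocessor_risk": 1,
    "change_and_exit": 1,
}
UNEVIDENCED_CAP = 2  # assumed: a claim with no captured evidence scores at most 2 of 5
# Assumed (green, amber) thresholds as percent of the maximum weighted score, per inherent-risk tier.
RAG_THRESHOLDS = {"high": (85, 70), "medium": (75, 55), "low": (65, 45)}
# Review cadence from the article: annual for high, biennial for medium; low assumed biennial too.
REVIEW_MONTHS = {"high": 12, "medium": 24, "low": 24}


@dataclass
class SectionAnswer:
    score: int                                          # 1 (poor) to 5 (excellent)
    evidence: list[str] = field(default_factory=list)   # certificates, screenshots, exports


@dataclass
class VendorRecord:
    name: str
    use_case: str
    inherent_risk: str            # "high" | "medium" | "low"
    phase1: dict[str, bool]
    phase2: dict[str, SectionAnswer]


def phase1_failures(rec: VendorRecord) -> list[str]:
    """Return the Phase 1 questions the vendor failed; an unanswered question counts as a fail."""
    return [q for q in PHASE1_QUESTIONS if not rec.phase1.get(q, False)]


def effective_score(ans: SectionAnswer) -> int:
    """Clamp the score to 1..5 and cap it when no evidence was captured."""
    s = max(1, min(5, ans.score))
    return s if ans.evidence else min(s, UNEVIDENCED_CAP)


def phase2_score(rec: VendorRecord) -> tuple[float, dict[str, int]]:
    """Weighted percentage of the maximum score, plus the effective score per section."""
    per_section: dict[str, int] = {}
    total = 0
    for section, weight in SECTION_WEIGHTS.items():
        ans = rec.phase2.get(section, SectionAnswer(score=1))  # unanswered section scores 1
        per_section[section] = effective_score(ans)
        total += per_section[section] * weight
    max_total = 5 * sum(SECTION_WEIGHTS.values())
    return round(100 * total / max_total, 1), per_section


def assess(rec: VendorRecord) -> dict:
    """Produce the AI risk register entry for one vendor record."""
    failed = phase1_failures(rec)
    if failed:
        return {"vendor": rec.name, "decision": "reject_phase1", "failed": failed}
    pct, per_section = phase2_score(rec)
    green, amber = RAG_THRESHOLDS[rec.inherent_risk]
    rag = "green" if pct >= green else "amber" if pct >= amber else "red"
    weakest = sorted(per_section, key=per_section.get)[:2]  # sections to escalate first
    return {
        "vendor": rec.name, "use_case": rec.use_case, "inherent_risk": rec.inherent_risk,
        "decision": "score_phase2", "score_pct": pct, "rag": rag,
        "weakest": weakest, "review_in_months": REVIEW_MONTHS[rec.inherent_risk],
    }


# Constructed sample vendors (not real companies).
PASSING_VENDOR = VendorRecord(
    name="ExampleAI Ltd (constructed)", use_case="recruitment screening assistant",
    inherent_risk="high", phase1={q: True for q in PHASE1_QUESTIONS},
    phase2={
        "ai_usage_scope": SectionAnswer(4, ["roadmap-2026.pdf"]),
        "data_handling_privacy": SectionAnswer(5, ["dataflow.png", "subprocessors.csv"]),
        "eu_ai_act_posture": SectionAnswer(4, ["annex-iii-classification.pdf"]),
        "audit_logs": SectionAnswer(5, ["sample-audit-export.jsonl"]),
        "security_controls": SectionAnswer(4, ["soc2-type2-2025.pdf"]),
        "subprocessor_risk": SectionAnswer(3),  # claimed, nothing captured: capped at 2
        "change_and_exit": SectionAnswer(3, ["change-policy.pdf"]),
    },
)
FAILING_VENDOR = VendorRecord(
    name="ConsumerBot Inc (constructed)", use_case="meeting notes", inherent_risk="medium",
    phase1={"uk_eea_residency": True, "iso27001_and_soc2_type2": True,
            "output_ip_indemnity": True, "no_training_by_default": False},
    phase2={},
)

if __name__ == "__main__":
    for rec in (PASSING_VENDOR, FAILING_VENDOR):
        print(assess(rec))
```

The constructed high-risk vendor passes Phase 1 but lands amber, because its subprocessor answer was asserted without evidence and is capped; that is the behaviour you want, since the register entry then names the exact section to chase before the board accepts the risk.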
Why this matters for UK manufacturers in 2026
Four forces have made AI vendor due diligence non-negotiable for UK manufacturers in 2026:
- EU AI Act Article 17 (high-risk QMS). Providers must operate a quality management system covering supplier and subprocessor oversight; deployers (including UK manufacturers selling into the EU) need that evidence to discharge their own obligations.
- EU AI Act Article 12 (logging). High-risk AI must produce automatic event logs. Your vendor must be able to give you that data in your timezone, in a usable format, for the retention period the regulation requires.
- ICO AI and data protection guidance. The ICO’s AI and data protection guidance reinforces that the manufacturer remains the data controller. Your DPIA is only as strong as the vendor evidence behind it.
- Customer audits. AS9100, IATF 16949, BRCGS, MHRA and large customer cyber questionnaires now ask explicit AI vendor due diligence questions. UK manufacturers that cannot answer them lose contracts.
None of this requires a Big Four consultancy. It requires a one-page Phase 1 form, a short Phase 2 questionnaire, and a named senior owner who is allowed to say no.
What good answers look like in practice
The cleanest test of a credible enterprise AI vendor is whether their answers are concrete and verifiable, not whether they use the word “compliance” a lot. Three concrete signals to look for:
Named subprocessors and regions per workflow. “We use OpenAI gpt-4o-mini in eu-west-2 for summarisation, Anthropic Claude Sonnet in eu-west-1 for tender drafting, and our own self-hosted models in eu-central-1 for sensitive workloads.” This is far stronger than “we use leading AI providers in the EU”.
Per-inference audit log with sample export. A credible vendor can show you an actual audit log row, with timestamp, prompt template version, model and version, redacted input, output, human approver and retention. If they cannot, Article 12 evidence is missing.
Explicit EU AI Act classification per use case. “We have classified our recruitment screening assistant as high-risk under Annex III(4); our customer support assistant as limited-risk; our internal coding assistant as minimal-risk. Conformity assessment for the recruitment assistant is in progress with a notified body, targeting completion Q2 2026.” This is a vendor that has done the homework.
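When a vendor does hand over a sample audit-log export, the check that matters is whether every row actually carries the fields the article lists (timestamp, prompt template version, model and version, redacted input, output, human approval or override, retention), not whether the cover email says "Article 12 compliant". The validator below is an added example, not the article's or any vendor's code: the field names, the decision vocabulary, the 180-day retention floor and the three JSONL rows are constructed assumptions, so map them to the vendor's real schema and your own retention policy before use.

```python
"""Validate a vendor's sample per-inference audit-log export against an
Article 12 field checklist. Added example; field names, the human_decision
vocabulary, the retention floor and the sample rows are constructed assumptions."""
from __future__ import annotations
import json
from datetime import datetime

# Assumed column names for the fields the questionnaire asks for.
REQUIRED_FIELDS = (
    "timestamp", "prompt_template_version", "model", "model_version",
    "input_redacted", "output", "human_decision", "retention_days",
)
HUMAN_DECISIONS = {"approved", "overridden", "auto"}  # assumed agreed vocabulary
MIN_RETENTION_DAYS = 180  # assumed policy floor; align with your own retention schedule


def check_row(row: dict) -> list[str]:
    """Return a list of findings for one log row; an empty list means the row is acceptable."""
    findings: list[str] = []
    for name in REQUIRED_FIELDS:
        if row.get(name) in (None, ""):
            findings.append(f"missing {name}")
    ts = row.get("timestamp")
    if isinstance(ts, str):
        try:
            # Offset-aware timestamps let you reconcile the export with your own timezone.
            if datetime.fromisoformat(ts).tzinfo is None:
                findings.append("timestamp has no timezone offset")
        except ValueError:
            findings.append("timestamp is not ISO 8601")
    decision = row.get("human_decision")
    if decision is not None and decision not in HUMAN_DECISIONS:
        findings.append(f"human_decision {decision!r} outside agreed vocabulary")
    if decision in ("approved", "overridden") and not row.get("approver_id"):
        findings.append("human decision recorded without approver_id")
    retention = row.get("retention_days")
    if isinstance(retention, int) and retention < MIN_RETENTION_DAYS:
        findings.append(f"retention_days {retention} below policy floor {MIN_RETENTION_DAYS}")
    return findings


def validate_export(jsonl_text: str) -> dict[int, list[str]]:
    """Map each 1-based line number of a JSONL export to its findings."""
    results: dict[int, list[str]] = {}
    for number, line in enumerate(jsonl_text.strip().splitlines(), start=1):
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            results[number] = ["line is not valid JSON"]
            continue
        results[number] = check_row(row)
    return results


def export_is_acceptable(jsonl_text: str) -> bool:
    """True only when every row passes; one bad row means the evidence is not yet usable."""
    return all(not findings for findings in validate_export(jsonl_text).values())


# Constructed sample export: row 1 is clean, row 2 has a naive timestamp and no approver,
# row 3 lacks the model version and keeps logs for less than the assumed floor.
SAMPLE_EXPORT = """
{"timestamp": "2026-06-09T10:15:00+01:00", "prompt_template_version": "tender-summary-v3", "model": "example-llm", "model_version": "2026-05", "input_redacted": "Summarise tender [REDACTED]", "output": "Three-line summary", "human_decision": "approved", "approver_id": "u-1042", "retention_days": 365}
{"timestamp": "2026-06-09T10:16:00", "prompt_template_version": "tender-summary-v3", "model": "example-llm", "model_version": "2026-05", "input_redacted": "Summarise tender [REDACTED]", "output": "Three-line summary", "human_decision": "approved", "retention_days": 365}
{"timestamp": "2026-06-09T10:17:00+01:00", "prompt_template_version": "tender-summary-v3", "model": "example-llm", "input_redacted": "Summarise tender [REDACTED]", "output": "Three-line summary", "human_decision": "auto", "retention_days": 90}
"""

if __name__ == "__main__":
    for number, findings in validate_export(SAMPLE_EXPORT).items():
        print(number, findings or "ok")
    print("acceptable:", export_is_acceptable(SAMPLE_EXPORT))
```

Run it against the vendor's real sample file instead of the constructed rows; the per-row findings are exactly the evidence gaps to put back to the vendor, and the script's output can be filed with the Phase 2 audit-log score.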
What to look out for and what to avoid
Five red flags should kill an AI vendor deal in any AI vendor due diligence UK manufacturer programme:
- “We are SOC 2 compliant” with no Type II report or with a scope statement that excludes the AI service you are buying.
- “US-only data residency” with no UK or EEA option for customer prompts and outputs.
- “We may use your data to improve our models” without a clear opt-out or an enterprise tier that flips the default.
- “Our models update transparently” with no formal change-management policy or customer notification SLA.
- “We are working on ISO 42001” as the only AI-specific governance signal, with no actual roadmap, gap assessment or target date.
The boards that get AI vendor due diligence right in UK manufacturing do three things differently: they give procurement and IT a written mandate to reject vendors at Phase 1, they integrate AI vendor due diligence with their existing ISO 27001 supplier process rather than running a parallel programme, and they reuse evidence across customer audits, cyber-insurance renewals and EU AI Act conformity work instead of collecting it three times.
Where senior IT leadership fits in
The single biggest predictor of success in AI vendor due diligence UK manufacturer programmes is the presence of senior, vendor-independent leadership inside the business: someone with the authority to say no to a glossy vendor pitch, integrate AI procurement with ISO 27001 and UK GDPR, and brief the board on what AI vendor risk actually looks like in plain English. For most UK SME and mid-market manufacturers, a fractional IT director is the most cost-effective way to put that capability in place. Bailey & Associates offers fractional IT director cover specifically for UK manufacturers from £2,000 per month with no tie-in, alongside a free IT Director’s Playbook.
Frequently Asked Questions
What is AI vendor due diligence and why does a UK manufacturer need it?
AI vendor due diligence is the structured process of assessing AI suppliers (and AI features baked into existing SaaS suppliers) against your business, compliance and security requirements before signing a contract. For a UK manufacturer, it matters because the manufacturer remains the data controller under UK GDPR, the deployer under the EU AI Act and the accountable party in customer audits, regardless of what the vendor says in its marketing. A good AI vendor due diligence UK manufacturer questionnaire screens out unsuitable vendors fast, reduces shadow AI, and gives the board defensible evidence that AI risk is being managed.
What should an AI vendor due diligence UK manufacturer questionnaire include?
A workable AI vendor due diligence UK manufacturer questionnaire is split into two phases. Phase 1 is a four-question binary sanity check (UK or EEA data residency, ISO 27001 and SOC 2 Type II, indemnification against IP infringement of outputs, no training on customer data by default). Phase 2 is a 12 to 20 question deep dive covering model routing, EU AI Act classification, audit logs (Article 12), subprocessors, training data provenance, prompt injection defence, change management, exit and data deletion. Each Phase 1 fail rejects the vendor without a call; Phase 2 produces a scored, evidenced risk profile the board can accept or escalate.
How does an AI vendor due diligence UK manufacturer questionnaire fit with EU AI Act compliance?
For UK manufacturers in scope of the EU AI Act, vendor due diligence is the principal mechanism for inheriting compliance evidence from upstream providers. Under EU AI Act Article 17, high-risk AI providers must operate a quality management system covering supplier oversight, and as a deployer the manufacturer needs the vendor’s technical documentation, instructions for use and conformity-assessment evidence to discharge its own obligations. An AI vendor due diligence UK manufacturer questionnaire should therefore ask explicitly for risk classification, Annex III mapping, Article 12 audit-log evidence, change-management practices and the deployer-facing material the EU AI Act expects vendors to provide.
How often should AI vendor due diligence be repeated?
Run full AI vendor due diligence at onboarding and then re-run it annually for high-risk vendors and every two years for medium-risk vendors. Run a delta review whenever the vendor materially changes its model providers, subprocessors, data residency, training data or routing logic. UK manufacturers should also re-run AI vendor due diligence at any major regulatory milestone: EU AI Act provider obligations on 2 August 2026, UK Cyber Governance Code updates, ICO AI guidance refreshes and ISO 42001 surveillance audits. A simple delta review keeps the AI risk register and customer audit pack current.
Take the Next Step
Designing an AI vendor due diligence UK manufacturer programme that protects the business without strangling AI adoption is one of the highest-leverage commercial moves a UK manufacturing board can make in 2026. Bailey & Associates provides fractional IT director cover specifically for UK manufacturers, with 15+ years of sector experience, fixed monthly pricing from £2,000 per month and cancel-anytime terms. Explore our vendor and technology management services or book a free discovery call today.