In two months, the remaining provisions of the EU AI Act become enforceable. On August 2, 2026, deployer obligations for high-risk AI systems take full effect across the European Union — and the compliance burden does not stop at European borders. Any organization using AI-powered tools that touch EU residents faces new requirements around risk management, transparency, human oversight, and incident reporting.
For procurement teams evaluating AI vendors, the question is no longer whether to assess AI governance risk. The question is whether your current process can actually surface it.
## The Questionnaire Problem
Most enterprises still rely on security questionnaires and SOC 2 reports to vet technology vendors. These instruments were designed for data protection and infrastructure reliability. They were not designed to evaluate whether a vendor's AI system drifts after deployment, whether its training data introduces bias into consequential decisions, or whether the vendor can produce the technical documentation a regulator will eventually request.
Supply chain risk has expanded into new territory. If your vendor uses a foundation model API from a third party, your AI vendor due diligence must extend to that fourth party as well. Traditional questionnaires rarely reach that far — and the gap is costly. Supply chain compromises accounted for 47% of affected individuals in data incidents during early 2025, at an average cost of $4.91 million per event.
The same structural blind spot applies to AI governance. A vendor's SOC 2 attestation says nothing about model drift, training data provenance, or the vendor's capacity to produce the technical documentation a regulator requests after an adverse outcome.
## Regulatory Convergence Creates Urgency
The EU AI Act's August deadline is the most immediate pressure point, but it is not the only one. A patchwork of U.S. state legislation is creating overlapping obligations that procurement teams must navigate simultaneously.
Colorado's SB 26-189, signed in May 2026 and effective January 1, 2027, requires AI developers to provide deployers with documentation covering intended uses, training data categories, known limitations, and instructions for human review (Section 6-1-1702). Deployers must then provide notice before using automated decision-making technology for consequential decisions and disclose adverse outcomes within 30 days (Section 6-1-1704). The law covers seven domains: education, employment, housing, financial services, insurance, healthcare, and government services.
California's AI Transparency Act (SB 942) takes effect on August 2, 2026, requiring AI systems with more than one million monthly visitors to implement comprehensive disclosure measures. Connecticut's automated employment decision framework activates on October 1, 2026. More than 35 states now have active AI legislation.
For a procurement team evaluating an AI vendor in lending or insurance, the question is not which regulation applies. Multiple regulations apply simultaneously, and each one requires the deployer to verify that its vendor can support the disclosure, documentation, and oversight obligations the deployer now carries.
## What Standardized AI Governance Vendor Evaluation Looks Like
The gap in the market is not awareness. Compliance officers and procurement leads understand the risk. The gap is measurement. There is no widely adopted equivalent to a credit rating or a cybersecurity score for AI governance maturity.
This is the problem that independent AI transparency ratings are designed to solve. The AI Clear public registry evaluates companies against a 57-criteria rubric anchored to NIST AI RMF 1.0, ISO/IEC 42001:2023, and the MIT AI Risk Repository. The output is a letter grade from A+ to F across five pillars of AI disclosure quality, available to anyone without restriction.
The structural analog is BitSight in cybersecurity: an independent, standardized signal that procurement teams can incorporate into vendor evaluation workflows without commissioning a custom audit for every supplier. When a vendor scores well, the procurement conversation moves faster. When a vendor scores poorly, the team has a specific, documented basis for requiring remediation before contract execution. You can read the full AI Clear scoring methodology to understand exactly what each pillar measures and how it maps to regulatory requirements.
## The Insurance Dimension
Insurers are watching this space with particular intensity. D&O carriers are increasingly incorporating AI governance maturity into underwriting assessments. Some carriers, including Berkley, have introduced absolute AI exclusions across D&O, E&O, and cyber lines. Others, like Munich Re, are developing standalone AI liability policies.
The global AI-liability insurance segment has reached $6.8 billion, with rate increases of up to 15% hitting exposed organizations. For insurers, the challenge is identical to the one procurement teams face: how to evaluate third-party AI risk at scale without relying solely on self-reported questionnaires.
An independent, standardized rating provides the kind of signal insurers need to differentiate between organizations that have robust AI governance practices and those that do not. The same data that helps a procurement team decide whether to onboard a vendor helps an underwriter decide how to price the policy.
## What to Do Before August
Procurement teams that want to get ahead of the August 2 EU AI Act deadline should take three concrete steps.
First, audit your current vendor evaluation process for AI-specific criteria. If your questionnaire does not ask about model drift monitoring, training data provenance, and incident reporting protocols, it is incomplete for the current regulatory environment.
Second, map your vendor portfolio against the regulatory jurisdictions that apply to your operations. A vendor deploying AI in lending decisions faces different EU AI Act deployer obligations than one powering a customer service chatbot — and your AI governance vendor evaluation should reflect that distinction.
Third, supplement self-reported assessments with independent data. Check the AI Clear registry to see how your vendors score on AI disclosure quality, and use that data to prioritize which vendor relationships require deeper due diligence. The registry is open and free at aiclear.org.
The regulatory environment is not going to simplify. The organizations that build third-party AI risk assessment into their procurement workflows now will spend less time scrambling when the next deadline arrives.
---
*AI Clear is an independent AI transparency rating company. Explore the public registry at aiclear.org or request a rating for your organization.*