A transparent, reproducible framework for evaluating AI vendor risk across five core dimensions.
Overview
The AI Vendor Risk Index evaluates vendors using a weighted composite score derived from publicly available information, third-party audits, regulatory filings, and vendor self-disclosures. Our goal is to provide enterprise buyers with an objective, comparable measure of vendor risk.
Scores range from 0 to 100, where higher scores indicate lower overall risk. Vendors are classified into three risk tiers:
Low Risk — Score 70–100
Medium Risk — Score 40–69
High Risk — Score 0–39
Five Scoring Dimensions
1. Security (25% weight)
Evaluates the vendor's technical and organizational security posture:
SOC 2 Type II and ISO 27001 certification status
Data encryption at rest and in transit
Access control and authentication mechanisms
Penetration testing and bug bounty programs
Incident response history and disclosure practices
2. Transparency (25% weight)
Measures how openly the vendor documents its AI systems:
Model card or system card publication
Training data provenance and documentation
Benchmark results and evaluation disclosures
Known limitation and failure mode documentation
Open-source contributions and research publications
3. Compliance (20% weight)
Assesses alignment with current and emerging AI regulations:
Reviews the vendor's approach to AI safety and responsible deployment:
Red-teaming and adversarial testing programs
Content filtering and output safety measures
Bias and fairness evaluation methodologies
Responsible disclosure and vulnerability handling
Safety research investment and commitments
5. Market Stability (10% weight)
Evaluates business continuity and organizational risk:
Funding status and financial viability
Organizational governance structure
Business continuity and disaster recovery planning
Vendor lock-in risk and data portability
Customer support and SLA commitments
Data Sources
We rely exclusively on publicly verifiable information:
Vendor websites, documentation, and policy pages
SEC filings, annual reports, and press releases
Third-party audit reports and certifications
Academic papers and industry benchmarks
Government regulatory databases and enforcement actions
We do not accept vendor sponsorship, paid placements, or preferential treatment. Our independence is core to our mission.
Update Cadence
Scores are recalculated weekly using automated data collection pipelines. Major scoring methodology changes are versioned and documented in our wiki. Historical scores are preserved to enable trend analysis.