Vendor AI Disclosure Review.
A buyer-side rubric for evaluating an AI disclosure you received from a vendor: their AI System Card, their /.well-known/aeo.json, their model card, or the AI section of their security questionnaire. There are ten dimensions. For each dimension you mark found, quality, and notes. You get back a verdict band, a structured strengths/gaps/follow-ups list, and a Markdown or JSON record you can paste into your vendor file. Counterpart to the AI System Card Builder (vendor-side) and AI Procurement Pulse (population-side measurement).
How the rubric works
Scoring: each dimension gets a score from 0–2. Found=yes & quality=clear → 2. Found=yes & quality=vague/contradictory → 1. Found=partial → 1. Found=no → 0. Total maxes at 20.
Verdict bands: 17–20 well-disclosed · 11–16 standard · 5–10 sparse · 0–4 red-flag. Bands are the starting point of your judgment, not the end of it. A red-flag total can still be acceptable if the vendor isn't deploying anything you'd consider high-risk; a well-disclosed total doesn't override the failure modes you actually observed in their product.
What this is: a structured note-taking + scoring frame for a human review. Ten dimensions chosen to mirror what AI Procurement Pulse measures on vendor populations, plus what NIST AI RMF 1.0 and EU AI Act high-risk-system disclosure expectations ask for.
What it isn't: a regulatory verdict, a vendor-blocking recommendation, or legal advice. Your governance team owns the procurement decision. Verdict bands are decision-support, not policy.