# Vendor AI risk review brief

## Vendor and workload

State the vendor, product, workflow, data classes, regions, expected users, integration surfaces, and business reason for use.

## Evidence review

Attach security documentation, data processing terms, model cards, evaluation reports, incident process, support model, pricing controls, and exit plan. Identify missing evidence and owner.

## Decision

Approve, conditionally approve, request remediation, or reject. Conditional approvals need an expiry date, compensating controls, and a review trigger.