AI Vendor Due-Diligence Checklist, TEMPLATE

What this is. The questions to clear before routing any client data to an AI tool. It satisfies the FTC Safeguards Rule's service-provider selection/oversight duty (§314.4(f)) and the AICPA duty to evaluate a provider (ET §1.300.040), and it gives you the written record an examiner expects. Run it once per tool; re-run on material change or annually.

Grounded in Regulatory Foundation §1–§3. Not legal advice.

Tool: [NAME / VENDOR] · Reviewed by: [QUALIFIED INDIVIDUAL] · Date: [DATE] Intended use: [e.g., OCR of source docs / summarizing / tax research]

Step 1, The four gating questions (must all clear for client TRI)

Get these in writing from the vendor (terms, DPA, or security page):

• [ ] 1. No training. The vendor does not train, fine-tune, or improve models on our prompts, files, outputs, embeddings, or feedback.

• [ ] 2. Retention. There is true zero/minimal retention for the specific features we use (not a blanket marketing line), confirm per endpoint (files, threads, assistants, vector stores, project memory can retain state even when "ZDR" is on).

• [ ] 3. U.S.-only access. Processing and human access (support, subprocessors, model monitoring) stay in the United States, absent a §7216 consent. (Offshore access = consent required; SSNs generally can't be consented offshore.)

• [ ] 4. Confidentiality agreement. The vendor will sign a DPA/confidentiality agreement appropriate to taxpayer information and discloses its subprocessors.

If any of the four can't be confirmed → do not enter client-identifiable or return-derived data. Anonymize instead (see redactor), or keep it out.

Step 2, Full diligence record (the 10 points)

• (1) No model training/improvement on our data (= Q1)
• (2) True ZDR for the specific endpoints/features used (= Q2)
• (3) No persistent application state unless necessary and approved
• (4) U.S.-only processing/access absent §7216 consent (= Q3)
• (5) No third-party/downstream tool calls with our data unless each is separately vetted
• (6) Confidentiality + subprocessor terms appropriate to TRI (= Q4)
• (7) Vendor human-access restrictions
• (8) §7216/§6713 contractor-notice mechanics where vendor access is possible
• (9) Use limitation, data used only to provide the service to the firm
• (10) CPA final review, AI output is never the final substantive tax determination

Step 3, Security baseline

• Encryption in transit and at rest
• MFA + access controls; no shared/personal accounts for client data
• SOC 2 Type II (or equivalent) reviewed (⚠️ SOC 2 ≠ a no-training term and ≠ a §7216 basis, it's one input, not the answer)
• Logging, vulnerability management, documented incident response + breach notification

Step 4, Decision

• 🟢 Approved for [use case], add to the WISP approved-tool list, file this record.
• 🟡 Conditional, approved only for [anonymized / non-substantive / specific] use; conditions: […]
• 🔴 Rejected for client data, reason: […]. Permitted only with anonymized/synthetic input.

Signed (Qualified Individual): [NAME] · Re-review due: [DATE]

Cross-references: Regulatory Foundation §1–§3; the four questions mirror the ai-use-checker. Educational template, counsel review before adoption.