How to run a vendor risk assessment with AI

Compliance & Legal · 4 AI tools · 7 steps · 6 friction points

A vendor risk assessment is a structured review of the third parties your business depends on — suppliers, SaaS tools, contractors, data processors — to determine how much operational, financial, legal, or security exposure each one introduces. Most operators run these reactively: before signing a significant contract, after a vendor breach makes the news, or when an auditor asks for documentation. The output is usually a scored list of vendors with notes on risk level and any required mitigations.

The workflow feels tailor-made for AI because so much of it is document-heavy and judgment-intensive rather than technically complex. You're reading SOC 2 reports, privacy policies, financial indicators, and contract terms, then synthesizing them into a coherent risk picture. That's pattern recognition across text — exactly what large language models are built for. The alternative is a junior employee spending three days in a spreadsheet, or a consultant billing you for something that's mostly reading.

ChatGPT, Claude, and Gemini can genuinely help with vendor risk assessments today. They can analyze uploaded policy documents, score vendors against a framework you define, generate due diligence questionnaires, and produce summary memos. Two caveats before you upload anything: SOC 2 reports are usually shared under NDA, so confirm that your plan's data-retention and training terms allow them (consumer tiers often do not), and treat every date, scope, and SLA the model extracts as a claim to check against the document, because models misread coverage periods and carve-outs. Where they stop is live data: they can't pull your vendor list from your contracts folder, query current financial signals, or update a risk register automatically when a vendor's status changes.

AI walkthrough

How to do it with AI today

A practical walkthrough using ChatGPT, Claude, and other off-the-shelf LLMs — what they're good at, what you'll have to do by hand.

Tools that work for this
Claude, ChatGPT, Gemini, Perplexity
Step-by-step
1 Export your current vendor list manually — from a spreadsheet, your accounting software, or wherever it lives — and paste it into Claude or ChatGPT. Ask the model to categorize each vendor by risk domain (data access, financial dependency, operational criticality) so you know where to focus first.
2 For each high-priority vendor, locate their security documentation: SOC 2 reports, ISO 27001 certificates, privacy policies, or subprocessor lists. Upload these PDFs directly to Claude (which handles long documents well) and prompt it to extract key risk indicators: the audit period and whether the report is Type I or Type II, the auditor's opinion and any exceptions listed in the test results, complementary user entity controls you are expected to operate, data retention policies, breach notification timelines, subprocessor disclosure, and any systems or locations carved out of scope. Spot-check each extracted item against the page it came from before it goes into a score.
3 Build a risk scoring rubric in your chat session — define what constitutes low, medium, and high risk across dimensions like data sensitivity, revenue dependency, and vendor financial stability. Ask the model to score each vendor against this rubric and return a structured table you can paste into a spreadsheet.
4 Use Perplexity or ChatGPT with web browsing enabled to check for recent public signals on each vendor: news of layoffs, funding issues, security incidents, or regulatory actions. Open the cited sources yourself and confirm the story, date, and company name match before relying on them; browsing models do conflate similarly named companies and resurface old incidents as new. Paste the verified findings back into your scoring session for context.
5 Ask Claude or ChatGPT to generate a vendor due diligence questionnaire tailored to your industry and the specific risk domains you've flagged. Edit the output, then send it to vendors whose documentation was incomplete.
6 Once questionnaires come back, paste the responses into a new chat session and ask the model to compare each vendor's answers against your rubric. Ask for a final risk register with recommended actions — for example, 'require annual re-certification' or 'add data breach indemnification to the next renewal.'
7 Ask the model to draft a one-page risk summary memo you can share with your co-founder, board, or auditor. Specify the audience and any compliance framework you're referencing (SOC 2, ISO 27001, GDPR, etc.) so the language is calibrated correctly.
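As an added example (not code from this page or from Starch), here is the rubric from step 3 and the register from step 6 applied deterministically: the model extracts facts from a SOC 2 report, and a script owns the arithmetic, so quarter-over-quarter scores do not move with prompt wording. Vendor names, SOC 2 figures, weights, tier cut-offs and the scoring rules are all assumptions for illustration.

```python
"""Deterministic vendor risk scoring against a fixed rubric.

Added example, not from the page or any vendor-risk product. All vendor
names, SOC 2 figures, weights and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Rubric weights in percent (assumed); they must sum to 100.
WEIGHTS = {
    "data_sensitivity": 35,
    "security_posture": 30,
    "financial_exposure": 20,
    "replaceability": 15,
}
assert sum(WEIGHTS.values()) == 100

# Assumed tier cut-offs on the weighted 1-5 score, checked in order.
TIERS = [(4.0, "high"), (2.5, "medium"), (0.0, "low")]


@dataclass(frozen=True)
class Soc2Facts:
    """Facts an LLM (or a person) extracts from a SOC 2 Type II report."""
    opinion: str              # "unqualified" or "qualified"
    exceptions: int           # control exceptions listed in the test results
    breach_notice_hours: int  # contractual breach notification SLA
    coverage_end: date        # last day of the audit period


@dataclass(frozen=True)
class Vendor:
    name: str
    manual_scores: dict       # data_sensitivity, financial_exposure, replaceability: 1..5
    soc2: Soc2Facts
    renewal: date


def security_posture(facts, today):
    """Score security posture 1 (strong) .. 5 (weak) from extracted facts.

    Each triggered rule adds risk points; rules and point values are
    assumptions a team would tune for its own rubric.
    """
    rules = [
        (facts.opinion != "unqualified", 2, "auditor opinion not unqualified"),
        (facts.exceptions > 0, 1, f"{facts.exceptions} control exception(s) noted"),
        (facts.breach_notice_hours > 72, 1, "breach notification SLA longer than 72h"),
        ((today - facts.coverage_end).days > 365, 1, "audit period ended over 12 months ago"),
    ]
    points, reasons = 1, []
    for triggered, weight, reason in rules:
        if triggered:
            points += weight
            reasons.append(reason)
    return min(points, 5), reasons


def weighted_score(scores):
    """Weighted average on the 1-5 scale; rejects missing or out-of-range dimensions."""
    if set(scores) != set(WEIGHTS):
        raise ValueError(f"expected dimensions {sorted(WEIGHTS)}, got {sorted(scores)}")
    for dim, value in scores.items():
        if not 1 <= value <= 5:
            raise ValueError(f"{dim} must be 1..5, got {value}")
    return sum(WEIGHTS[d] * scores[d] for d in WEIGHTS) / 100


def tier(score):
    return next(label for cutoff, label in TIERS if score >= cutoff)


def build_register(vendors, today, window_days=90):
    """Score every vendor and flag high-tier vendors renewing within the window."""
    rows = []
    for v in vendors:
        posture, reasons = security_posture(v.soc2, today)
        scores = {**v.manual_scores, "security_posture": posture}
        score = weighted_score(scores)
        days = (v.renewal - today).days
        rows.append({
            "vendor": v.name,
            "score": score,
            "tier": tier(score),
            "days_to_renewal": days,
            "act_before_renewal": tier(score) == "high" and 0 <= days <= window_days,
            "evidence": reasons,
        })
    return sorted(rows, key=lambda r: (-r["score"], r["vendor"]))


# Constructed sample input; none of these vendors or figures are real.
TODAY = date(2025, 6, 1)
SAMPLE_VENDORS = [
    Vendor("AcmeCRM", {"data_sensitivity": 5, "financial_exposure": 3, "replaceability": 4},
           Soc2Facts("unqualified", 2, 24, date(2024, 9, 30)), date(2025, 7, 15)),
    Vendor("DataPipe", {"data_sensitivity": 5, "financial_exposure": 4, "replaceability": 5},
           Soc2Facts("qualified", 3, 120, date(2024, 3, 31)), date(2025, 8, 1)),
    Vendor("PayrollCo", {"data_sensitivity": 4, "financial_exposure": 2, "replaceability": 2},
           Soc2Facts("unqualified", 0, 48, date(2025, 1, 31)), date(2026, 1, 15)),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_VENDORS, TODAY):
        print(row)
```

The split of labour is the point: ask the model for `Soc2Facts`-style fields with page references, then let the script turn them into scores and the renewal flag. When a score changes next quarter, the `evidence` list says which extracted fact moved it, which is what an auditor will ask for.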
Prompts you can copy
Here is my vendor list with spend amounts and data access levels. Categorize each by risk domain — data, financial dependency, operational criticality — and flag the top five for immediate review.
I'm uploading our primary SaaS vendor's SOC 2 Type II report. Extract the key risk indicators: coverage period, any qualified opinions, subprocessor list, breach notification SLA, and data retention policy.
Build me a vendor risk scoring rubric for a 20-person SaaS company that handles B2B customer data. Dimensions should include: data sensitivity, financial exposure, replaceability, and security posture. Score each dimension 1-5 with clear criteria.
Here are responses to our due diligence questionnaire from three vendors. Score each against the rubric I defined earlier and return a comparison table with recommended risk tier — low, medium, or high — and any required mitigations.
Draft a one-page vendor risk summary memo for our board, referencing our SOC 2 Type II audit preparation. Include our top five vendors, their risk tiers, and the three mitigations we've prioritized for Q3.
Reality check

Where this gets hard

The walkthrough above works — until your numbers change, the LLM hallucinates, or you have to re-paste everything next month.

Your vendor list lives in QuickBooks, your contracts folder, or someone's head — not in the chat window. Every session starts with a manual export and copy-paste, and the list is stale the moment you close the tab.
Document uploads reset per session. If you close the chat or hit a context limit mid-review, you re-upload the SOC 2 PDF and re-establish your rubric from scratch next time.
Nothing is stored between runs. The risk register you built last quarter has no relationship to this quarter's session — version tracking, change history, and trend data don't exist unless you maintain them yourself in a separate spreadsheet.
Scoring consistency drifts. The rubric you carefully defined in one session doesn't reliably produce identical scores in a new session, even with the same prompt — small phrasing differences change outputs enough to make quarter-over-quarter comparisons unreliable.
There's no connection to renewal dates or contract terms. The model can't tell you which high-risk vendor contract expires in 60 days unless you manually paste that information in — which means remediation actions routinely miss their window.
Questionnaire follow-up is entirely manual. Once the LLM generates your due diligence questionnaire, tracking who responded, chasing non-responders, and logging answers back into a risk register is all on you.

Starch alternative

The same workflow on Starch

Starch is an agentic operating system — an agent builds and runs the actual software your vendor risk process needs, connected to your live business data, so the work happens continuously rather than as a one-off prompt you repeat each quarter.

Connect your email and contracts once. Starch syncs your Gmail or Outlook on a schedule, so the agent can surface vendor communications, flag incoming SOC 2 reports, and track questionnaire responses without you forwarding anything manually.
Describe the risk register you want in plain English — 'build me a vendor risk tracker that scores each vendor on data sensitivity, spend, and security posture, and shows renewal dates' — and an agent builds it as a persistent app that stays current.
Contract Lifecycle Management (coming soon) will handle vendor document storage, renewal alerts, and clause extraction in one place — so your risk register is connected to the actual contract terms, not a manual summary you typed in.
Automate questionnaire follow-up: tell Starch 'every week, check which vendors haven't returned their due diligence questionnaire and send a follow-up from my Gmail.' That automation runs on schedule without you prompting it again.
Build a vendor risk dashboard that pulls live spend data from QuickBooks and flags any vendor whose risk tier is high and whose contract renewal is within 90 days — the kind of cross-source view that raw LLMs can't construct because they have no connection to either system.
Use the Knowledge Management app to store your risk rubric, scoring history, and assessment notes in one searchable place — so the next team member who runs an assessment inherits your methodology, not a blank chat window.