# ISO 42001 Supplier & Third-Party AI

> Draft supplier and third-party AI evaluation, contracts, and documentation for ISO/IEC 42001:2023.

Tags: ISO 42001, Supplier, Third-Party, Compliance, AI

## Example Prompts

- Draft our third-party AI evaluation procedure
- Document contract requirements for AI vendors
- Create a supplier risk assessment template

URL: https://rakenne.app/skills/iso42001-supplier-third-party/index.md

Try this skill: https://rakenne.app/a/?skill=iso42001-supplier-third-party

## Overview

Draft supplier and third-party AI evaluation, contracts, and documentation for ISO/IEC 42001:2023.

## Getting Started

Add your source materials to the project workspace, then activate the *ISO 42001 Supplier & Third-Party AI* skill. The agent will guide you through the process step by step.

## Example conversation

**You:** We’re evaluating a third-party AI API for [e.g. content moderation]. We need a procedure for evaluation, contracts, and ongoing monitoring for ISO 42001.

**Agent:** I’ll draft the supplier/third-party AI procedure and templates using the skill reference. I’ll cover how we evaluate third-party AI (due diligence, risk assessment), contractual requirements (AI governance, incident notification, data, compliance), security and assurance expectations, and ongoing monitoring. I’ll add an evaluation and risk assessment template and link to the risk register and SoA third-party controls.

## Output excerpt

### Supplier and third-party AI excerpt

**Evaluation** — Before adoption: due diligence (vendor, product, support); capability and limitation assessment; AI-specific risk assessment (bias, transparency, data, compliance). Checklist: [e.g. questionnaire]. Approval: [e.g. AIMS owner + procurement]. Record: evaluation result and risk assessment.

**Contractual requirements** — Contracts for AI products/services include: AI governance and acceptable use; incident notification (e.g. within [X] days); data processing (lawful basis, retention, sub-processors); compliance (e.g. EU AI Act if applicable); audit/assurance rights. Ref: [e.g. standard clauses or legal template].

**Security and assurance** — We require [e.g. SOC 2 or equivalent] where relevant; [e.g. data residency]. Assurance evidence reviewed [e.g. annually].

**Ongoing monitoring** — [e.g. Quarterly or on incident]: performance; incidents; contract compliance; reassessment on material change. Findings feed the risk register and management review.

**Records** — Retain: vendor; product; evaluation date; risk assessment; contract reference; assurance evidence; monitoring log.

## Extension and validation

This skill does not include custom validation tools. Elaboration is guided by the skill workflow and reference materials.

---

Back to [Skill Library](https://rakenne.app/skills/index.md)
