Perform AI System Due Diligence

Learn how to perform AI system due diligence in Sprinto by requesting documents, reviewing evidence, managing questionnaires, and tracking vendor security reviews.

The AI Systems module in Sprinto includes due diligence workflows that help organisations review the security, compliance, and governance posture of AI systems and AI vendors.

Due diligence workflows help organisations:

  • Review AI vendor security posture

  • Collect governance evidence

  • Request compliance documents

  • Send security questionnaires

  • Review uploaded evidence

  • Track due diligence completion

  • Maintain audit-ready records

Sprinto supports both manual and AI-assisted due diligence reviews.


To access AI system due diligence:

  1. Log in to the Sprinto dashboard.

  2. Navigate to Data Library.

  3. Select AI Systems.

  4. Open an AI system from the Added AI Systems tab.

  5. Select the Due diligence tab.

The Due diligence tab displays the due diligence status and review workflows associated with the AI system.


Due Diligence Eligibility

Sprinto determines whether due diligence is mandatory or optional based on configured governance criteria.

If the AI system does not meet the configured due diligence requirements, Sprinto displays:

  • Due diligence is optional for this AI system

You can still perform due diligence manually if required.


Start Due Diligence

To begin a due diligence review:

  1. Open the AI system.

  2. Navigate to the Due diligence tab.

  3. Click Perform due diligence.

The due diligence workflow opens in a side drawer.


Due Diligence Workflow

The due diligence workflow contains two major stages:

  1. Choose vendor documents for due diligence

  2. Review vendor documents and complete due diligence


Request Documents from Vendors

Sprinto allows organisations to request compliance and security documents directly from vendors.

Request Vendor Documents

To request documents:

  1. In the due diligence drawer, select Request from vendor.

  2. Select the required documents.

  3. Configure the request settings.

  4. Click Preview & send request.

Sprinto sends the request to the vendor after confirmation.


Configure Requested Documents

You can configure:

  • Required documents

  • Optional documents

  • Custom questionnaires

  • Document request notifications

Examples of supported documents include:

  • SOC 2 reports

  • ISO 27001 certifications

  • GDPR agreements

  • HIPAA agreements

  • Security whitepapers

  • PCI DSS reports


Configure Custom Questionnaires

You can attach custom questionnaires while requesting documents.

To add a questionnaire:

  1. Enable the custom questionnaire option.

  2. Upload the questionnaire.

  3. Configure whether the questionnaire is mandatory.

Questionnaires help organisations standardise AI vendor assessments.


Configure Request Notifications

Sprinto supports configurable request notifications.

You can configure:

  • Recipients

  • CC recipients

  • Submission notification recipients

  • Email subject

  • Email header

  • Email body

You can also choose whether selected documents appear inside the email.


Preview and Send Requests

Before sending the request:

  1. Click Preview & send request.

  2. Review the generated email.

  3. Click Send request.

Sprinto then sends the due diligence request to the vendor.


Upload Documents Manually

Teams can manually upload documents instead of requesting them from vendors.

To upload documents:

  1. In the due diligence drawer, select Upload documents.

  2. Choose the document or link type.

  3. Upload files or add URLs.

  4. Click Save.

Sprinto stores the uploaded evidence within the AI system record.


Supported Upload Types

Sprinto supports:

  • File uploads

  • URL-based evidence

  • Multiple document uploads

Supported file formats may include:

  • PDF

  • DOC/DOCX

  • XLS/XLSX

  • CSV

  • PPT/PPTX

  • ZIP

  • JSON

  • MSG

  • ODT/ODS


Add Multiple Documents

To upload additional evidence:

  1. Click Add another document/link.

  2. Repeat the upload process.

This helps organisations centralise all governance evidence for the AI system.


Review Vendor Documents

After documents are uploaded or received, organisations can review the vendor evidence.

Sprinto supports three review approaches.


Option 1: Complete Due Diligence Without Findings

If the vendor meets the required security and governance standards:

  1. Select:

    • Vendor meets necessary security requirements. There are no due diligence findings.

  2. Complete the review.

This closes the due diligence workflow without creating findings.


Option 2: Manually Review Documents and Add Findings

Teams can manually review submitted evidence and record governance observations.

To manually review documents:

  1. Select:

    • Manually review the vendor documents and add findings

  2. Review the uploaded evidence.

  3. Add findings and observations.

  4. Complete the review.

This helps organisations document governance gaps or compliance concerns.


Option 3: Use Sprinto AI to Generate Findings

Sprinto supports AI-assisted due diligence reviews.

To generate AI-assisted findings:

  1. Select:

    • Let Sprinto AI review vendor documents and add findings

  2. Click Generate findings.

Sprinto AI analyses the uploaded documents and surfaces suggested findings.

The generated findings can then be reviewed before completing due diligence.


Complete Due Diligence

After the review is completed:

  1. Click Complete due diligence.

Sprinto:

  • Updates the due diligence status

  • Records the review activity

  • Maintains governance history

  • Stores the associated evidence


Review Due Diligence History

The Due diligence tab also maintains historical review information.

You can review:

  • Due diligence status

  • Review dates

  • Performed by details

  • Document counts

  • Additional review information

This helps organisations maintain audit-ready governance records.


Relationship Between Due Diligence and Risk

AI systems with higher risk scores may require additional due diligence reviews.

Organisations may use due diligence workflows to:

  • Validate vendor security posture

  • Review compliance readiness

  • Assess data protection practices

  • Evaluate governance controls

  • Support management review workflows

Due diligence and risk assessment workflows work together to strengthen AI governance.


AI Governance Best Practices

When performing AI system due diligence:

  • Review governance evidence periodically

  • Request updated certifications when required

  • Maintain audit-ready records

  • Review sensitive data handling practices

  • Use questionnaires for standardised assessments

  • Track unresolved findings and remediation activities

  • Reassess vendors after significant security changes
