Vendor Risk Management uses Vanta AI to extract insights about vendors in security reviews. You can configure the default questions the AI asks on the settings page.
Best practices
| Best practice | Examples |
|---|---|
| Do include the vendor's name in your questions. Including the vendor's name via the `{Vendor}` placeholder improves answer quality and relevance. | "What is {Vendor}'s vulnerability management policy?" |
| Do ask about general security practices. Vanta AI excels at summarizing security practices, so don't hesitate to ask broad questions that require analyzing many facts. | "What procedures does {Vendor} have in place for data encryption?"<br>"What data does {Vendor} collect?" |
| Do dig into the details. Vanta AI can also process tables and other semantic information to answer questions about specific facts. | "What exceptions were found in the latest audit?"<br>"Does {Vendor} support MFA?" |
| Ask questions that span documents. Vanta AI can draw insights across all documents uploaded to a security review, so don't hesitate to ask questions that refer to the contents of SOC 2 reports, penetration test reports, and more. | "What vulnerability scanning practices were found in {Vendor}'s documents?" |
| Avoid subjective questions. Steer clear of questions that ask the AI to make subjective, hard-to-verify judgments. | "Is the vendor's security infrastructure reliable?" |
| Avoid copying and pasting your questionnaire. Avoid simply inputting the questions you send directly to the vendor; these tend to ask for multiple data points with yes/no responses. The more anonymized and open-ended, the better! | "Does [my company] have a DPA in place with you?" |
| Avoid asking yes/no or binary questions. Vanta AI performs best when asked open-ended questions. | Instead of "Does {Vendor} expire sessions after seven days?", try "How long is {Vendor}'s session timeout?" |