Best Practices for Using AI in Security Reviews

Vendor Risk Management uses Vanta AI to extract insights about vendors in security reviews. You can configure the default questions the AI asks on the settings page.

Screenshot 2025-01-06 at 3.28.00 pm.png

 

Best practices

Best practice Examples
Do include the vendor's name in your questions
Including the vendor's name using the { Vendor } placeholder improves answer quality and relevance
"What is { Vendor } 's vulnerability management policy?"

Do ask about general security practices

Vanta AI excels at summarizing security. Don't hesitate to ask broad questions that require analyzing many facts.

"What procedures does {Vendor} have in place for data encryption?"


"What data does {Vendor} collect?"

Do dig into the details

Vanta AI can also process tables and other semantic information to answer specific facts.

"What exceptions were found in the latest audit?"


"Does {Vendor} support MFA?"

Ask questions that span documents

Vanta AI can draw insights across all documents uploaded to a security review, so don't hesitate to ask questions that refer to the contents of SOC 2s, penetration tests, and more.

"What vulnerability scanning practices were found in the {Vendor} 's documents?"

Avoid subjective questions

Steer clear of questions that ask the AI to make subjective, hard-to-verify judgments.

"Is the vendor's security infrastructure reliable?"

Avoid copying and pasting your questionnaire

Avoid simply inputting the questions you send directly to the vendor. These tend to ask for multiple data points with yes/no responses. The more anonymized and open-ended, the better! 

"Does [my company] have a DPA in place with you?"

Avoid asking yes/no or binary questions

Vanta AI performs best when asked open-ended questions

Instead of "Does { Vendor } expire sessions after seven days?"

 

Try "How long is 

{ Vendor } 's session timeout?"





Updated