Monday, June 8, 2026

Incorporating AI-Targeted Questions into the Vendor Procurement Process

As artificial intelligence becomes embedded in both operational technology (OT) and traditional IT products, procurement teams face a growing challenge: how to evaluate the security, privacy, and risk implications of AI-driven capabilities before purchase. Fortunately, there are established tools designed to make this process more structured and effective, and recent updates make these tools even more valuable.

When procuring products that include artificial intelligence or machine learning capabilities, procurement teams should refer to the AI-specific section of the HECVAT (Higher Education Community Vendor Assessment Toolkit). Originally developed to help higher education institutions assess vendor risk, the HECVAT has evolved to address modern concerns, including those introduced by machine learning and AI-enabled systems.

The HECVAT is distributed as an Excel workbook containing multiple worksheets (tabs). The HECVAT "AI" tab was added in version 4 and provides a structured set of security and privacy questions designed to evaluate how a vendor develops, secures, and manages its AI systems. This includes areas such as data handling, model training, access controls, bias management, transparency, and incident response. The AI tab goes beyond traditional security assessments by asking vendors to disclose how a product uses AI, what data it processes, how models are trained, and what safeguards are in place to prevent misuse or unintended outcomes. This level of insight is especially important when evaluating both OT and IT systems, where AI features may not always be obvious but can introduce significant risk. Examples of AI-enabled features that introduce such risk include the “smart,” “adaptive,” or “intelligent” features on new HVAC devices, security cameras, and door locks. Such systems could track potentially sensitive information, such as user behavior, and upload that data to the cloud for analysis.

Trusted CI has recently updated its Guide to the Use of the Vendor Procurement Matrix. The latest update explicitly references the HECVAT AI tab, reinforcing its importance as part of a comprehensive vendor assessment strategy. By requiring vendors to complete the HECVAT AI tab as part of procurement workflows, especially when using the Trusted CI Vendor Procurement Matrix, organizations can ensure they are asking the right questions at the right time.

Using the HECVAT AI tab helps procurement teams identify risks that may not be covered by traditional security reviews, such as unauthorized model access, exposure of sensitive training data, or weaknesses in third-party AI services. By requiring vendors to complete the HECVAT AI tab, institutions can ensure a more consistent and thorough evaluation of AI-related risks across products.

This capability is particularly relevant in environments where AI is increasingly embedded in critical functions, from predictive maintenance tools in OT systems to AI-powered analytics platforms in IT environments. Understanding these underlying AI components is essential to maintaining security, privacy, and operational integrity.

If you have questions or suggestions on this topic, please contact Trusted CI at help@trustedci.org.