AI & vendor risk playbook | NIST CSF 2.0 aligned

Your AI vendors move fast. Your approval process needs to keep up.

AI tools train on your data, change their models without notice, and route sensitive information through infrastructure you never reviewed. The Playbook gives your team a structured, AI-specific approval workflow built on NIST CSF 2.0 - from first request through to a complete, auditable approval record.

Saves 20 - 40 hours · NIST CSF 2.0 aligned · Built for Australian risk workflows
TECHTONIC TRUST

AI & Vendor Risk Playbook

Workflow guide, intake form, evidence review, decision workbook, approval brief and lifecycle checklist - with diagrams, decision gates and editable Office formats.

Illustration: Intake · Evidence · Decide · Monitor
AI Tool Register: vendor · tier · conditions · review date
Approval Brief: approve with conditions · evidence basis
  • 18 editable documents & workbooks
  • 33 evidence review questions
  • 12 NIST CSF 2.0 domains
  • 20 - 40 hrs saved versus building from scratch

The problem

Vendor approvals by email leave no evidence trail when things go wrong.

Vendor integrations and AI tools create real exposure: client data, confidential contracts, financial details, personal information and credentials. Without a structured process, approvals are informal, conditions are forgotten, and no one can demonstrate due diligence. The question is not whether to approve them - it is whether you can prove you did it properly.

Undocumented approvals

Approvals through chat or email leave no auditable record of what was considered, who decided, or what conditions were set.

No evidence standard

Without a framework, assessments rely on opinion. Hard to demonstrate due diligence during audits, incidents, or regulatory reviews.

AI risk is different

Generic vendor questionnaires miss AI-specific controls: model training on your data, feature changes, automated decisions, and output handling.

Frameworks are too heavy

Enterprise GRC platforms are excessive for most approval workflows. Building from scratch takes weeks. The Playbook gives you the structure without the overhead.

The workflow

One complete approval workflow. A documented record at every stage.

The Playbook gives you the complete path: capture the request, assess the risk, collect evidence, make a documented approval decision, review the contract, and maintain control after go-live.

Audit-supporting evidence - approval records, risk registers and review trails that support internal assurance and audit preparation.

Due-diligence records - document the review steps taken before approval, so decisions are easier to explain later.

Privacy accountability - demonstrate each vendor was assessed before personal information was shared.

Client security reviews - answer "how do you approve vendors and AI tools?" with a documented approval workflow, not a vague promise.

Illustration: AI & Vendor Risk Framework (SMB · Enterprise · Consultant) showing the evidence trail across Governance & Compliance, Risk Assessment & Controls (vendor profile, risk score, data & privacy, evidence capture) and the Approval Record, mapped to Privacy Act · Essential Eight · ISO 27001 · NIST CSF.
Request

Capture vendor and AI tool requests through one structured intake.

Assess

Apply a structured decision-support workbook, then review evidence confidence, red flags and approval conditions.

Decide

Issue a formal approval record with conditions and sign-off.

Control

Track conditions, registers and review dates after go-live.

What's inside

One complete toolkit. 18 editable documents and workbooks.

A full third-party and AI risk program with questionnaire, policy, standard, agreements, board briefing, incident reporting, workbooks and an overview guide. Ready to use from day one.

Evidence & Security Review Questionnaire

33 questions across 12 domains mapped to NIST CSF 2.0 and CSA CAIQ.

Covers AI-specific controls (model training, output handling, feature-change risk) alongside identity, data protection, supply chain and sovereignty.

Third-Party Risk Policy & Security Standard

A board-ready third-party risk policy plus a vendor security requirements standard - baseline and enhanced controls by risk tier, ready to adopt as your own.

Data Processing Agreement & AI/SaaS Addendum

A DPA template with Australian Privacy Principle and subprocessor clauses, plus an AI & SaaS addendum for model training, data-use and output-handling terms.

Executive Board Briefing

The Australian threat landscape, named incidents, regulatory obligations and the ten questions every board should ask management - ready to present.

Cyber Incident Reporting Template

A first-response reporting form aligned to ACSC triage questions and incident-response workflow, covering summary, scope, impact, notifications, evidence and sign-off.

Assessment Report & Risk Workbooks

A sign-off-ready assessment report, a Vendor Trust Index scoring matrix, a live risk register, and on/offboarding trackers - four editable Excel workbooks with dashboards.

AI Agent & Vulnerability Tools

An AI Agent & Coding-Tool Risk Review (register + checklist) and an Emergency Vendor Vulnerability Attestation for fast CVE/KEV exposure checks — built for 2026 realities.

Outreach, Evidence & Customisation

Ready-to-send vendor outreach emails, an evidence-request checklist with ISO/SOC interpretation guidance, and a customisation guide to rebrand the whole pack.

Overview Guide

An 8-page PDF that explains the whole approach - VTI scoring, data impact levels, the vendor lifecycle and board questions simplified.

Built in Melbourne by cybersecurity practitioners working in regulated environments. The playbook draws on operational governance, vendor risk, and AI adoption experience across SMB and enterprise settings.

What this replaces

  • A$10k–20k: Big 4 advisory firm to design this process
  • A$2k–10k/yr: Enterprise GRC platform — content not included
  • 20–40 hours: Building this from scratch internally
  • A$249.99: The complete toolkit, once-off

Questionnaire depth

33 questions. 12 domains. Built for AI and cloud vendors.

The Evidence & Security Review Questionnaire maps every question to NIST CSF 2.0 and CSA CAIQ — the same frameworks used by enterprise security teams and Big 4 advisors. Each domain covers the controls that matter for AI tools, SaaS platforms, and third-party integrations.

  • Governance & Accountability: GV.OC, GV.RR
  • Asset & Data Classification: ID.AM
  • Identity & Access Management: PR.AA
  • Data Protection & Encryption: PR.DS
  • AI-Specific Controls: AI RMF: MAP
  • Vulnerability Management: PR.PS, ID.RA
  • Security Monitoring & Detection: DE.CM, DE.AE
  • Incident Response & Breach: RS.MA, RS.CO
  • Business Continuity & DR: RC.RP
  • Supply Chain & Fourth-Party: GV.SC, ID.SC
  • Contractual Terms & Audit Rights: GV.RR
  • Data Sovereignty & Transfers: GV.OC

Every question ships in an editable Microsoft Word document, with evidence columns, confidence ratings and follow-up fields for each row.


What's inside

One workflow, from first request to documented approval.

A complete, editable toolkit built for real vendor and AI governance work — ready to adapt to your organisation's standards and brand.

Illustrative workflow map

From request to documented approval record

Intake → Triage → Evidence → Decision → Operate → Offboard

What the record captures

Vendor purpose · data touched · evidence gaps
Approval conditions · owner · sign-off · review date

Framework alignment

Respected frameworks translated into practical vendor-review evidence and decisions.

  • Essential Eight: ACSC control mapping
  • NIST CSF: Govern · Identify · Protect
  • Privacy Act / APP: NDB-aligned review points
  • ISO 27001: Control reference points

Assess with confidence

Workflow guide, vendor intake form, evidence & security review questionnaire, risk triage workbook with dashboard, approval decision brief, vendor risk assessment report, review & offboarding checklist — seven core workflow artefacts, all editable Office format.

Score and track consistently

The decision workbook keeps vendor inputs, AI/tool registers, risk summaries, remediation actions and dashboard charts in one editable Excel asset.

Brief the board in minutes

The approval decision brief converts assessment work into a manager-ready record: recommendation, evidence basis, conditions, owner and sign-off.

Consultant path

Turn ad hoc vendor-review questions into defined, billable advisory work.

Use one review structure across client engagements so your scoping, evidence requests, decision records and handoff points stay consistent — while delivery stays faster and easier to package.

Create a service clients can understand and buy

Turn messy vendor-review questions into a defined piece of advisory work with a clear scope, process and deliverable.

Show exactly where your work ends

Show what you reviewed, what sits outside scope, and where specialist advice is still required — protecting you and your client.

Deliver faster without rethinking every engagement

A repeatable structure instead of rebuilding from scratch each time. Consistent quality, faster turnaround.

Frameworks & alignment

Built on recognised security and privacy frameworks. Translated into practical review steps.

Every template, question and checklist maps to a framework you already know or audit against. No need to translate between your obligations and the review process.

NIST Cybersecurity Framework (CSF 2.0)

Evidence review questions map to Govern, Identify, Protect, Detect, Respond and Recover functions. Each question includes the CSF function and category reference so you can trace the control basis.

Essential Eight (ACSC)

Application controls, patching, MFA and backup posture are assessed against ACSC maturity indicators. Decision records flag where a finding relates to Essential Eight strategies.

ISO/IEC 27001

Control reference points from Annex A help map evidence requests to a recognised information security framework. Useful when a vendor claims ISO certification and you need to verify scope.

Australian Privacy Principles (Privacy Act)

Data-processing, consent, disclosure and cross-border transfer questions align with APP obligations. Notifiable Data Breach (NDB) review points are embedded in the incident-response checklist.

What this means for you: When you use the Playbook, the framework basis is visible in every review. You are not expected to be a framework expert — every question, rating and decision record includes enough context to stand behind the assessment.


Pricing

The complete process for $249.99. Consultant licence at $899.

What a Big 4 advisory firm charges $10,000-$20,000 to design - as a complete, working toolkit at an accessible entry price. No subscription, no platform lock-in, no ongoing fees.

Free sample

$0

See the approach before you buy.

  • Free AI & Vendor Risk overview guide (PDF)
  • VTI scoring, data impact, board questions, all explained
  • Guided decision generator (online)

Consultant / Advisor Licence

$899AUD

Use the complete Playbook across client engagements. Includes the core pack plus consultant-specific add-ons for scoping, delivery and client handoff.

  • Everything in the core Playbook
  • Multi-client engagement licence
  • Consultant delivery playbook and scoping worksheet
  • Client handoff report template
  • Scope-boundary and escalation language
  • Priority email support

Multi-client use licence. Completed client deliverables may be handed off; blank master templates may not be resold or redistributed.

FAQ

Clear answers before you buy.

Who is the Playbook for?

Anyone responsible for approving AI tools or SaaS vendors and standing behind that decision later — IT and security managers, risk and compliance leads, operations owners in small businesses, and consultants delivering vendor risk work for clients. You do not need a dedicated risk team to run a structured review process.

Do I need to be a security expert to use it?

No. The Playbook is written in clear, professional language and structured so the person who owns approvals can run the process end to end. Where a decision genuinely needs specialist input — legal review, privacy advice, deep technical assessment — it tells you so, instead of letting you discover that during an incident.

Will this help us prepare for audits or assurance reviews?

Yes — it helps organise common audit-supporting artefacts: a third-party risk policy, completed vendor assessments with scores and rationale, a live risk register with review dates, approval records, and data-processing/agreement starting points for legal review. It uses ISO 27001, Essential Eight, NIST CSF and Australian privacy reference points, but it is not a certification, audit opinion, or compliance guarantee.

How does this compare to hiring a consultant or buying a GRC platform?

A consultant designing this process for you is an engagement measured in weeks and thousands of dollars. GRC platforms are ongoing subscriptions built for large teams, and you still have to design the assessment content yourself. The Playbook sits in between: the complete working approval process, ready on day one, for the price of an hour of consulting — and if you later grow into a platform, everything you've documented moves with you.

We're not in Australia — does it still apply?

Yes. It's built around Australian frameworks (Privacy Act, ACSC Essential Eight, NDB Scheme) because that's where the depth matters most, but the workflow, questionnaire domains and decision logic are jurisdiction-neutral. The Customisation Guide shows where to swap regulatory references for your own country.

Can we adapt it to our organisation and brand?

Completely. Every resource is in fully editable Microsoft Office format — no locked PDFs, no viewer app, no licence keys. Put your organisation's name on everything, adjust the wording to your risk appetite, and reuse it across every vendor review you run.

Can consultants use this with clients?

Yes — the Consultant / Advisor Licence (A$899) covers use across multiple client engagements. It includes everything in the core Playbook plus a delivery playbook, scoping worksheet, client handoff report template, scope-boundary language and priority email support. Completed client-specific deliverables may be handed off to clients; blank master templates may not be resold or redistributed. Email hello@techtonictrust.com.au to enquire.

AI & Vendor Risk Playbook

Every vendor approval, properly documented. First request through to board sign-off.

Once-off payment. No subscription. The complete premium playbook delivered after checkout. Editable Office files, preview PDF, manifest and internal-use licence included.