Your AI vendor just got a letter. The SEC wants to see how they're supervising the algorithms behind their product. Or an EU authority is asking for conformity documentation on a high-risk use case. Or your own internal audit is asking you to prove that the vendor you use for resume screening meets the same compliance bar you've promised your board. Suddenly you need to show that your vendor's obligations flowed down to you, and that you had a right to verify they did. The contract is where that story gets told. Often it isn't.
The Moment It Stops Being "Their" Problem
When a regulator or examiner looks at an AI vendor, they don't stop at the vendor's door. If you're the deployer (the enterprise that put that AI into production for hiring, credit, underwriting, or any high-stakes use), you're in the chain. The EU AI Act makes deployers responsible for using systems in line with provider instructions, ensuring human oversight, monitoring operation, and reporting serious incidents. The SEC's 2026 exam priorities tie AI to whether your representations match reality and whether you have controls to monitor AI use. In both cases, "we use a vendor" doesn't excuse you. You're expected to have done due diligence, to have required the right things in the contract, and to have a way to verify that the vendor actually did them. When the vendor gets audited, the next question is: what did you do to ensure their compliance, and what can you show?
Flow-down is where that bites. Compliance obligations don't vanish because a third party runs the model. They flow through the supply chain. The contract is the mechanism. If it doesn't say the vendor will comply with the EU AI Act, maintain audit logs, give you notice of material model changes, or submit to your (or your auditor's) review, then when someone asks you for evidence, you don't have a contractual hook to pull. You have a handshake and a hope.
What "Flow-Down" Actually Means
Flow-down is the idea that obligations you have to your customers, your regulator, or your own policies get passed to the vendor in the contract. You're not just buying a black box. You're buying a service that must meet specific compliance conditions so that you can meet yours. Classic examples from data protection are already familiar: the vendor signs a DPA that mirrors your obligations to data subjects; they don't use customer data for training without explicit permission; they notify you of breaches within a defined window; they allow audits or provide SOC 2 (or equivalent) so you can demonstrate control. For AI, the same logic applies, but the clauses are newer and often missing.
Audit and inspection rights: Can you or your auditor verify that the vendor's AI controls exist and work? Many standard SaaS agreements allow an annual audit with notice, or the right to rely on the vendor's SOC 2 Type II. For AI, that's a start but often not enough. You may need to verify model documentation, change logs, bias testing, or incident response for AI-specific events. If the contract only gives you a generic "security" audit right and the vendor refuses to share model cards or training-data attestations, you're stuck. When your auditor or regulator asks how you verified the vendor's AI governance, "they wouldn't give us that" isn't a good answer. The time to get audit rights that explicitly cover AI controls, model lifecycle, and data use is at contract negotiation, before the vendor is under scrutiny.
Certifications and warranties: Does the vendor warrant that its AI system complies with applicable law (e.g., the EU AI Act for high-risk use in the EU) or that it won't use your data for training? Surveys of AI vendor contracts show that only a minority warrant regulatory compliance; many more impose broad liability caps and disclaim compliance responsibility. You're the deployer with legal obligations, but the contract doesn't say the vendor will meet the provider-side requirements that make your deployer position defensible. When the vendor gets audited and gaps are found, you're the one explaining to your regulator or board why you didn't have a warranty, or a right to see the conformity documentation, in the first place.
Breach and incident notification: If the vendor has an AI incident (bias discovered in production, a prompt-injection breach, a material model change that affects outputs), how quickly do they have to tell you? Your own incident response and regulatory reporting often depend on it. If the contract is silent or gives the vendor 30 days, and your regime requires you to report within 72 hours, the flow-down is broken. You need notification terms that match your obligations and that explicitly cover AI-related incidents, not just "security" breaches.
Subprocessors and the chain: Your vendor may use another provider for models, APIs, or infrastructure. Your obligation to know who touches your data and how they handle it doesn't end at the first vendor. Under the EU AI Act and under many data-protection frameworks, you need visibility into the chain and assurance that the same rules flow down. If your contract doesn't require the vendor to bind subprocessors to equivalent AI and data obligations, and to give you a list and updates, you can't demonstrate that the flow-down is complete. When the vendor gets audited, the auditor may look at their subprocessors; if those aren't covered by your contract, you're left with a gap.
The Asymmetry Most Contracts Lock In
Here's the uncomfortable pattern. Vendors routinely cap their liability, disclaim compliance warranties, and reserve broad rights to use data (including for model improvement) unless you negotiate otherwise. At the same time, regulators and courts are increasingly holding operators and deployers accountable: for discriminatory outcomes, for misleading AI claims, for inadequate oversight. You're contractually left holding risk the vendor won't take, while the law and your auditors expect you to have controlled that risk through your vendor relationship. The vendor gets audited; you're the one who needs to show you did due diligence and had a right to verify. If the contract didn't give you that, you're in a liability squeeze.
That doesn't mean every enterprise can force every vendor to accept full compliance warranties and uncapped liability. It does mean you should treat AI vendor contracts as a compliance mechanism, not just a commercial one. Negotiate for: explicit audit rights that cover AI controls and model lifecycle; warranties (or at least covenants) that the vendor will comply with specified regimes (e.g., EU AI Act) for the use case you're buying; clear, short notification windows for AI-related incidents; and flow-down to subprocessors with a right to object or to see equivalent terms. Where the vendor won't warrant compliance, get a right to receive and rely on their conformity or audit reports so you can show your own diligence. Document what you asked for, what you got, and how you use it in your governance. When the vendor gets audited, that documentation is your story.
When the Audit Letter Arrives
Suppose the letter does arrive, at the vendor or at you. The regulator or your internal audit wants to know how you ensure that the AI you use meets legal and policy requirements. Your response depends on what you have in place today. Can you point to contract clauses that require the vendor to comply with the relevant regime and to give you evidence? Do you have audit rights you've actually exercised, or at least a right to receive SOC 2 and any AI-specific attestations? Have you done periodic due diligence and kept a record? If yes, you can show that compliance obligations flowed down and that you verified (or had a right to verify) performance. If no, you're explaining why your main control was "we picked a reputable vendor" and why the contract doesn't reflect the obligations you're now being asked to meet.
Don't panic. Treat the contract as the place where downstream compliance obligations are defined and enforced. When your AI vendor gets audited, the question will be whether your contracts gave you the right to require and verify their compliance. If they didn't, fix the next renewal. If they did, make sure you're actually using those rights and keeping the evidence your own auditors will ask for.
We help with AI governance, vendor due diligence, and contract review so flow-down matches your compliance obligations. Get in touch.