AI API Vendor Security Assessment: The Checklist That Goes Beyond Certifications
The Certification Checkbox Won't Save You
Before connecting to GPT-5.5, Claude Opus 4, or DeepSeek V3, most enterprise security teams follow the same ritual: request a SOC 2 Type II report, verify the ISO 27001 certificate, mark both boxes green, and move on.
The problem is what those two documents actually cover. SOC 2 and ISO 27001 describe a vendor's internal information security management system — their office access controls, their change management process, their HR policies. They say nothing about what specifically happens to your data during model inference. That gap is where AI API vendor security assessments get complicated, and where most teams underinvest.
Here's what to look at instead.
Three Data Questions to Ask Before You Look at Anything Else
The audit scope for SOC 2 and ISO 27001 is the vendor's infrastructure and internal controls. Neither standard requires vendors to disclose whether your prompts feed their next training run, which regional node processes your inference requests, or whether their engineers can read your request payloads.
Start with the vendor's Data Processing Agreement (DPA) and Terms of Service, and read these specific clauses:
Training data opt-out. OpenAI's API terms default to excluding API calls from training data, but you need to confirm you haven't opted into anything that overrides that. Anthropic makes the same promise for API customers, but it only becomes contractually binding after you sign a DPA — a verbal assurance doesn't count. For vendors like DeepSeek or Qwen, the training data language in their terms tends to be vague. Get written clarification before you proceed.
Data residency. GDPR prohibits cross-border transfer of personal data without appropriate safeguards. Ask whether the vendor supports locking inference to a specific region (EU-West, for example) and require that to be fixed in the contract — not just set via a dashboard dropdown that they can change later.
Retention periods. How long do they keep request logs, inference payloads, and model outputs? Most major vendors default to 30 days. Many will negotiate zero-retention for enterprise customers. Whatever the number is, get it in the contract as an exhibit, not buried in a help article.
Audit Logs: Your Visibility Determines Your Accountability
Every serious vendor offers audit logs. The quality gap between them is enormous. Before you commit, ask for a sample log and check which fields are actually populated:
| Field | Minimum | Recommended |
|---|---|---|
| Request timestamp | Second-level precision | Millisecond, with timezone |
| Caller identity | API Key ID | API Key ID + IP + User-Agent |
| Model version | Model name | Model name + version hash |
| Token usage | Total | Input/output split |
| Response status | Present | Present, with error classification |
| Request content | Not logged (privacy) | Optional, encrypted at rest |
The critical question is whether logs can be exported to your own SIEM. A vendor that supports webhook push or S3 export is meaningfully more auditable than one that only lets you query through their dashboard. Also confirm log immutability — ideally, vendor employees can't delete logs after they're written. Some vendors offer log signing to prove integrity; that's a meaningful signal of maturity.
Employee Access: The Question Nobody Asks
A lot of security teams skip this one entirely: can the vendor's engineers access your inference requests? This isn't a theoretical attack surface. Internal data exposure via privileged employees is a real incident pattern.
Ask for written answers to these three questions:
- Does accessing production data require a ticket-based approval workflow? Are those approval records in scope for the SOC 2 audit?
- Does the vendor use Just-in-Time (JIT) access — temporary grants rather than standing permissions?
- Are employees with production system access subject to background checks, and under what standard?
OpenAI and Anthropic both include a Trust & Safety Addendum in enterprise contracts that spells out employee access restrictions. For domestic Chinese vendors like Zhipu AI (GLM series), you can request their Level 3 Classified Protection certification (GB/T 22239) as the equivalent compliance baseline for access controls.
Model Integrity and Supply Chain Risk
This is a relatively new evaluation dimension, but it's real: are the model weights you're calling at risk of poisoning or silent substitution?
Three concrete checks:
Version locking. Can you specify an exact model version in your API calls (like claude-opus-4-20260501) rather than a floating alias like claude-latest? Floating aliases mean the vendor can swap the underlying model without telling you.
Public changelogs. Does the vendor maintain a public changelog that records when models are updated and what changed? Anthropic's model version page is reasonably well-maintained. For OpenAI, you can verify the actual model served by checking the openai-model response header.
Third-party aggregators. If you're calling through an aggregation platform rather than the original model provider, confirm where the weights actually come from and whether the platform performs integrity verification (hash comparison against official releases). This matters more than most teams realize.
12 Questions to Ask Every Vendor Before You Sign
Use this directly in your security assessment meetings:
- Are API calls used to train models? What's the default, and how do I turn it off?
- Is a DPA available, and which jurisdiction's law governs it?
- Can I specify and contractually fix a data residency region for inference?
- How long are request logs retained? Can retention be set to zero?
- Can audit logs be exported to a SIEM (Splunk, Datadog, etc.)?
- Does employee access to production data require approval? Where are those records?
- Is exact model version locking supported — no floating aliases?
- What's the audit period covered by the SOC 2 Type II report, and when was it last completed?
- Is there a bug bounty program? Does it cover API endpoints?
- What's the SLA for notifying enterprise customers after a data breach, in hours?
- Do you support IP allowlists or VPC peering to reduce network exposure?
- If you're an aggregator, how do you verify the integrity and provenance of upstream model weights?
The Real Standard to Hold Vendors To
Having spent a lot of time on this topic, the most consistent mistake I see enterprise teams make is treating certifications as sufficient rather than necessary. SOC 2 and ISO 27001 tell you a vendor has baseline security hygiene. They don't tell you whether your data is safe in the specific way AI API usage creates risk.
Work through the questions above before you commit. The vendors who can answer them clearly — in writing, in your contract — are the ones worth trusting with production workloads.
If your team is evaluating multiple LLM providers simultaneously and wants a single audited layer rather than managing a dozen separate API keys, I've been using XycAi. It holds a licensed LLM algorithm filing with compliant invoicing, covers 200+ global models including GPT and Claude at a fraction of list price, and supports one-command setup for Claude Code, Codex, and Gemini CLI. For security teams that need unified audit coverage across providers, having one compliant intermediary is considerably easier to govern than the alternative.
One API for 200+ global AI models
GPT · Claude · Gemini official models from 14% of list price. Licensed LLM filing, CN2 direct connect at ~5ms, compliant global invoicing.
Try XycAi →