advanta

HomeModule LibrarySustaining

Module SUS-01 sigil: Sustaining pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module SUS-01. The Pillar geometry encodes Sustaining (Pillar 8); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SSUS-01
P8· L-E· Bands FoundationalOperationalIntegratedOptimisedDefensible

· SUS-01

Vendor Performance Review Cycle

AI vendor performance degrades silently. The model behind the product gets retrained, the cost structure shifts, the agentic capabilities expand, the compliance posture drifts — and unless the firm runs a structured quarterly review, none of it surfaces until something breaks. The Vendor Performance Review Template scores vendors across five weighted dimensions (output quality, governance posture, cost efficiency, agentic-tier compliance, and Risk Taxonomy 2026 drift) on a quarterly cadence, producing the evidence record that justifies renewal, renegotiation, or exit. Methodology v2026.1.

Operational

·

Quarterly

·

3–4 hours per vendor per quarter once established

Methodology v2026.1·Verified 23 May 2026·Reviewed 23 May 2026

Executive Summary

AI vendor relationships require structured, evidence-based quarterly evaluation to sustain performance, manage compliance obligations, and generate defensible governance records. This Vendor Performance Review Template gives General Counsel and Legal Operations a five-dimension weighted scoring framework covering technical performance, service delivery, compliance and governance, business alignment, and relationship management. It embeds a Metric 0 pre-check to confirm security, policy, and risk register currency before each review, and produces a weighted 1–5.0 vendor rating with SLA and user satisfaction context. A Risk Taxonomy 2026 Class Mapping assesses the vendor’s contribution to all nine risk classes, with explicit handling of Class 6 Shadow AI exposure and escalation to the AI Task Force where rated High. For Level 4 autonomous AI tools, an Agentic Tier Governance Assessment verifies five mandatory controls and blocks production use if any control fails. All completed reviews, SLA dashboards, and governance assessments are retained for 5–7 years as DPS Defensibility lens evidence.

Defensibility Evidence Produced

Produces a structured quarterly record of AI vendor oversight, including weighted performance scores, SLA monitoring, Risk Taxonomy 2026 Class Mapping, Agentic Tier governance checks, risk register updates, and signed approvals, retained for 5–7 years to demonstrate continuous supply chain and compliance governance.

Elements:

Methodology transparencyEvidence framework

Metric 0 Pre-Check

Complete these five gates before every quarterly vendor performance review. If any gate fails, pause and remediate before proceeding.

  • M0.1 — VEN-04 current: Confirm the Security and Compliance Checklist (VEN-04) for this vendor is completed and current for the review period.
  • M0.2 — AI BoM entry current: Confirm the AI Bill of Materials entry for this vendor’s tool(s) is current, including vendor name, function, data access scope, and compliance status.
  • M0.3 — GOV-02 currency: Confirm the AI Use Policy (GOV-02) is current so vendor obligations reflect the latest policy version.
  • M0.4 — GOV-03 vendor entry: Confirm the Risk Register (GOV-03) has a current vendor risk entry that this review will update.
  • M0.5 — STR-07 engagement: Confirm the AI Task Force (STR-07) has been briefed; any vendor risk level High or Critical requires STR-07 escalation before the review is closed.

Record pass/fail for each gate and any remediation notes.

Do not start or complete a quarterly vendor performance review if any Metric 0 gate fails. Treat remediation as a prerequisite, not a follow-on task.

Review Header

Capture the following for each quarterly review:

  • Review Period: Q___ 20___
  • Vendor Name: __________________
  • Solution / Service: __________________
  • Review Date: __________________
  • Reviewer: __________________
  • Internal Sponsor: __________________
  • Vendor Account Manager: __________________

Strategic Importance Classification (select one):

  • Mission Critical
  • High Value
  • Standard Service

Operational Signals

sus-01.quarterly-review-completion

Defensibility Posture Statement

Vendor reviews completed on quarterly cadence — DE-2 Methodology transparency record.

Quarterly

sus-01.performance-drift-detection-rate

Annual Legal AI OS Index

Performance drift events flagged before client impact feeds Annual Index vendor-discipline signal.

Quarterly

sus-01.renewal-decision-evidence-grade

Console

Renewal decisions traceable to evidence record for Console intelligence substrate.

On change

Inputs · Outputs

Inputs

  • · Completed VEN-04 Security and Compliance Checklist for the vendor
  • · Current AI Bill of Materials entry for the vendor’s tools
  • · Current AI Use Policy (GOV-02)
  • · Current vendor risk entry in GOV-03 Risk Register
  • · STR-07 AI Task Force briefings and escalation records
  • · Vendor contracts, SLAs, and DPAs
  • · System uptime, performance, and incident metrics
  • · Support ticket and resolution data
  • · User satisfaction and adoption survey results
  • · Vendor security certifications and audit reports
  • · Regulatory and bar association guidance mappings
  • · Financial and business performance data for ROAI analysis

Outputs

  • · Completed quarterly Vendor Performance Review with weighted 1–5.0 rating
  • · Dimension-level scores and trends for Technical, Service, Compliance, Business, and Relationship performance
  • · Agentic Tier Governance Assessment for Level 4 autonomous AI tools
  • · Risk Taxonomy 2026 Class Mapping table with remediation flags
  • · Updated vendor risk entries in GOV-03 Risk Register
  • · Class 6 Shadow AI vendor contribution assessment and escalation record
  • · SLA compliance dashboard and breach log
  • · Documented action plan with 30-, 90-, 180-day and 12-month commitments
  • · Strategic recommendation on optimisation, expansion, remediation, renegotiation, or replacement
  • · Approval and sign-off record for DPS Defensibility evidence

Framework Crosswalk

NIST AI Risk Management Framework

NIST

Maps vendor risk and control assessments to NIST AI RMF functions, especially Govern and Manage.

ISO/IEC 42001 AI Management System

ISO

Supports ongoing supplier monitoring, risk treatment, and evidence of AI governance controls for vendors.

EU AI Act

European Union

Aligns vendor classification, transparency, and logging obligations with EU AI Act requirements for high-risk and general-purpose AI systems.

ABA Formal Opinion 512

American Bar Association

Addresses confidentiality, competence, and supervision duties when using AI vendors in legal practice.

Operational Artefacts

  • Vendor Performance Review Template (Quarterly)

    xlsx · v2026.1

    Gated
  • Risk Taxonomy 2026 Vendor Mapping Worksheet

    xlsx · v2026.1

    Gated
  • Agentic Tier Governance Assessment Checklist

    checklist · v2026.1

    Gated

Diagnostic Relevance

Running quarterly Vendor Performance Reviews strengthens the Defensibility lens — expected Band progression: Operational → Integrated.

Confidence: high

Key Takeaways

  • Run a Metric 0 pre-check before every quarterly vendor review to confirm security, policy, and risk register currency.

  • Score vendors across five weighted dimensions to produce a defensible 1–5.0 overall rating with SLA context.

  • Apply the Agentic Tier Governance Assessment to any Level 4 autonomous AI tools and block production use if controls fail.

  • Map vendor exposure to all Risk Taxonomy 2026 classes, with explicit escalation for High Class 6 Shadow AI contribution.

  • Retain completed reviews, SLA dashboards, and governance records for 5–7 years as DPS Defensibility evidence.

  • Use the action plan section to define 30-, 90-, 180-day and 12-month improvement and partnership commitments.

  • Align strategic recommendations (optimise, expand, remediate, or replace) directly to the weighted performance results.

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

GC / CLOLegal Operations

Strengthens

Defensibility lensSophistication lens

Module Details

Format
Module
Difficulty
Foundational
Pillar
P8
Owner
General Counsel + Legal Operations
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

FoundationalOperationalIntegratedOptimisedDefensible

Where this Module lives

Vendor Performance Reviews close the loop opened by VEN-01 (Vendor Evaluation Operating Methodology) at procurement. They consume the original VEN-01 evaluation scores as the baseline and feed SUS-04 (Exit Strategy Checklist) when scores fall below the renewal threshold. The Module produces DE-2 (Methodology transparency) and DE-3 (Evidence framework) records into the DPS. Without it, vendor decisions get made on anecdote and budget pressure rather than evidence.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.