
Module SUS-01: Sustaining pillar (Pillar 8), Strategy layer, maturity bands 1 to 3.


Vendor Performance Review Template

Evaluate AI vendor performance quarterly across five weighted dimensions with Risk Taxonomy 2026 mapping and Agentic Tier governance checks.

Module · Foundational · Quarterly · Adoption lens · Defensibility lens

Audience

GC / CLO · Legal Operations

3–4 hours per vendor per quarter once established

Executive Summary

AI vendor relationships require structured, evidence-based quarterly evaluation to sustain performance, manage compliance obligations, and generate defensible governance records. This Vendor Performance Review Template gives General Counsel and Legal Operations a five-dimension weighted scoring framework covering technical performance, service delivery, compliance and governance, business alignment, and relationship management. It embeds a Metric 0 pre-check to confirm security, policy, and risk register currency before each review, and produces a weighted 1–5.0 vendor rating with SLA and user satisfaction context. A Risk Taxonomy 2026 Class Mapping assesses the vendor’s contribution to all nine risk classes, with explicit handling of Class 6 Shadow AI exposure and escalation to the AI Task Force where rated High. For Level 4 autonomous AI tools, an Agentic Tier Governance Assessment verifies five mandatory controls and blocks production use if any control fails. All completed reviews, SLA dashboards, and governance assessments are retained for 5–7 years as DPS Defensibility lens evidence.

Metric 0 Pre-Check

Complete these five gates before every quarterly vendor performance review. If any gate fails, pause and remediate before proceeding.

  • M0.1 — VEN-04 current: Confirm the Security and Compliance Checklist (VEN-04) for this vendor is completed and current for the review period.
  • M0.2 — AI BoM entry current: Confirm the AI Bill of Materials entry for this vendor’s tool(s) is current, including vendor name, function, data access scope, and compliance status.
  • M0.3 — GOV-02 currency: Confirm the AI Use Policy (GOV-02) is current so vendor obligations reflect the latest policy version.
  • M0.4 — GOV-03 vendor entry: Confirm the Risk Register (GOV-03) has a current vendor risk entry that this review will update.
  • M0.5 — STR-07 engagement: Confirm the AI Task Force (STR-07) has been briefed; any vendor risk level High or Critical requires STR-07 escalation before the review is closed.

Record pass/fail for each gate and any remediation notes.

Do not start or complete a quarterly vendor performance review if any Metric 0 gate fails. Treat remediation as a prerequisite, not a follow-on task.

Review Header

Capture the following for each quarterly review:

  • Review Period: Q___ 20___
  • Vendor Name: __________________
  • Solution / Service: __________________
  • Review Date: __________________
  • Reviewer: __________________
  • Internal Sponsor: __________________
  • Vendor Account Manager: __________________

Strategic Importance Classification (select one):

  • Mission Critical
  • High Value
  • Standard Service

Defensibility Evidence

Produces a structured quarterly record of AI vendor oversight, including weighted performance scores, SLA monitoring, Risk Taxonomy 2026 Class Mapping, Agentic Tier governance checks, risk register updates, and signed approvals, retained for 5–7 years to demonstrate continuous supply chain and compliance governance.

Operational Artefacts

  • Vendor Performance Review Template (Quarterly): xlsx · v2026.1 · Gated
  • Risk Taxonomy 2026 Vendor Mapping Worksheet: xlsx · v2026.1 · Gated
  • Agentic Tier Governance Assessment Checklist: checklist · v2026.1 · Gated

Framework Crosswalk

NIST AI Risk Management Framework

NIST

Maps vendor risk and control assessments to NIST AI RMF functions, especially Govern and Manage.

ISO/IEC 42001 AI Management System

ISO

Supports ongoing supplier monitoring, risk treatment, and evidence of AI governance controls for vendors.

EU AI Act

European Union

Aligns vendor classification, transparency, and logging obligations with EU AI Act requirements for high-risk and general-purpose AI systems.

ABA Formal Opinion 512

American Bar Association

Addresses confidentiality, competence, and supervision duties when using AI vendors in legal practice.

Operational Details

Inputs

  • Completed VEN-04 Security and Compliance Checklist for the vendor
  • Current AI Bill of Materials entry for the vendor’s tools
  • Current AI Use Policy (GOV-02)
  • Current vendor risk entry in GOV-03 Risk Register
  • STR-07 AI Task Force briefings and escalation records
  • Vendor contracts, SLAs, and DPAs
  • System uptime, performance, and incident metrics
  • Support ticket and resolution data
  • User satisfaction and adoption survey results
  • Vendor security certifications and audit reports
  • Regulatory and bar association guidance mappings
  • Financial and business performance data for ROAI analysis

Outputs

  • Completed quarterly Vendor Performance Review with weighted 1–5.0 rating
  • Dimension-level scores and trends for Technical, Service, Compliance, Business, and Relationship performance
  • Agentic Tier Governance Assessment for Level 4 autonomous AI tools
  • Risk Taxonomy 2026 Class Mapping table with remediation flags
  • Updated vendor risk entries in GOV-03 Risk Register
  • Class 6 Shadow AI vendor contribution assessment and escalation record
  • SLA compliance dashboard and breach log
  • Documented action plan with 30-, 90-, 180-day and 12-month commitments
  • Strategic recommendation on optimisation, expansion, remediation, renegotiation, or replacement
  • Approval and sign-off record for DPS Defensibility evidence

Owner

General Counsel + Legal Operations

Telemetry & Observability

Telemetry-ready

Key Takeaways

  • Run a Metric 0 pre-check before every quarterly vendor review to confirm security, policy, and risk register currency.

  • Score vendors across five weighted dimensions to produce a defensible 1–5.0 overall rating with SLA context.

  • Apply the Agentic Tier Governance Assessment to any Level 4 autonomous AI tools and block production use if controls fail.

  • Map vendor exposure to all Risk Taxonomy 2026 classes, with explicit escalation for High Class 6 Shadow AI contribution.

  • Retain completed reviews, SLA dashboards, and governance records for 5–7 years as DPS Defensibility evidence.

  • Use the action plan section to define 30-, 90-, 180-day and 12-month improvement and partnership commitments.

  • Align strategic recommendations (optimise, expand, remediate, or replace) directly to the weighted performance results.

Get This Module

This module is available as part of an Advanta Advisory engagement.


Module Details

Type

Pillar

P8

Duration

3–4 hours per vendor per quarter once established

Advisory

Yes

Access

Member access

Certification

Practitioner

Maturity Bands

Foundational · Operational · Integrated · Optimised · Defensible

Available Through

Governance

Methodology: v2026.1
Last reviewed: 23 May 2026
Verified: 23 May 2026
