
As hospitals accelerate their adoption of AI tools, governance committees face an overwhelming challenge: how to efficiently, consistently, and responsibly assess the true risk and benefit of each AI vendor’s Use Case.
Most teams already have InfoSec and Privacy reviews in place. But AI is different — it’s not just about network vulnerability or PHI exposure. AI tools touch clinical decisions, population equity, regulatory compliance and financial risk. The stakes are higher. The risk vectors are more complex.
Onboard AI has been fortunate to work with healthcare organizations ranging from small community hospitals to large multi-state hospital systems. In most cases, the Onboard AI team has found distinct gaps in the questionnaires in use. Constructing and consistently leveraging a comprehensive, holistic and broad set of AI Risk controls is critical to establishing a baseline AI Governance program.
In this post, we’ll walk through:
From Jared Augenstein, Senior Managing Director at Manatt Health

In my work advising health systems on AI strategy and procurement, my experience is that most AI vendor reviews break down long before the RFP is signed. Teams cast a wide net, then slog through unstructured notes, ad-hoc demos, and one-off questionnaires—guaranteeing inconsistent results. The wrong tools slip into the funnel while the right ones get stalled, simply because there’s no disciplined triage early in the assessment flow. Even when the right vendors make it through, reviewers ask different questions in different orders—or skip entire domains—so the “findings” reflect who happened to be in the room, not how the product actually performs.
Onboard AI flips that script. It automates rigorous, front-loaded triage so only the right tools enter the deep-dive, then drives every review with the same, targeted prompts—so results are comparable by design. Critical domains aren’t forgotten: bias and safety, ROI and time-to-value, post-deployment behavior (drift, monitoring, support) are built into the workflow. Committees stop chasing answers over email threads; Onboard captures evidence once and shares it everywhere. The outcome isn’t just a list of problems—it’s prescriptive: where a vendor falls short, Onboard proposes actionable mitigations or alternatives, turning evaluation from passive scoring into a repeatable path to a safer, higher-ROI decision.
Without clear vendor expectations, the burden falls on the committee to interpret incomplete responses, hunt down missing evidence, and define the risk and benefit manually. Without clearly laid out steps and requirements, that work ends up falling on you.
A robust AI risk assessment doesn’t just check boxes — it covers the full risk landscape and drives better decision-making. A good framework includes the following domains:

This list isn’t a “yes/no” exercise — it’s a lens through which to view and triage vendor risk consistently and meaningfully.
No AI tool is risk-free. A good assessment surfaces which risks are present, how to manage them, and what it would mean to move forward with deploying this AI tool into the real world. The question is whether your organization is willing to accept those risks and mitigate them operationally.
Example: A vendor has not undergone real-world bias and fairness testing, but the vendor agrees to complete one within 6 months and limits use to decision support only. A contract clause ensures compliance milestones are met before broader deployment.
Example: The tool lacks subgroup performance reporting. The hospital commits to conducting an internal fairness audit before system-wide rollout.
The point is not to block innovation — it’s to manage risk intelligently and transparently. As one hospital system CIO put it,
“Just because there’s a human-in-the-loop doesn’t mean the risk is mitigated. It just means you’ve shifted all the liability from the vendor to your own providers.”
A questionnaire is a discovery tool. It asks open-ended or binary questions such as “Do you evaluate your model for bias?” or “Describe how your model handles drift.” While questionnaires help surface information, they leave a great deal of interpretation to the reviewer, who must read the narrative response, judge whether it is sufficient, identify gaps, and determine what follow-up is needed. Because the respondent can answer in many different ways, the quality and clarity of responses can vary. Questionnaires tell you what the vendor says they do, but not whether it meets a defined standard.
A risk assessment, by contrast, is rule-based. It uses predefined controls—explicit requirements that define what “acceptable” or “safe” AI practice looks like. Instead of asking, “Do you evaluate your model for bias?”, a control requires the applicant to prove compliance with a specific expectation, for example: “Vendor must conduct bias testing across race, gender, and age groups, using statistically valid methods, and provide evidence of results and remediation steps.” The reviewer no longer interprets a narrative—they verify whether the evidence meets the standard.
In practice, questionnaires gather information, while risk assessments evaluate that information against a consistent, authoritative benchmark. Questionnaires help you understand; risk assessments help you decide.
Our free AI Vendor Risk Assessment Template is designed to be used by both vendors and reviewers.
Vendors complete the assessment directly and embed evidence from their existing documentation. The form aligns with the domains listed above, with optional fields for scoring and justifications.
Governance teams review the submitted responses, highlight any gaps or deviations from control expectations, and generate:
If you're an Onboard AI user, this entire process is automated:
If you already use an AI questionnaire, or something similar, use this template to do a quick gap analysis: are you missing any important risk domains?
Download the template in your preferred format:
Ready to standardize and scale your AI vendor evaluations?
Onboard AI gives you a dynamic, living version of this template — complete with evidence mapping, automated scoring, and automated workflows.
Book a demo or try it with your next vendor for free.
It’s a comprehensive and structured evaluation of an AI tool’s clinical, technical, ethical, and regulatory risks — designed to protect patients and health systems before deployment.
AI risk includes model fairness, clinical effectiveness, explainability, and societal impact — beyond the scope of traditional IT or InfoSec reviews.
Yes. The downloadable version is fully editable (Excel, Sheets, PDF) and can be adapted to your committee’s unique criteria.