What is Inherited AI Liability
Inherited AI Liability is the contractual, data-governance, privacy, and regulatory exposure that builds up across your AI vendor relationships. It shows up before you sign, after you sign, while the relationship is running, and after termination. Under GDPR, DPDP, and the EU AI Act, this exposure sits with the enterprise. It does not transfer to the vendor.

Standard vendor risk frameworks assess whether a vendor is reliable and secure. Inherited AI Liability addresses what the enterprise contractually agreed to carry at signature. A vendor can be technically excellent while its contract assigns all AI liability to you, grants unlimited subprocessor rights, and provides no audit rights over algorithmic decisions. Standard frameworks were not designed to detect this.

No. Most of it comes from traditional software vendors — CRM, HR, document management, productivity suites — that added AI features to products already under contract. You did not procure them as AI relationships. The AI arrived through product updates. The contracts still reflect the pre-AI product.

The regulatory context
Under GDPR, accountability sits with the enterprise as the data controller. You remain accountable for processing by vendors and their subprocessors, including subprocessors you may not have known existed. Where an AI vendor has introduced features not covered by the existing DPA, you carry the gap.

The DPDP Act 2023 establishes the enterprise as a Data Fiduciary. That accountability does not transfer to the vendor by contract. The Act has been operationalised from November 2025. Every AI vendor relationship involving personal data of Indian data principals is a Data Fiduciary obligation.

No. What the vendor’s contract says about the vendor’s own exposure is not a defence to a regulatory investigation. The regulator investigates the enterprise as the controller, fiduciary, or deployer.

How it works
A data protection audit validates documentation. An IAIL assessment identifies the gap between documentation and reality. The DPA written before the product became an AI product is identified as a governance gap, not confirmed as compliant.

Probably. Most enterprises that completed data protection audits still carry Stop Conditions in vendor contracts the audit did not examine, DPAs written before the products they govern became AI products, and deletion clauses that do not cover what AI creates. The audit confirmed the documentation. The IAIL assessment identifies what the documentation misses.

Single vendor: two weeks. Portfolio (up to ten): four weeks. Enterprise (full landscape): six to eight weeks.

A 45-minute briefing. No obligation. Then, if it makes sense, a single-vendor assessment: one vendor, all nine dimensions, all seven output documents, two weeks. It creates the first evidence record and shows whether the pattern warrants going broader.

Why us
It means the independence is built into how the business operates. No vendor revenue. No referral fees. No partnerships. Every assessment is enterprise-funded. The assessor has no financial incentive to soften any finding.

They maintain commercial relationships with the AI vendors whose products you use. That constrains their findings. Individual advisers may be objective. The incentive architecture of the organisation is not. The relevant test is not whether the assessor intends to be objective. It is whether the enterprise has any reason to doubt the finding.

Yes. IAIL Framework v1.2, Assurance Protocol v1.0, Signal Protocol v1.0, Monitor Protocol v1.0, and Exit Protocol v1.0 are all published at inheritedailiability.com. Permanently archived. No version withdrawn.
