Responsible AI for intranets starts with smart AI vendor risk assessment

Responsible AI is the practice of designing, deploying, and using AI systems in ways that are ethical, transparent, fair, secure, and accountable to the people they impact. Responsible AI matters because AI tools also introduce new risks and dynamics that need to be thoughtfully considered. 

The four key components of responsible AI are:

1. Data privacy: How your data is collected, used, and protected
2. Security architecture: How systems prevent breaches and unauthorized access
3. Governance and oversight: How AI use is controlled and monitored
4. Accuracy and transparency: How reliable outputs are and whether sources are visible

Without thoroughly understanding these four AI vendor risk factors, AI may create more problems than it solves. 

When conducting any AI vendor risk assessment, the vendor should be clear and transparent on their AI governance and ethics to help you make an informed decision. ThoughtFarmer’s approach focuses on clear rules that reduce risk. These rules guide how we ideate and build any AI features and how they operate inside our platform. 

Learn more about ThoughtFarmer’s approach to AI in our recent session AI for Intranets: Beyond the Hype

What is AI vendor risk assessment?

AI vendor risk assessment is the process of asking the right questions to evaluate how an AI provider handles data privacy, security, governance, and model behavior before adoption.

What questions should you ask AI vendors during risk assessment?

1. Will your AI train on our data?

Some AI systems use customer interactions to improve their models. That can introduce significant privacy risks and data leakage. A responsible AI vendor should clearly state whether customer data is used for training or reinforcement learning.

2. Where is our data processed and stored?

This question should give you a clear understanding of:

• Geographic data regions
• Infrastructure providers
• Cross-region processing rules
• Retention policies

This is particularly important for companies operating under regional compliance frameworks.

3. How is customer data isolated?

Multi-tenant software must ensure that data from different organizations remains strictly separated. For example, intranet AI should only be able to pull on information contained in your own intranet. Vendors should be able to clearly explain their database architecture and how they prevent cross-customer exposure.

4. How are permissions enforced?

Most software platforms have pre-existing permissions to ensure the right staff can access the appropriate content and perform tasks at the right level. Ensuring these permissions are respected is essential. AI tools should never bypass these existing security controls. 

5. How are AI answers grounded?

One of the biggest risks with generative AI is hallucinated responses, which means the AI “made up” answers. You should ask AI vendors how they ensure answers come from trusted internal sources rather than generic training data that may produce unreliable results.

Download the AI Vendor Checklist for over 35 questions you should be asking AI vendors

ThoughtFarmer’s answers to AI vendor questions

At ThoughtFarmer, we take a strong stance on AI and its role in the future of work. Security and practicality are the two building blocks of our AI features. We deploy AI in ways that make a tangible difference in the lives of users without adding security risk.

Question	ThoughtFarmer answer
Does ThoughtFarmer AI train on customer data?	No. ThoughtFarmer does not use customer data to train or reinforce AI models. This prevents sensitive information from being incorporated into broader AI training datasets.
Where does ThoughtFarmer AI process and store data?	AI requests are processed through AWS infrastructure using private subnets and encrypted connections. Requests are processed in memory and are not logged by the AI provider.
How does ThoughtFarmer isolate customer data?	Each customer’s data is stored in separate databases and search indexes. This prevents cross-customer data exposure.
How does ThoughtFarmer ensure permissions are maintained and enforced?	The AI assistant can only generate answers using information the user already has permission to access. If an employee cannot see a page on the intranet, the AI assistant cannot reference it.
How are ThoughtFarmer AI answers grounded?	The AI assistant provides links back to the content it used to generate an answer. This allows employees to verify the information and review the original source.

Download the AI Vendor Checklist to learn more about ThoughtFarmer’s answers to 35+ vendor AI questions.

How to assess AI vendor risk

The key steps to assessing AI vendor risk are:

1. Reviewing how the vendor handles data training and retention
2. Evaluating infrastructure and data storage locations
3. Confirming data isolation and multi-tenant protections
4. Testing how permissions are enforced
5. Verifying how AI answers are generated and sourced

There are also AI vendor signals that can indicate whether a product has been built responsibly. Green flags are a positive indicator. Red flag signals are warning signs that the AI vendor may not be taking security seriously enough. 

AI vendor green flags

• Clear statement that customer data is not used for training
• Explicit retention and logging policies
• Permission-aware architecture
• Source citations for AI answers

AI vendor red flags

• Vague explanations of how data is used
• Statements such as “data may be used to improve models”
• Lack of transparency around infrastructure or sub-processors
• AI responses that cannot be traced to source material

What are AI governance best practices?

In addition to conducting thorough AI vendor checklists, you should develop your own AI governance best practices within your organization. AI governance policies should cover:

• Acceptable data usage
• Approved tools and use cases
• Human review expectations
• Escalation paths for questions or issues

Knowing there your organization stands on these four topics will help you decide if a vendor’s responses to the questionnaire meet your standards.

Why is AI powerful for intranets?

AI is most powerful when it has access to the right information. This is why intranets are well suited for responsible AI. They provide a trusted knowledge base that can ground AI responses. While public AI models are trained on general internet data, intranet AI has much-needed context. 

Intranet AI contains:

• Your organization’s policies and procedures
• Onboarding documentation
• Internal project updates
• Operational knowledge 

Final key takeaways for evaluating AI vendors

• Always confirm whether your data is used for training
• Ensure data is securely processed and stored
• Verify strict data isolation between customers
• Confirm AI respects user permissions
• Require answers to be grounded in trusted sources

AI has enormous potential to improve how employees work. But organizations should not adopt it blindly. By asking the right vendor questions and prioritizing transparency, privacy, and governance, companies can introduce AI in a way that strengthens trust instead of weakening it.

At ThoughtFarmer, responsible AI is not an afterthought. It is the foundation for how we build intranet tools that organizations can confidently use every day. Book a demo to explore ThoughtFarmer’s AI features.

Download the AI Vendor Checklist