TL;DR
Per IDC's 2025 Worldwide AI Spending Guide, enterprise AI software spend will pass USD 232 billion in 2026, with most of that flowing through SaaS line items rather than dedicated AI budgets. CFOs are now asking finance, procurement, and the CISO for a single AI vendor list that explains who has AI exposure, where the spend lives, what data leaves the perimeter, and which contracts give the company an exit. This guide is the practical build. Source: IDC Worldwide AI Spending Guide, March 2025. Updated 2026-05-20.
Why CFOs are asking for this list in 2026
The AI vendor inventory question moved from CISO desks to CFO desks during 2025. Three forces converged: AI line items started materially affecting renewal economics (every major SaaS vendor added an AI tier or AI SKU), audit committees began asking how AI risk was reflected in 10-K filings, and AI-driven incidents started producing real losses that interrupted forecasted savings. By the start of 2026, most public-company CFOs have either received an audit committee question on AI vendor exposure or are anticipating one in the next 90 days.
The pattern we see is consistent: finance can list every vendor invoiced over USD 10,000, security can list every approved SaaS tenant, procurement holds the signed contracts, but no one can answer the actual question - which of those vendors process company or customer data through AI models, and what are the controls. The list the CFO needs sits across all three of these systems and is owned by none of them.
The strategic takeaway is that the AI vendor list is now a CFO-grade artefact, not a security spreadsheet. It must satisfy three audiences simultaneously: the CFO and audit committee (who care about disclosure, spend, and contract risk), the CISO and risk owner (who care about data flow and incident exposure), and the procurement and legal teams (who care about commercial terms and termination rights). A list built only for one audience fails the other two on first questioning. The Areebi platform inventory and compliance hubs are built around this multi-audience model.
Scope: what counts as an AI vendor in 2026
The first reason most AI vendor lists fail is incorrect scope. Teams instinctively list the obvious frontier-model providers (OpenAI, Anthropic, Google) and stop. That captures perhaps 20 percent of true AI exposure in a typical mid-market enterprise. The correct scope question is: any vendor whose product touches company or customer data and uses AI for compute, classification, generation, prediction, or automation. That definition covers four distinct vendor classes that must each appear on the list.
Class 1: Frontier model providers
These are vendors whose primary product is a model or model-serving API. The roster is small and well known: OpenAI, Anthropic, Google (Gemini), Meta (Llama via hosting partners), Mistral, Cohere, AI21, Amazon Bedrock providers, Azure OpenAI Service, plus hosted open-source serving (Together, Anyscale, Replicate, Modal). Most enterprises use two to five of these directly. Each one must appear with model versions in use, data processing addendum (DPA) status, retention defaults, training opt-out status, region of inference, and named contract owner.
The audit committee question to anticipate: "Which of our frontier model contracts allow the provider to train on our inputs by default, and what overrides have we executed?" A vendor list that cannot answer this in writing fails the test.
Class 2: SaaS vendors with AI features
This is the largest class by count and the largest source of unexpected exposure. Every major SaaS category added AI features during 2024 and 2025: CRM (Salesforce Einstein, HubSpot Breeze), productivity (Microsoft 365 Copilot, Google Workspace Gemini, Notion AI), support (Zendesk AI, Intercom Fin, Front AI), HR (Workday AI, BambooHR AI), finance (Sage AI, Xero AI, Intuit AI), security (Crowdstrike Charlotte, Microsoft Security Copilot), and developer tooling (GitHub Copilot, Cursor, JetBrains AI). For each existing SaaS contract, the AI vendor list must record: which AI features are enabled, what data those features ingest, whether the data is used for cross-tenant model improvement, and which add-on SKUs have been licensed.
The most common surprise in this category is that many tier-1 SaaS contracts have AI features on by default with model-improvement consent embedded in the EULA. Procurement signed the master agreement two years ago; the AI features arrived in product updates; no one re-signed. Per IAPP's 2025 Privacy and AI Governance Report, this gap accounts for the majority of unexplained AI exposure in mid-market environments.
Class 3: Embedded AI in business-critical platforms
This class catches vendors where AI is not marketed prominently but is embedded in workflows that touch sensitive data. Examples include payroll providers using AI for fraud scoring, expense management tools using AI for receipt classification, contract management tools using AI for clause extraction, and observability vendors using AI for anomaly detection. The vendor list must include these because incident exposure is real even when the marketing material does not lead with AI.
The discovery method that works: ask each vendor in writing whether any AI or machine learning model processes company data, whether models are trained on customer data, and whether AI-generated outputs are presented to users. Treat a non-response or vague response as a high-risk signal and follow up. Per Gartner's 2025 Magic Quadrant for Third-Party Risk Management, AI-specific vendor questionnaires are now standard practice at 78 percent of large enterprises, up from 31 percent in 2023.
Class 4: Unsanctioned AI tools (shadow AI)
Shadow AI is the class no one wants on the list because no one wants to admit it exists. It must be on the list anyway, with a discovery date, current user count, business unit, data exposure assessment, and remediation status. Discovery sources include browser extension telemetry, SSO logs, expense reimbursements with AI vendor names, and email gateway logs showing welcome emails from AI products.
The CFO's audit committee will eventually ask: "How do we know we have a complete list?" The answer requires evidence of continuous discovery, not a point-in-time survey. Our shadow AI guide covers the discovery mechanics, and the Areebi DLP layer captures unsanctioned AI traffic as it leaves the perimeter.
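The discovery mechanics described above, as an added example that is not part of this guide or the Areebi platform: it correlates three of the named sources (SSO logs, expense reimbursement lines and email-gateway welcome messages) into candidate shadow AI entries carrying the fields the list needs. The product-domain table, the log lines, the expense lines and the mail subjects are all constructed for illustration, and the field names are assumptions.

```python
"""Shadow AI discovery across SSO, expense and mail-gateway telemetry.

Added example, not Areebi code. All records below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed lookup of AI product domains the gateway should recognise.
KNOWN_AI_PRODUCTS = {
    "chatgpt.com": "OpenAI ChatGPT",
    "claude.ai": "Anthropic Claude",
    "otter.ai": "Otter.ai",
    "jasper.ai": "Jasper",
}

# Constructed sample telemetry (not real logs).
SSO_LOG = [
    "2026-05-02T09:14:03Z user=j.doe@example.com app=chatgpt.com result=allow",
    "2026-05-02T09:20:11Z user=a.lee@example.com app=salesforce.com result=allow",
    "2026-05-03T16:40:27Z user=j.doe@example.com app=otter.ai result=allow",
]
EXPENSE_LINES = [  # (employee, merchant text, amount USD, business unit)
    ("k.park@example.com", "OTTER.AI SUBSCRIPTION", 16.99, "Sales"),
    ("m.ruiz@example.com", "JASPER AI MONTHLY", 49.00, "Marketing"),
    ("a.lee@example.com", "UBER TRIP", 23.10, "Sales"),
]
MAIL_SUBJECTS = [  # (recipient, sender domain, subject)
    ("m.ruiz@example.com", "jasper.ai", "Welcome to Jasper! Let's get started"),
    ("t.ng@example.com", "claude.ai", "Welcome to Claude"),
    ("t.ng@example.com", "example.com", "Weekly status"),
]


@dataclass
class Candidate:
    product: str
    users: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    business_units: set = field(default_factory=set)
    expensed_usd: float = 0.0


def _match_product(text):
    """Map free text (domain, merchant string, subject) to a known AI product."""
    low = text.lower()
    for domain, name in KNOWN_AI_PRODUCTS.items():
        stem = domain.split(".")[0]
        if domain in low or re.search(rf"\b{stem}\b", low):
            return name
    return None


def discover(sso_log=SSO_LOG, expenses=EXPENSE_LINES, mail=MAIL_SUBJECTS, sanctioned=()):
    """Return {product: Candidate} for AI products seen in any source that are
    not already on the sanctioned list."""
    found = {}

    def rec(product):
        return found.setdefault(product, Candidate(product))

    for line in sso_log:  # key=value pairs after the timestamp
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        product = _match_product(fields.get("app", ""))
        if product:
            c = rec(product)
            c.users.add(fields["user"])
            c.sources.add("sso")
    for user, merchant, amount, bu in expenses:
        product = _match_product(merchant)
        if product:
            c = rec(product)
            c.users.add(user)
            c.sources.add("expense")
            c.business_units.add(bu)
            c.expensed_usd += amount
    for user, sender, subject in mail:  # welcome emails signal a new signup
        product = _match_product(sender) or _match_product(subject)
        if product and "welcome" in subject.lower():
            c = rec(product)
            c.users.add(user)
            c.sources.add("mail")
    return {p: c for p, c in found.items() if p not in sanctioned}


def to_inventory_rows(found, discovered_on):
    """Rows in the shape the list needs for the shadow AI class: discovery
    date, user count, business unit, exposure assessment, remediation status."""
    return [{
        "vendor": c.product, "discovered_on": discovered_on,
        "user_count": len(c.users), "business_units": sorted(c.business_units),
        "sources": sorted(c.sources), "expensed_usd": round(c.expensed_usd, 2),
        "data_exposure": "pending assessment", "remediation": "open",
    } for c in sorted(found.values(), key=lambda c: c.product)]


if __name__ == "__main__":
    for row in to_inventory_rows(discover(), "2026-05-20"):
        print(row)
```

Running the script on the constructed samples surfaces four products; the same signup seen in two sources (Otter.ai in SSO and in an expense claim) collapses to one candidate with two users, which is what makes the user count and the "sources" column defensible when the audit committee asks how completeness is evidenced.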
Classification: the four-by-four schema that holds up in audit
A vendor list without classification is a phone book - useful for nothing the CFO is asking. The classification scheme that holds up across audit, finance, security, and procurement reviews is four-by-four: four vendor classes (above) crossed with four risk tiers. Every vendor on the list lands in exactly one cell, and the cell determines the controls, the documentation depth, and the review cadence.
Per NIST SP 800-161 Revision 1 (May 2022), supply-chain risk management requires tiered classification with documented criteria. Areebi's model supply chain security guide covers the technical control mapping; the schema below is the finance- and audit-ready overlay.
| Risk tier | Definition | Examples | Required documentation | Review cadence |
|---|---|---|---|---|
| Tier 1 - Critical | Processes regulated data (PHI, PCI, PII at scale), or AI output materially affects a regulated decision | Underwriting AI, clinical decision support, frontier models on customer data | DPA, BAA where applicable, SOC 2 Type II, ISO 42001 or NIST AI RMF attestation, executed model card, indemnification clause, exit clause with data deletion SLA | Quarterly |
| Tier 2 - High | Processes confidential business data or affects employee decisions | HR AI, finance AI, code assistants, CRM AI | DPA, SOC 2 Type II, named-feature configuration record, training opt-out evidence, executed exit clause | Semi-annual |
| Tier 3 - Standard | Processes internal business data, low data sensitivity | Marketing AI, productivity AI on internal docs | DPA, SOC 2 Type I or II, AI feature inventory | Annual |
| Tier 4 - Light | No customer or sensitive data, internal-only | Brainstorming tools on public-only data, generic copy assistants | EULA review, acceptable use policy reference | Annual |
The trap to avoid is letting business units self-classify. Self-classification consistently produces tier creep downward (everything becomes Tier 3 because it makes the paperwork lighter). The CISO or AI governance committee must own the classification decision, with the business unit providing input only on the use case and data flow.
Spend visibility: where the AI line items actually live
The CFO question that exposes most AI vendor lists is: "What did we spend on AI in the last 12 months?" Three patterns produce a defensible answer.
Pattern 1: Tag the contracts, not the invoices. Attempting to extract AI spend from invoices is hopeless because most AI line items are embedded in master SaaS subscriptions. Instead, tag each vendor on the list with an AI spend share (often expressed as a percentage of the master subscription or a flat add-on amount where the AI SKU is line-itemed). Sum the tagged contracts quarterly. This is the number that should appear in board materials. Per Gartner's 2025 IT Key Metrics, AI-specific spend grew at 3.4x the rate of overall IT spend in 2024-2025, which means the line item is large enough to merit its own roll-up.
Pattern 2: Force AI SKUs to a separate cost centre. Where the vendor offers a separately invoiced AI add-on (Microsoft 365 Copilot, Salesforce Einstein Copilot, GitHub Copilot Enterprise), require procurement to allocate the AI SKU to a dedicated AI cost centre. This gives the CFO a clean monthly burn number without rebuilding finance systems. It also enables ROI conversations at the SKU level, which is where the next wave of CFO scrutiny is going.
Pattern 3: Surface model usage costs from cloud consumption. For frontier-model spend that flows through cloud accounts (Bedrock, Azure OpenAI, Vertex AI), enable native cost tags at the workload level. Most enterprises discover that 60 to 80 percent of their frontier-model spend was previously buried in a generic "AI/ML services" cloud cost line that nobody could attribute. Per Flexera's 2025 State of the Cloud Report, AI consumption surprises are now the most common reason for unbudgeted cloud overages, accounting for 27 percent of incidents.
Contract essentials: BAAs, DPAs, exit clauses, indemnification
For each vendor on the list, the contract file must include named clauses that survive specific audit questions. The minimum set is four documents and four clauses.
Document 1: Data Processing Addendum (DPA). Required for any vendor processing personal data. Must specify the lawful basis, the data categories, the retention period, the sub-processor list, the data transfer mechanism (SCCs, adequacy decision), and the rights of the data subject. AI-specific addendum language must address whether inputs are used for model training and on what basis. Per IAPP's 2025 DPA Best Practice Guide, AI-specific DPA addenda are now expected for any vendor whose product offers AI features, regardless of whether AI is the primary use case.
Document 2: Business Associate Agreement (BAA). Required wherever the vendor will process protected health information (PHI) covered by HIPAA. Frontier model providers offer BAAs but typically only under specific contract tiers (OpenAI Enterprise, Anthropic Enterprise, Azure OpenAI Service with HIPAA-eligible terms, Google Cloud with HIPAA BAA). A BAA must be executed before any PHI is exposed to the AI surface; a retroactive BAA does not cure prior exposure. Healthcare CISOs - see our healthcare AI governance guide for the full BAA matrix.
Document 3: Subprocessor list with notice and objection rights. AI vendors typically rely on multiple cloud and inference subprocessors. The contract must list subprocessors at the time of signing, give advance notice of changes, and grant an objection right (typically 30 days). The audit committee will increasingly ask whether the company exercised any subprocessor objection - track this even when the answer is no.
Document 4: Executed exit plan with data deletion SLA. Termination clauses that promise "deletion of customer data" without timeline, format, or attestation are not exit plans. The clause must specify a deletion deadline (typically 30 to 90 days), a format for any data returned, and a certificate of deletion that names which systems were purged. Tier 1 and Tier 2 vendors must have an exit plan rehearsed at least once during the contract term.
Clause set: indemnification, IP, output ownership, and liability cap. Areebi's standard contract review checks four clauses for every Tier 1 and Tier 2 AI vendor: (1) indemnification for IP infringement from model outputs, (2) clear customer ownership of inputs and outputs, (3) liability cap calibrated to a multiple of annual contract value rather than a fixed sub-USD-100,000 cap (which is the 2022-era default and is now considered inadequate for AI vendors processing regulated data), and (4) AI-specific incident notification (48 to 72 hours typical) layered on top of the standard data breach notification clause. At Areebi, we publish the redlines we use against our own vendors so customers can adopt them - they live in the resources library.
Operating cadence: who runs the list, how often, with what evidence
A vendor list that is built once and never refreshed is a finance and audit liability rather than an asset. The operating cadence that, in our observation, holds up across mid-market and enterprise programmes has three layers.
Monthly: continuous discovery. Automated discovery from network telemetry, SSO logs, expense reimbursements, browser extension data, and DLP signals feeds new candidate vendors into the list. Tier 4 candidates are auto-classified and confirmed by a procurement reviewer; Tier 3 and above require a CISO sign-off before becoming a permanent inventory entry.
Quarterly: tiered reviews. Each tier follows its review cadence. The CFO and CISO jointly receive a quarterly AI vendor report covering: new additions, tier changes, deletions, contract renewals due in the next 90 days, expiring DPAs or BAAs, and the AI spend roll-up. Audit committees are now expecting this report - per Deloitte's 2025 CFO Signals survey, 62 percent of large-cap audit committees have requested an AI vendor inventory briefing at least once in the past 12 months.
Annual: full revalidation. Each Tier 1 and Tier 2 vendor undergoes a full revalidation: refreshed risk assessment, refreshed DPA and BAA where applicable, refreshed model card, refreshed sub-processor list, refreshed control attestation. Tier 1 vendors must demonstrate that they remain aligned with NIST AI RMF, ISO/IEC 42001, or an equivalent recognised framework. The output feeds the company's 10-K AI risk disclosure where applicable.
Common mistakes that fail the audit committee question
Three patterns of failure show up repeatedly when CFOs receive their first AI vendor list.
Mistake 1: One list, multiple owners, no source of truth. Finance maintains an AI vendor spreadsheet, security maintains an approved SaaS list, procurement maintains a contract repository, and the three never reconcile. The CFO asks one question and receives three different vendor counts. Avoid this by designating a single AI vendor inventory owner (typically the CISO with finance as co-owner), one canonical system, and a documented exception process when other systems must override.
Mistake 2: Tier 1 classification without enforcement. The list correctly classifies a frontier model provider as Tier 1, but the controls (DLP, audit logging, model card review) are not in place. The classification creates audit liability without delivering control benefit. Avoid this by tying tier assignment to an enforcement checklist that must be green before the vendor can move to production. The Areebi policy engine and audit log are designed to ship this evidence as a byproduct of normal operation.
Mistake 3: Contract renewal as a procurement-only event. AI vendor contracts come up for renewal and procurement extends on existing terms because no one provides an updated risk view. Avoid this by routing every Tier 1 and Tier 2 AI vendor renewal through the AI Governance Committee at least 60 days before the renewal date, with a refreshed risk memo as the input.
What to do next
The list is a one-week build once you have the data sources. The sequence that works:
- Week 1 - Extract candidate vendors from finance (all SaaS over USD 10,000 ARR), procurement (active contracts), security (approved SSO tenants), and DLP (unsanctioned AI traffic).
- Week 2 - Classify each candidate against the four-by-four schema. Send a written AI exposure questionnaire to any vendor not clearly Tier 4.
- Week 3 - Reconcile contracts: locate DPA, BAA, sub-processor list, exit plan, indemnification clause for each Tier 1 and Tier 2 vendor. Identify gaps and assign remediation owners.
- Week 4 - Brief the CFO and CISO. Publish the operating cadence and the quarterly report template. Charter the discovery telemetry that keeps the list current.
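The four-week sequence above, together with the four-by-four schema, the contract-tagging spend roll-up (Pattern 1 and Pattern 2) and the single-source-of-truth point in Mistake 1, as an added example that is not Areebi's code or any vendor's: it reconciles finance, SSO, procurement and DLP sources into one inventory, classifies each vendor from the CISO's data-sensitivity and output-use inputs, sums AI spend from contract tags, and reports missing contract documents per tier. Every vendor, amount, data class and document token below is constructed for illustration; the document tokens condense the table's required-documentation column and are assumptions.

```python
"""Reconcile, classify, roll up spend and report document gaps.

Added example, not Areebi code. All vendors, amounts and documents are constructed.
"""

# --- Constructed source systems: finance, SSO, procurement, DLP -------------
FINANCE_ARR_USD = {"Salesforce": 240_000, "Microsoft 365": 180_000,
                   "Acme Payroll": 60_000, "OpenAI": 48_000}
SSO_TENANTS = {"salesforce", "microsoft 365", "openai"}
DLP_UNSANCTIONED = {"Jasper"}   # seen leaving the perimeter, no contract on file
PROCUREMENT = {
    # ai_spend_share: fraction of the master subscription attributed to AI;
    # ai_addon_usd: separately invoiced AI SKU on its own cost centre.
    # data / output_use are the CISO's classification inputs, not self-assessed.
    "Salesforce":    {"ai_spend_share": 0.15, "data": {"confidential"},
                      "output_use": "other",
                      "docs": {"DPA", "SOC2_T2", "FEATURE_CONFIG", "EXIT_PLAN"}},
    "Microsoft 365": {"ai_addon_usd": 36_000, "data": {"confidential"},
                      "output_use": "other",
                      "docs": {"DPA", "SOC2_T2", "FEATURE_CONFIG",
                               "TRAINING_OPT_OUT", "EXIT_PLAN"}},
    "Acme Payroll":  {"ai_spend_share": 0.10, "data": {"pii_at_scale"},
                      "output_use": "employee_decision",
                      "docs": {"DPA", "SOC2_T2"}},
    "OpenAI":        {"ai_spend_share": 1.0, "data": {"phi", "pii_at_scale"},
                      "output_use": "regulated_decision",
                      "docs": {"DPA", "SOC2_T2", "AI_ATTESTATION", "MODEL_CARD",
                               "INDEMNIFICATION", "EXIT_PLAN"}},
}

REGULATED = {"phi", "pci", "pii_at_scale"}
# Required documentation per tier, condensed from the four-by-four table.
REQUIRED_DOCS = {
    1: {"DPA", "SOC2_T2", "AI_ATTESTATION", "MODEL_CARD", "INDEMNIFICATION", "EXIT_PLAN"},
    2: {"DPA", "SOC2_T2", "FEATURE_CONFIG", "TRAINING_OPT_OUT", "EXIT_PLAN"},
    3: {"DPA", "SOC2", "AI_FEATURE_INVENTORY"},
    4: {"EULA_REVIEW", "AUP_REFERENCE"},
}


def classify(data_classes, output_use):
    """Risk tier from data sensitivity and output use; highest matching tier wins."""
    if data_classes & REGULATED or output_use == "regulated_decision":
        return 1
    if "confidential" in data_classes or output_use == "employee_decision":
        return 2
    if "internal" in data_classes:
        return 3
    return 4


def required_docs(tier, data_classes):
    docs = set(REQUIRED_DOCS[tier])
    if "phi" in data_classes:
        docs.add("BAA")   # HIPAA: executed before any PHI reaches the AI surface
    return docs


def ai_spend(arr_usd, contract):
    """Pattern 2 (separate AI SKU) takes precedence over Pattern 1 (share tag)."""
    if "ai_addon_usd" in contract:
        return float(contract["ai_addon_usd"])
    return arr_usd * contract.get("ai_spend_share", 0.0)


def reconcile(finance=FINANCE_ARR_USD, sso=SSO_TENANTS,
              procurement=PROCUREMENT, dlp=DLP_UNSANCTIONED):
    """One canonical row per vendor, the union of all four sources."""
    canon = {}
    for src, names in (("finance", finance), ("procurement", procurement),
                       ("sso", sso), ("dlp", dlp)):
        for name in names:
            entry = canon.setdefault(name.lower(), {"vendor": name, "sources": set()})
            entry["sources"].add(src)
    fin_by_key = {k.lower(): v for k, v in finance.items()}
    proc_by_key = {k.lower(): v for k, v in procurement.items()}

    rows = []
    for key, entry in sorted(canon.items()):
        row = dict(entry, tier=None, ai_spend_usd=0.0, missing_docs=set(), status="")
        contract = proc_by_key.get(key)
        if contract is None:   # no contract: cannot be tiered until the questionnaire returns
            row["status"] = "questionnaire required"
        else:
            tier = classify(contract["data"], contract["output_use"])
            row["tier"] = tier
            row["ai_spend_usd"] = ai_spend(fin_by_key.get(key, 0), contract)
            row["missing_docs"] = required_docs(tier, contract["data"]) - contract["docs"]
            row["status"] = "complete" if not row["missing_docs"] else "remediation"
        rows.append(row)
    return rows


def spend_rollup(rows):
    """The quarterly AI spend number that goes into board materials."""
    return sum(r["ai_spend_usd"] for r in rows)


def by_vendor(rows):
    return {r["vendor"]: r for r in rows}


if __name__ == "__main__":
    inventory = reconcile()
    for r in inventory:
        print(r["vendor"], r["tier"], r["status"], sorted(r["missing_docs"]), r["ai_spend_usd"])
    print("AI spend roll-up USD:", spend_rollup(inventory))
```

On the constructed inputs the payroll provider lands in Tier 1 on PII at scale even though AI is not its headline feature, the frontier-model contract is complete except for the BAA that its PHI flow requires, and the DLP-only vendor stays untiered with a questionnaire flag rather than being silently dropped or defaulted to Tier 3.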
The Areebi AI Governance Assessment generates the first version of this list as part of its standard output, drawing on the inventory and DLP telemetry inside the platform. The build an AI governance programme guide explains how this list fits into a broader operating model, and the build vs buy guide covers the make-or-purchase decision for the underlying inventory system.
Sources
- NIST SP 800-161 Revision 1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, May 2022. csrc.nist.gov/pubs/sp/800/161/r1/final
- IDC Worldwide AI Spending Guide - March 2025 release projecting USD 232 billion in 2026 enterprise AI software and services spend. idc.com
- IAPP Privacy and AI Governance Report 2025 - International Association of Privacy Professionals, annual benchmark on AI-specific DPA practice. iapp.org/resources
- Gartner Magic Quadrant for Third-Party Risk Management 2025 - Coverage of AI-specific vendor questionnaire adoption. gartner.com
- Deloitte CFO Signals 2025 Q3 - Quarterly survey of large-cap CFOs covering audit committee AI vendor inquiries. deloitte.com/us/cfo-signals
- Flexera 2025 State of the Cloud Report - Annual benchmark on cloud cost surprises including AI consumption. flexera.com
Frequently Asked Questions
What counts as an AI vendor for the CFO's list?
Any vendor whose product touches company or customer data and uses AI for compute, classification, generation, prediction, or automation. That definition spans four classes: frontier model providers (OpenAI, Anthropic, Google, Amazon Bedrock partners), SaaS vendors with AI features (Microsoft 365 Copilot, Salesforce Einstein, etc.), embedded AI in business-critical platforms (payroll fraud scoring, expense classification), and unsanctioned shadow AI tools surfaced via discovery telemetry.
How is this different from the security team's approved-SaaS list?
Scope, classification, and audience. A security approved-SaaS list captures the SSO tenants the company has provisioned. The CFO's AI vendor list adds embedded AI features that ride inside existing tools, shadow AI traffic that never reached SSO, frontier model spend that lives in cloud cost reports, and contract-level fields (DPA status, BAA, exit clause, indemnification, spend share) that the security list does not carry. The CFO list is designed to answer audit-committee questions, not just security questions.
What is the right tier for OpenAI or Anthropic on the Enterprise API?
Tier 1 for any organisation that sends regulated data (PHI, PCI, PII at scale) or whose AI outputs materially affect regulated decisions. Tier 2 for companies using the API on confidential business data without regulated content. The classification is driven by data sensitivity and output use, not by the vendor's reputation. Required documentation at Tier 1 includes DPA, BAA (where applicable), SOC 2 Type II, executed training opt-out, ISO 42001 or NIST AI RMF attestation, indemnification clause, and exit plan with data deletion SLA.
Do we need a BAA with every AI vendor?
Only where the vendor will process protected health information covered by HIPAA. Frontier model providers offer BAAs but only under specific tiers (OpenAI Enterprise, Anthropic Enterprise, Azure OpenAI Service with HIPAA-eligible terms, Google Cloud with HIPAA BAA). For other vendors a Data Processing Addendum (DPA) covers personal data under GDPR, UK GDPR, and most US state privacy laws. A retroactive BAA does not cure prior PHI exposure, so the BAA must be executed before any PHI flows to the AI surface.
How do we answer 'what did we spend on AI last year' when AI is buried inside SaaS subscriptions?
Tag the contracts, not the invoices. For each vendor on the inventory, attach an AI spend share (a percentage of the master subscription or a flat add-on amount). Force AI add-on SKUs to a separate cost centre at procurement time. Enable cloud cost tags at the workload level for Bedrock, Azure OpenAI, and Vertex AI consumption. Sum the tagged values quarterly. Per Gartner's 2025 IT Key Metrics, AI-specific spend grew at 3.4x the rate of overall IT spend in 2024-2025, which is large enough to merit its own board-level roll-up.
How often should the AI vendor list be refreshed?
Continuous discovery monthly (automated telemetry adds candidate vendors), tiered reviews quarterly (CFO and CISO joint report covering additions, tier changes, expiring DPAs and BAAs, contract renewals within 90 days, AI spend roll-up), and a full annual revalidation for every Tier 1 and Tier 2 vendor with refreshed risk assessment, DPA, BAA, model card, sub-processor list, and control attestation. Tier 1 and Tier 2 vendor renewals should be routed through the AI Governance Committee at least 60 days before the renewal date.
About the Author
Areebi Research
The Areebi research team combines hands-on enterprise security work with deep AI governance research. Our analysis is informed by primary sources (NIST, ISO, OECD, federal registers, IAPP) and the operational realities of CISOs running AI programs in regulated industries today.