# Vendor commitment drift register

Last reviewed: 2026-05-21

AI Vendor Packet organizes review evidence and workflow support. This template is not legal advice.

## Who this is for

Teams that need one place to track potential vendor commitment drift from source change to final review outcome.

## What this template is for

Use this register as the working list for vendor changes that may affect customer promises. It is not a risk score. It is a way to avoid quiet drift.

## When to use it

- As the main tracker for an AI vendor review packet.
- When findings come from source changes, customer questions, or internal tool changes.
- Before closing a vendor review cycle.

## Commitment drift register

| Record | Signal to watch | Commitment affected | Next step |
| --- | --- | --- | --- |
| Training statement | AI data-use or model training source changed. | Customer data is not used to train provider models. | Review product scope, settings, and customer wording. |
| Retention statement | Retention source, logging setting, or storage workflow changed. | Customer data is retained only as long as needed. | Compare vendor retention with internal logs and exports. |
| Subprocessor statement | Subprocessor page changed or new integration added. | Subprocessors are reviewed and disclosed where required. | Run subprocessor checklist and decide notice path. |
| DPA statement | DPA, terms, or agreement path changed. | Customer data is processed under the right agreement. | Use DPA worksheet and route wording changes to legal. |
| Security statement | Security evidence, product setting, or service scope changed. | Security controls described to customers remain accurate. | Update evidence, questionnaire answer, or owner note. |

## How to fill it out

- Create a row for each commitment that could drift.
- Keep the source signal separate from the final review decision.
- Close rows only after customer-facing evidence is updated or explicitly unchanged.

## Common mistakes

- Tracking vendor changes without naming the customer commitment affected.
- Closing a finding because the vendor changed only a little.
- Mixing source facts with legal conclusions in the same field.

## Example drift record

Microsoft 365 Copilot privacy source reviewed; Trust Center AI policy mentions Microsoft 365 Copilot but not tenant scope; owner assigned to narrow wording and attach source date.

## Generate this automatically

Use the AI Vendor Packet scanner to generate this template from selected vendors, customer data categories, and customer-facing commitments.