
Navigating the AI hype: Structured evaluation for AI providers

We enhanced the well-established StarAudit questionnaire to include a comprehensive AI provider evaluation.

Outcome

In collaboration with our client, we have developed a practical questionnaire designed to qualify AI providers. This comprehensive questionnaire addresses the critical areas necessary for AI compliance. It is aligned with the structure of the AI Act, with a particular emphasis on the requirements for high-risk AI systems.

Numbers and facts

44 closed-ended questions for evaluating providers of AI services.

30 open-ended questions for describing the AI service in accordance with the AI Act.

8 different sections for a holistic assessment.

5 internationally recognized laws and frameworks used.

About StarAudit

StarAudit is designed and provided by EuroCloud Europe, an independent non-profit organization renowned for its extensive international network of accredited partners and experts. StarAudit is both an advanced certification tool and a comprehensive questionnaire for evaluating cloud services. This questionnaire addresses the increasingly complex demands for transparency, compliance, security, and data protection in cloud usage. With StarAudit, cloud services are evaluated across seven distinct areas using questions with predefined answer choices.

Why the new AI Area

Employing AI introduces numerous new challenges and risks for companies and organizations. With so much information available, it is easy to lose track of what truly matters. The new AI Area in StarAudit provides a structured framework to cover the most critical topics through targeted questions. This enables quick determination of whether a provider is mature enough and whether a use case is feasible. It thus helps to bring clarity to the complex AI risk landscape.

The process

Sourcing International partnered with a client to conduct a comprehensive assessment of risks and challenges associated with both current and planned AI use cases. The goal was to ensure legal, technical, and organizational compliance in alignment with international standards and the evolving AI Act.

We began by mapping and consolidating multiple internationally recognized frameworks, including the NIST AI Risk Management Framework, AIC4, IDW PS 861, and the EU AI Act, into a unified and structured questionnaire. This allowed us to systematically evaluate provider maturity and service compliance across key dimensions.

Recognizing that these frameworks do not fully address emerging legal risks and sector-specific nuances, we initiated a series of expert interviews with leading jurists from the International Network of Privacy Law Professionals (INPLP). Their insights were instrumental in shaping the legal depth and practical relevance of our questions.

One of the main challenges was to harmonize differing terminologies and conceptual approaches across the various frameworks while bridging the gap between legal and technical interpretations. In addition, it was crucial to design the questionnaire in a way that made it both practical and sufficiently comprehensive for a wide range of stakeholders, including procurement, legal, IT security, and business departments. To meet these requirements, we adopted an iterative development process, working closely with internal teams and external experts and integrating feedback in structured weekly review cycles.

The finalized questionnaire underwent expert review by analysts from Gartner and Microsoft. Their valuable insights were integrated into the framework, further enhancing its rigor, practical relevance, and credibility as a robust tool for evaluating AI providers.
