The 80-Question Wall: What Enterprise AI Security Questionnaires Actually Demand

The AI feature your team shipped in March is unsellable to half your pipeline, and the engineering org doesn't know it yet. Somewhere in account-executive Slack, a deal at 80% probability just got kicked from forecast because the prospect's CISO sent over a 92-question security review with an AI addendum. Question 31 asks for your training data provenance documentation. Question 47 asks whether prompts are logged, where, for how long, and who can read them. Question 63 asks whether your inference can be region-pinned to the EU. Question 78 asks for your prompt-injection resistance rate against the OWASP LLM Top 10 corpus, with measured numbers, by model version. The deal team has 72 hours to respond. Nobody on the AI team has written down the answer to any of these.

This is the new wall. Fortune 500 procurement teams now run AI-feature-specific security reviews that didn't exist in 2023, and the answers your engineering org needs aren't hard to produce — they're just nobody's job. The questions are concrete, the frameworks are public, and yet most AI products are quietly unsellable to regulated enterprises because the answers were never written down.

The frustrating part is that none of this is mysterious. The questionnaires are templated. The expected answers are documented. The real failure mode is that AI features were shipped on the assumption that the existing SOC 2 report would carry the same enterprise-deal weight it carried for the last decade — and it doesn't.

What changed: the AI addendum is now standard

Three things happened in the last 18 months that the engineering side hasn't fully internalized.

First, the Cloud Security Alliance shipped an AI extension to its Consensus Assessments Initiative Questionnaire — the AI-CAIQ — which adds 47 AI-specific questions on top of the existing CAIQ. The same buyers who've been sending you the 261-question CAIQ for years are now appending the AI section, and "we don't know" is the wrong answer to any of them.

Second, the SIG questionnaire — the dominant template in financial services, insurance, and healthcare — added AI domains covering model lifecycle management, training data governance, model risk, transparency, and incident response. SIG Lite versions that used to fit on a single afternoon now run two weeks because every AI question requires sourcing an answer from a person who's never been asked it before.

Third, ISO/IEC 42001 — the first certifiable AI management system standard — became a "preferred" or "required" line item in enterprise procurement templates. The OWASP LLM Top 10 became the de facto reference framework procurement teams cite when scoring vendors. NIST AI RMF alignment shows up in RFPs from regulated buyers. None of these existed as procurement signals two years ago.

The combined effect is that the security-review surface for an AI feature is roughly 30% larger than for a non-AI SaaS product, and the questions probe areas — training data, prompt logs, model versioning, refusal behavior — that nobody on a typical engineering team has historically owned.

The seven question clusters that show up everywhere

The questionnaires vary by buyer, but the AI sections converge on seven clusters. If you can answer these confidently, you'll clear 80% of what regulated enterprises throw at you.

Training data provenance. Where did the data come from? Do you have rights to use it? Is customer data used for training? If yes, can it be excluded? If no, how is that enforced? An AI Bill of Materials — a machine-readable inventory of datasets, models, and components — is the artifact that closes this category. Vendors who can't produce one are scoring lower than vendors who can, and the gap is widening as ISO 42001 audits start landing in 2026.

Prompt and output logging. What's logged, where is it stored, who can read it, how long is it retained, and is it included in training? The answer "we log everything for 30 days for debugging" is fine for a hobby project and unsellable to a regulated enterprise. The expected answer is granular: tenant-segregated storage, encryption at rest with customer-managed keys for the top tier, configurable retention with a documented default, role-based read access with audit trails, and explicit contractual exclusion from training corpora.

Model and tenant isolation. Does a prompt from Tenant A's user ever share a model context window with Tenant B's data? In multi-tenant inference, the textbook failure mode is one tenant's RAG context bleeding into another tenant's response. The expected answer covers context isolation at the request level, separate KV caches per tenant where applicable, ephemeral context destruction after each session, and — for the highest-tier customers — dedicated model deployments rather than shared inference.

Regional pinning. Where does inference happen, geographically? For EU buyers under GDPR and the AI Act, "we route to whichever region has capacity" fails the question. The expected answer is region-pinned inference with documented data flow diagrams, no cross-border training data movement, and contractual commitments that survive provider switches.

Refusal calibration and harmful-content policy. What does the model refuse, and why? What's the policy document, who approved it, when was it last reviewed, and is it auditable? Enterprises increasingly want to see an explicit refusal taxonomy mapped to their internal risk categories — not "the model is safe" but "here are the 14 categories we refuse, here's the policy that defines them, here's the eval that measures refusal accuracy, here's the change log."

Prompt-injection detection coverage. What's your quantified injection-resistance rate, by model version, against a published corpus? "We have prompt-injection defenses" is no longer an answer; "our injection-blocking rate against the OWASP LLM01 evaluation set is 94.2% on the v3.1 model release as of March 2026" is. Procurement teams are starting to ask for these numbers with version timestamps because they've watched vendors quietly regress between releases.

Incident response and notification. When the model produces harmful output that reaches a user, what's the escalation path? Who gets paged, what's the SLA, what's the customer-notification policy, and is it written into the contract? Most AI vendors have an incident-response plan for the API but not for the model behavior itself, and that gap is exactly what the questionnaire is probing.

SOC 2 isn't the answer, but it's still the prerequisite

A common engineering response to all this is "we have SOC 2 Type II, what more do they want?" The answer: SOC 2 wasn't designed to evaluate AI-specific risk. It doesn't address training data provenance, model bias, adversarial robustness, refusal calibration, or behavior under prompt injection. The Trust Services Criteria cover confidentiality, processing integrity, and privacy in ways that apply to AI systems, but the AI-specific questions are above and beyond.

SOC 2 remains the prerequisite — without it, you're not getting through the front gate at most enterprise buyers — but it's no longer the finish line. The pattern that's emerging is SOC 2 Type II plus an ISO 42001 alignment statement plus a CAIQ AI addendum response plus a published trust center with the artifacts above. The buyers who've moved fastest on AI procurement now treat this as the table stakes bundle, and the buyers who haven't are about 12 months behind.

The deal-cycle math is brutal

The economics of getting this wrong are concrete enough to make a CFO pay attention. Enterprise security reviews for AI features now take four to eight weeks longer than equivalent non-AI reviews, and roughly 75% of vendors either fail to respond or respond late on at least one question. If your average enterprise ACV is $250K and your security review extends from one week to six because nobody can answer the AI section, a single quarter of slow turnaround can push $400K to $800K of revenue into the next quarter — or, more likely, lose it to a competitor whose answers were ready.

That math gets worse as the questionnaire volume scales. Enterprise security teams now field 500-plus vendor questionnaires per year per buying org, and the AI-feature questions are the ones that bottleneck the queue because they require sourcing an answer from a person — usually an ML engineer — who's never been asked it before. Without a prepared answer set, every deal hits the same bottleneck and the sales-engineering team becomes a manual question-routing layer.

This is where the sales-engineering bridge role has emerged in AI companies that have figured this out: a person whose entire job is owning the AI-questionnaire response pipeline, maintaining the answer library, and translating between procurement-speak and engineering-speak. It's a job that didn't exist three years ago and is now the difference between closing a regulated enterprise deal in six weeks and losing it in twelve.

The trust center pattern: turn the wall into a self-serve doc

The vendors who've gotten ahead of this aren't faster at filling out questionnaires — they're publishing the answers preemptively. A trust center is the artifact: a public, always-current portal that contains the SOC 2 report, the ISO 42001 statement, the AI-BOM, the data-flow diagrams, the refusal policy, the prompt-injection eval results, the regional inference map, and the contract templates. When the prospect's CISO asks for a security review, the answer is "here's the URL, search for what you need, NDA-gated docs are behind this form."

The economics shift dramatically when you can do this. A multi-week back-and-forth questionnaire becomes a same-day review for a CISO who can self-serve the answers. The sales-engineering hours that used to go into questionnaire response go into actual technical wins. The questionnaire-as-bottleneck becomes the questionnaire-as-confirmation: the buyer reads the trust center first, sends a 12-question subset to confirm specifics, and signs.

Building this trust center is mostly a documentation problem, not an engineering problem — but it's a documentation problem that nobody's job is. The team that owns the AI feature is heads-down on quality and latency. The compliance team owns SOC 2 but not the AI specifics. The sales-engineering team owns answers but not source documents. The bridge role exists because somebody has to own the seam.

The architectural realization

The deeper pattern here is that AI features have moved a security-review surface that used to be entirely about infrastructure (who has access to the database, how is data encrypted in transit, what's the patching cadence) into the model layer itself (what does the model know, what does it remember, what does it refuse, what does it leak). The enterprise buyers who matter for revenue have caught up to that. The engineering teams who build AI features mostly haven't.

The work of answering an enterprise AI security questionnaire isn't a sales activity tacked on at the end of a deal — it's the externalization of architectural decisions that should have been made when the feature was designed. If you can't answer "is customer data used for training," it's because you didn't design the data flow with that question in mind. If you can't answer "what's your injection-resistance rate," it's because you didn't build an eval suite that measures it. If you can't answer "is inference region-pinned," it's because the routing was done by whichever provider had capacity.

The questionnaire is asking, in 80 questions, whether you architected the AI feature on the assumption that an enterprise CISO would ever have to approve it. Most teams didn't. The fix isn't a faster sales-engineering team — it's making "can we answer the questionnaire" a design constraint that lands in the spec before the model is fine-tuned, before the prompts are written, before the first eval is run. The teams treating that as a Q4 project will find themselves locked out of regulated enterprises through 2027. The teams treating it as an upstream design discipline will find their deals close in days instead of months, and that gap will compound.