Pricing
About UsContactPress
Start FreeLog in
AI System Inventory
6 min readUpdated 2026-02-15

Vendor & Model Provider Tracking

Track third-party AI vendors, SaaS providers, and foundation model providers — essential for deployer due diligence and supply chain transparency under the EU AI Act.

Vendor & Model Provider Tracking

Most SMEs are deployers — they use AI systems built by third-party vendors. Under the EU AI Act, deployers remain responsible for how they use AI, even when the system is provided by someone else. This means tracking your vendors and their AI capabilities is essential.

Why Vendor Tracking Matters

As a deployer, you must:

  • Use AI according to provider instructions (Article 26) — you need access to those instructions
  • Ensure adequate logging — does your vendor provide logs? What format? What retention?
  • Monitor for issues — can you get performance data from the vendor?
  • Report incidents — does the vendor have an incident notification path?
  • Demonstrate due diligence — auditors will ask what you know about your AI vendors

    • Linking Vendors to AI Systems

    During the AI System Wizard (Step 2), you can:

  • Select an existing vendor from your vendor registry
  • Create a new vendor on the fly — enter name, website, contact info
  • Attach contract documentation — upload the agreement PDF or paste a URL
  • Note the foundation model — if the vendor uses a specific model (e.g., "GPT-4 via Azure OpenAI"), capture this in the Foundation Model field

    • Each AI system can be linked to one vendor. A single vendor can be linked to multiple AI systems.

    Vendor Registry

    Navigate to Vendors in the sidebar to see all tracked vendors. Each vendor profile includes:

  • Basic Information: Name, website, primary contact, country
  • Linked AI Systems: All systems using this vendor
  • Contract Details: Agreement type, start/end dates, renewal dates
  • Attestations: EU AI Act-related statements and certifications
  • Due Diligence Status: Checklist completion level
  • Evidence: All documentation linked to this vendor

    • Foundation Model Tracking

    If your vendor uses a foundation model (e.g., an LLM), capture:

  • Model name and version: "GPT-4 Turbo", "Claude 3.5 Sonnet", "Gemini Pro"
  • GPAI classification: Is it a general-purpose AI model? If so, GPAI obligations may apply to the provider
  • Transparency information: Has the model provider published a model card or summary?
  • Systemic risk: Is the model classified as having systemic risk? (relevant for very large models)

    • This information helps you assess supply chain risk and supports Article 26 compliance.

    Vendor Change Management

    When a vendor changes (new vendor, model upgrade, contract renewal):

  • Update the vendor record in Klarvo
  • The platform prompts a reassessment of linked AI systems
  • Review whether the classification changes
  • Update evidence (new contract, updated security docs)
  • Create tasks for any new due diligence items

    • Best Practices

    📋 Centralize vendor data: Use Klarvo as the single source of truth for AI vendor information
    🔄 Track renewals: Set contract renewal dates and get advance reminders
    📄 Collect proactively: Request AI-specific documentation from vendors at procurement time
    🏷️ Note model providers: Even if your direct vendor is a SaaS company, note the underlying model provider
    ⚠️ Vendor changes = reassessment: Any material vendor change should trigger a review of linked AI system classifications