Field notes

April DDQ patterns, a year later

A field note on the questionnaires that landed this week — what's repeating from last April, what's new, and the two categories that are quietly eating the most response time.

PursuitAgent 2 min read Procurement

This week’s inbound DDQ pile included 38 questionnaires across seven customers. We ran them through the classifier and looked at how the shape of the stack has shifted from April 2025, when we started keeping this tally.

Four patterns stood out.

AI governance sections are now routine

A year ago, “AI governance” appeared in about 12% of security questionnaires that crossed our desk. This week, it was in roughly 60% — and the depth has changed. Last year’s questions were one-liners: “Do you use generative AI in your product?” This year’s are clusters of 15–25 items that probe model provenance, training-data policy, retention, tenant isolation for prompts, and the logging stance on customer content sent to third-party model APIs. Safe Security documented this shift mid-2025; the enterprise curve has caught up.

Privacy sections are shrinking

Privacy sections are 30–40% shorter than this time last year. Not because privacy matters less — because the DPAs, SCCs, and TIA templates have standardized. Buyers now link to a reference contract and ask for three things: a signed DPA, a sub-processor list, and the security addendum. The rest is incorporated by reference.

Vendor-management overlap keeps growing

Roughly a third of this week’s DDQs asked the same 8–10 questions a SIG Lite or CAIQ would ask. The duplication is not going away. It’s growing. Enterprise vendor-management teams build their own questionnaires because their legal review wants answers in their schema, not the industry-standard one. The result is that a single-vendor response stack is a multi-format output problem — we publish the same evidence in four shapes.

The “AI red-team summary” is the new boilerplate

Seven of 38 asked, in some form: “Provide a summary of your most recent red-team or adversarial evaluation for AI features.” This did not exist a year ago. The buyers asking are not the largest ones — they are the mid-market firms whose counsel is catching up with last year’s advisories.


We’ll publish the full April volume cut at the end of the week. If your stack looks different from this, we’d like to see the delta. The product’s DDQ classifier ships a summary export now — see the grounded-summary export changelog from April 3.

Sources

  1. Safe Security — vendor security questionnaire best practices
  2. Arphie — how AI is changing security questionnaire processes