DSI 001 · Decision Standards Institute
DSI 001 · For procurement, third-party and vendor risk

You can assess a vendor’s SOC 2

You cannot yet assess whether its system is governed. DSI 001 gives procurement, risk and legal teams a portable, system-level governance signal to decide whether an AI-enabled vendor is adequate for the use case, and on what conditions.

The asymmetry in vendor risk

What you can assess today
Organisation-level assurance
Necessary, but not specific to the autonomous system in your use case.

What you cannot yet assess
System governance
Whether that system’s autonomy, liability allocation and oversight are adequate for the decisions it will make in your business.

A decision, not a label

The GBI band supports a procurement decision. The buyer still owns the decision; the score reduces the need to reconstruct the vendor’s governance from first principles.

GBI band | Classification | Procurement posture it supports
At or below 1.75 | Certified | Accept; treat as a governed dependency, monitor at cadence
At or below 2.50 | Compliant | Accept with conditions; set terms and reassessment triggers
Above 2.50 | Assessed | Require remediation, or defer, with a re-test before approval
Unclassified | None | Reconstruct governance yourself, or decline

The questions the GBI answers about a vendor

D1 Autonomy. How much does the vendor decide without your staff approving it?
D2 Data. What of your data does it touch, on what basis?
D3 Contract. Does the contract allocate liability for autonomous actions?
D4 Liability. Who absorbs the loss when an autonomous action fails?
D5 Leverage. How hard is the vendor to exit if governance fails?
D6 Stability. Will governance keep pace with model changes?

For APRA-regulated buyers

Some AI providers or embedded AI-dependent vendors may meet the material service provider threshold depending on the service, its criticality and the buyer context. CPS 230 contract compliance is due 1 July 2026. (Regulatory position as at [25 June 2026].)

Put a GBI in your vendor submissions

Require a classification in AI-vendor submissions, or assess a vendor you are evaluating.

Status and limits. A GBI score carries evidential value only when issued by an accredited DSI 001 assessor against the methodology; self-scored or indicative figures are not DSI 001 results. DSI 001 does not determine legal compliance, regulatory approval, insurability, creditworthiness, or the discharge of fiduciary duties. It provides a scoped governance classification and evidence record that may be relevant to those analyses.