Your company plans to adopt a third-party AI vendor to process regulated customer data. The vendor offers strong contractual indemnification but declines to share model documentation. What should the security leader do FIRST?
A. Negotiate stronger audit rights into the contract
B. Perform a vendor risk assessment against organizational risk appetite
C. Require the vendor to obtain independent AI certification
D. Pilot the tool with anonymized data to evaluate performance