Vendor Risk for the AI in Your Stack
The model and tool providers behind your AI are third parties too. AI vendor risk management assesses their provenance, data handling, and approval - on the same control program as every other vendor.
Illustrative product view
AI vendors are third parties too
A model API, an embeddings provider, an agent-tooling vendor - each is a third party that can touch your data and shape your AI’s behavior, and each carries risk your vendor program should cover. AI vendor risk management extends the standard vendor process to these providers, adding the AI-specific questions: what happens to data sent to the model, what is the provenance of the model, and is it approved for use.
What to assess in an AI vendor
| Factor | What to check | Why |
|---|---|---|
| Data handling | How prompts and data are used and retained | Data may train the vendor’s model |
| Provenance | Where the model comes from | Supply-chain trust |
| Approval state | Whether the model/tool is approved | From the AI-BOM |
| Sub-processors | Who the vendor relies on | Extended third-party risk |
| Screening | Sanctions/regulatory status | REG-001 + VND-002 evidence |
Assessing an AI vendor
- 1Identify the AI vendor from the AI-BOM or asset register
- 2Assess its data handling, retention, and training-data terms
- 3Confirm provenance and the model’s approval state
- 4Screen the vendor and map it to REG-001 and VND-002 controls
- 5Set a review cadence so the assessment stays current
How it connects
- Runs on the same control program as vendor risk management
- Draws provenance and approval from the AI-BOM and asset register
- Screening actions map to REG-001 and VND-002 controls
- Overdue AI-vendor reviews surface in continuous monitoring
Frequently asked questions
What is AI vendor risk management?
AI vendor risk management assesses the third-party providers behind your AI - model APIs, embeddings providers, agent-tooling vendors - for the risks specific to AI: how they handle and retain your data, the provenance of their models, and whether they are approved. It runs on the same vendor-risk control program as your other third parties.
How is AI vendor risk different from regular vendor risk?
It uses the same process and controls but adds AI-specific questions. Beyond the usual security review, you assess what happens to prompts and data sent to a model, the model’s provenance and approval state from the AI-BOM, and the vendor’s sub-processors - concerns that are unique or heightened for AI providers.
Why is data handling the key AI-vendor question?
Because data you send to an AI vendor may be used, retained, or even used to train the vendor’s models depending on the terms. That makes data handling and retention the central risk for an AI provider, so it is the first thing an AI-vendor assessment should establish.
How does screening an AI vendor produce evidence?
Screening an AI vendor - like any counterparty - is a governed action that maps to internal controls REG-001 and VND-002. So assessing and screening an AI provider both reduces risk and generates vendor and regulatory control evidence, and overdue reviews surface in continuous monitoring.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
Assess the vendors behind your AI
Cover model and tool providers on your existing vendor-risk program.
Talk to us