SentriAI Feature

Vendor Risk for the AI in Your Stack

The model and tool providers behind your AI are third parties too. AI vendor risk management assesses their provenance, data handling, and approval - on the same control program as every other vendor.

Talk to usFree to start - no card required.
SentriAI · AI Vendor Risk
AI VENDORS
19
model + tool
REVIEWED
14
current
HIGH-RISK
3
data handling
Model provider - training-data termsreview
Tool vendor - no DPAflagged
Approved model, provenance on fileok
Sub-processor of an AI vendortracked
Screening → REG-001 + VND-002evidenced

Illustrative product view

AI vendors are third parties too

A model API, an embeddings provider, an agent-tooling vendor - each is a third party that can touch your data and shape your AI’s behavior, and each carries risk your vendor program should cover. AI vendor risk management extends the standard vendor process to these providers, adding the AI-specific questions: what happens to data sent to the model, what is the provenance of the model, and is it approved for use.

What to assess in an AI vendor

FactorWhat to checkWhy
Data handlingHow prompts and data are used and retainedData may train the vendor’s model
ProvenanceWhere the model comes fromSupply-chain trust
Approval stateWhether the model/tool is approvedFrom the AI-BOM
Sub-processorsWho the vendor relies onExtended third-party risk
ScreeningSanctions/regulatory statusREG-001 + VND-002 evidence
AI vendor risk factors

Assessing an AI vendor

  1. 1Identify the AI vendor from the AI-BOM or asset register
  2. 2Assess its data handling, retention, and training-data terms
  3. 3Confirm provenance and the model’s approval state
  4. 4Screen the vendor and map it to REG-001 and VND-002 controls
  5. 5Set a review cadence so the assessment stays current

How it connects

  • Runs on the same control program as vendor risk management
  • Draws provenance and approval from the AI-BOM and asset register
  • Screening actions map to REG-001 and VND-002 controls
  • Overdue AI-vendor reviews surface in continuous monitoring

Frequently asked questions

What is AI vendor risk management?

AI vendor risk management assesses the third-party providers behind your AI - model APIs, embeddings providers, agent-tooling vendors - for the risks specific to AI: how they handle and retain your data, the provenance of their models, and whether they are approved. It runs on the same vendor-risk control program as your other third parties.

How is AI vendor risk different from regular vendor risk?

It uses the same process and controls but adds AI-specific questions. Beyond the usual security review, you assess what happens to prompts and data sent to a model, the model’s provenance and approval state from the AI-BOM, and the vendor’s sub-processors - concerns that are unique or heightened for AI providers.

Why is data handling the key AI-vendor question?

Because data you send to an AI vendor may be used, retained, or even used to train the vendor’s models depending on the terms. That makes data handling and retention the central risk for an AI provider, so it is the first thing an AI-vendor assessment should establish.

How does screening an AI vendor produce evidence?

Screening an AI vendor - like any counterparty - is a governed action that maps to internal controls REG-001 and VND-002. So assessing and screening an AI provider both reduces risk and generates vendor and regulatory control evidence, and overdue reviews surface in continuous monitoring.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Assess the vendors behind your AI

Cover model and tool providers on your existing vendor-risk program.

Talk to us