Third-Party Risk

The exposure that arises from relying on external data providers, model vendors, or service platforms whose practices may introduce compliance gaps or security vulnerabilities into an organization's own systems.

Definition

Managing third-party risk involves due diligence on a vendor's data-protection practices, security controls, and governance maturity. Contractual measures include SLAs, audit rights, and indemnification clauses. Governance teams maintain a third-party registry, conduct periodic risk assessments (reviewing evidence such as SOC 2 reports, and checking that the report's scope and period actually cover the service being consumed), and monitor vendor performance. High-risk vendors trigger enhanced oversight: penetration tests, compliance audits, and contingency plans for vendor failure.

Real-World Example

A bank's AI team evaluates a third-party fraud-detection API by reviewing the vendor's SOC 2 Type II report, issuing a security questionnaire, and running an ethical-AI audit of the vendor's model. The vendor is classified as "High Risk," which requires quarterly re-audits and a fallback plan to switch to an in-house solution if the vendor's standards slip.