Vendor Risk Management

Assessing and monitoring third-party suppliers of AI components or services to identify and mitigate potential compliance, security, or ethical risks.

Definition

A lifecycle process of vendor due diligence: issuing security and ethics questionnaires, reviewing third-party audit reports (SOC 2 reports, ISO certifications), conducting on-site or virtual assessments, and recording each vendor's risk profile in an enterprise vendor registry. Ongoing monitoring includes periodic reassessments, performance-and-compliance SLAs, and contingency planning (fallback vendors) so that a vendor's failure or non-compliance can be addressed without disrupting the business.

Real-World Example

An insurance firm engages a third-party model-hosting provider. Before contracting, the firm reviews the provider's SOC 2 report, runs a security questionnaire, and conducts an ethics audit of the provider's model-training data. The vendor is classified as "medium-risk," which triggers quarterly reassessments and a contractual right to audit, ensuring continuous oversight of the third-party AI service.