AIRiskAware

This article is currently available in English only.

Practical Guide | 9 min read | 2026

AI Third-Party Risk Management: The Vendor Assessment Checklist

Most organisations' AI risk comes from the AI tools they buy, not the AI they build. This is the practical vendor assessment checklist — what to ask AI vendors, what the answers mean, and what to put in contracts.


Key Takeaways

  • For most organisations, third-party AI is a larger governance challenge than internally developed AI — the tools bought from vendors process more data, affect more decisions, and are less transparent than AI built in-house.

  • The EU AI Act's deployer obligations cannot be transferred to AI vendors through contract — as the deployer, your organisation is responsible for compliance regardless of what the vendor contract says. Vendor assessment is about risk management, not liability transfer.

  • The three red flags that should stop an AI vendor assessment: the vendor cannot explain how their AI makes decisions at a meaningful level ('it's proprietary' is not acceptable for high-risk AI), the vendor refuses to provide data processing terms that satisfy your legal obligations, or the vendor has had enforcement actions or significant incidents without satisfactory remediation.

  • Contract essentials for AI vendors: data processing agreement (GDPR/Privacy Act), data training restrictions (vendor cannot train on your data without consent), model change notification (30 days for significant changes), audit rights (right to receive performance and security reports), and incident notification (24-hour notification of material incidents).

  • Ongoing vendor monitoring matters as much as the initial assessment — AI vendors update their models, change their data practices, and alter their terms. Quarterly review of material AI vendor relationships is the minimum for those involving high-risk AI.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Please consult a qualified professional for advice on your specific situation."

The assessment framework: five categories

Category 1 — Governance and organisation. Does the vendor have a documented AI governance framework? Who is responsible for AI governance in the vendor organisation? Has the vendor had any AI-related regulatory investigations, enforcement actions, or material litigation? What is the vendor's incident history for AI systems, and how were incidents handled? A vendor that cannot answer these questions has not built AI governance and cannot demonstrate that their AI is managed responsibly.

Category 2 — Data and privacy. What data does the vendor's AI process? Where is that data stored and processed? Does the vendor use customer data to train their AI models? What are the vendor's data retention and deletion practices? Is the vendor ISO 27001 certified or equivalent? For regulated industries, does the vendor hold relevant certifications (SOC 2 Type II, HIPAA BAA, PCI DSS)? The data and privacy questions often reveal the most significant risks — vendors whose data processing practices are unclear or inadequately documented create compliance exposure for the organisations that use their products.

Category 3 — Technical AI governance. How is the vendor's AI validated before deployment? What bias testing has been conducted, using what methodology? What monitoring does the vendor conduct for AI performance in production? How does the vendor manage model changes — what is the change management process and how are customers notified? Has the vendor conducted adversarial testing or red-teaming of their AI? What is the vendor's explainability capability for AI decisions — can the AI provide explanations adequate for your regulatory context?

Category 4 — Regulatory compliance. Which AI regulations apply to the vendor's products, and how does the vendor track compliance? For EU AI Act high-risk AI — has the vendor conducted conformity assessment, and can they provide the technical documentation? For GDPR/Privacy Act — can the vendor execute a data processing agreement that satisfies your legal obligations? What are the vendor's obligations under applicable sector-specific regulation, and how are they meeting them?

Category 5 — Operational stability and resilience. What is the vendor's financial stability? What is the service level agreement for AI system availability? What is the vendor's business continuity plan for AI systems that support your critical operations? What happens to your data and your access to the AI system if the vendor is acquired, goes into administration, or discontinues the product? For high-risk AI vendor relationships, the operational stability assessment is not optional — a vendor failure that disrupts critical operations creates CPS 230 and equivalent regulatory risk.