This article is currently available only in English.
Third-Party AI Controls: The Vendor Management Framework for AI Risk
Most enterprise AI risk is third-party AI risk — AI embedded in software you buy, not AI you build. Vendor AI governance requires specific controls beyond standard vendor management. Here is the framework.
Key Takeaways
The majority of enterprise AI risk is third-party AI risk — AI embedded in ERP systems, HR platforms, customer service software, fraud detection tools, and CRM systems that organisations buy rather than build. Standard vendor management was not designed for this risk.
Third-party AI controls must address the full lifecycle: pre-procurement (AI capability assessment, bias audit review, governance programme evaluation); contracting (AI-specific contract provisions); deployment (integration governance); and ongoing (vendor monitoring, annual requalification).
The 'right to audit' clause is the most important AI-specific contract provision. Without the contractual right to request and receive AI governance documentation — bias audit results, model validation summaries, incident reports — ongoing vendor AI oversight is impossible.
Training data restrictions are the second most important contract provision. Standard SaaS terms typically allow vendors to use your data to train or improve their AI models. For confidential client data, commercially sensitive data, and personal data subject to GDPR, this must be explicitly prohibited unless you have made a deliberate decision that it is acceptable.
Vendor AI incident notification: contracts should require vendors to notify you of material AI incidents affecting their systems — including incidents that may not directly affect your deployment but indicate systemic governance failures. Vendors who do not agree to this provision are treating their AI governance as proprietary, which is itself a risk signal.
Annual AI vendor requalification: AI systems change. A vendor's AI governance in year one of a contract may be significantly different from year three. Annual requalification — reviewing governance documentation, bias audit results, and any incidents from the past year — should be standard for any vendor whose AI is used in consequential decisions.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."
Why vendor AI risk is different from vendor IT risk
Traditional vendor management focuses on: financial stability (will the vendor still exist next year?); security (can they protect the data you share with them?); contractual compliance (are they delivering what they promised?); and business continuity (what happens if they fail?). These remain relevant for AI vendors, but AI creates additional risk dimensions that standard vendor management does not address.
AI-specific vendor risks include: training data contamination (your data is used to train the vendor's AI model, potentially creating confidentiality and IP issues); AI model degradation (the vendor's AI model degrades over time without your knowledge, producing worse outcomes); demographic bias (the vendor's AI model produces biased outcomes for your customers that create your regulatory and reputational risk); AI-specific security vulnerabilities (prompt injection, adversarial attacks, model inversion); and AI governance failures at the vendor level creating regulatory exposure for you as the deployer.
Pre-procurement AI assessment
Before selecting an AI vendor, the assessment should go beyond standard vendor risk questionnaires to specifically address AI governance. Key questions: Does the product use AI? If so, for what functions? What training data was used to train the AI? Do the vendor's terms allow them to use your data to train their AI models? Has the AI been independently validated or bias-audited? Can the vendor provide validation or bias audit documentation? Does the vendor have an AI governance framework? Who is responsible for AI ethics and safety within the vendor organisation? What is the vendor's process when AI incidents occur?
Vendors who cannot or will not answer these questions clearly are providing a signal about their AI governance maturity. A vendor that responds "that's proprietary" to questions about AI bias testing is effectively telling you that you cannot assess the AI risk you are taking on.
AI-specific contract provisions
Right to audit: the contract should give you the right to request AI governance documentation on reasonable notice — bias audit results, model validation summaries, training data descriptions, and incident reports. Without this right, you have no mechanism for ongoing vendor AI oversight.
Training data restrictions: explicitly prohibit the vendor from using your data (customer data, employee data, confidential business data) to train or fine-tune their AI models without your prior written consent. This must survive contract termination — the vendor should not be able to continue using data from your former relationship after you have ended the contract.
AI incident notification: require the vendor to notify you within a defined timeframe of material AI incidents — including incidents that may not directly affect your deployment. Define "material AI incident" in the contract rather than leaving it undefined.
Model change notification: require the vendor to notify you before deploying material changes to AI models that affect your deployment. "Material" should be defined to include changes that could affect accuracy, demographic fairness, or outputs in your use case.
Liability for AI errors: define liability allocation for AI errors that cause loss. Standard SaaS limitation of liability clauses cap liability at the contract value — which may be wholly inadequate if a vendor's AI model error causes significant customer harm or regulatory sanction.
Ongoing vendor AI monitoring
Vendor AI monitoring should be a defined responsibility with a named owner. Monitoring activities should include: reviewing vendor notifications about AI changes and incidents; periodically reviewing AI output quality and comparing against baseline; tracking customer complaints that may indicate vendor AI problems; and conducting annual requalification. Annual requalification should involve requesting updated governance documentation, reviewing the vendor's AI incident record for the past year, and reassessing whether the vendor's AI governance remains adequate for the risk level of the use case.