Module 19 Lesson 4: AI Vendor Risk

Who are you trusting? Learn how to evaluate the security of AI vendors (OpenAI, Anthropic, Midjourney) before integrating them into your business.

Module 19 Lesson 4: Third-party risk management for AI vendors

When you use ChatGPT, you aren't just using a tool; you are extending your "Trust Boundary" to OpenAI's servers.

1. The AI Vendor Questionnaire

Before signing a contract with an AI vendor, you must ask:

  1. Do you train on our data? (The answer must be a clear "NO" for enterprise accounts.)
  2. Where is the data stored? (Does it cross international borders?)
  3. How do you log our prompts? (Who at your company has access to these logs?)
  4. How do you handle prompt injection? (What built-in filters do you provide?)

2. Reviewing SOC2 and ISO Reports

Check the vendor's security certifications.

  • SOC2 Type II: Proves they have "Operating Effectiveness" for security, availability, and privacy over a long period (not just a single day).
  • Special Note: Look for AI-specific audits (like the NIST AI RMF compliance statement).

3. The "Downstream" Risk

If your vendor (e.g., a "Customer Support AI" startup) uses another vendor (e.g., OpenAI) to process the data:

  • The Risk: You now have "Fourth-party" risk. If OpenAI is hacked, your startup vendor is hacked, and your company is hacked.
  • The Requirement: Your contract must require the vendor to notify you of any breach in their own supply chain.

4. Financial Stability of AI Vendors

AI is a "Hype" market. Startups go bankrupt every day.

  • The Risk: If your AI vendor goes out of business tomorrow, what happens to the fine-tuned weights you paid to create?
  • Always have a "Backup Plan" or a way to export your data and models.

Exercise: The Vendor Analyst

  1. You are evaluating a new "AI Image Generator" for your marketing department. What is your #1 security question?
  2. Why is a "Startup" AI company riskier than a "Large Provider" (like Azure)?
  3. What is an "Escrow" agreement for model weights?
  4. Research: What is "VSA" (Vendor Security Alliance) and does it cover AI-specific risks?

Summary

Third-party risk management is about Trust, but Verify. By performing deep due diligence on your AI vendors, you ensure that you aren't "Importing" vulnerabilities into your own organization.

Next Lesson: Passing the test: Preparing for AI audits and certifications.
