Third-Party AI Risk Governance
Vendor Risk Checklist
- Data residency and retention guarantees
- Contractual restrictions on using customer data to train vendor models
- SOC 2 / ISO alignment and security attestations
- Incident notification and support SLAs
- Sub-processor transparency
Approval Flow
- Security and privacy review
- Legal and procurement review
- Pilot with restricted scope
- Production approval with quarterly revalidation
Continuous Monitoring
- Track vendor policy changes and incident disclosures.
- Reassess critical vendors quarterly.
- Suspend integrations when high-risk changes remain unmitigated.