Vendors

Third-party AI service risk management, supply chain security, and vendor assessments.

📖
Vendors Domain Handbook (v3.0)
Full v3.0 practitioner reference, Parts I–V, all 12 practices, 108-question assessment workbook with scoring methodology and improvement roadmap
Read the Handbook →

⚖ Governance

Strategy & Metrics (SM)

Stand up a Vendor AI Assurance program that discovers, inventories, and strategically governs all AI/HAI tools and services provided by vendors, with shadow AI prevention as the primary L1 outcome.

☑ Questionnaire

Explore →

Policy & Compliance (PC)

Publish the priority policies and compliance map that make a Vendor AI Assurance program enforceable, so adoption of AI/HAI tools from vendors is gated, attributable, and defensible to auditors, regulators, and customers. Shadow AI prevention is the primary L1 outcome.

☑ Questionnaire

Explore →

Education & Guidance (EG)

Give the workforce the literacy to recognize AI/HAI vendors in their day-to-day tools and route them through the intake gate, and give the small reviewer population (Security, Procurement, Legal/Privacy, TPRM) the specific skills to run AI-vendor reviews consistently. Shadow AI reduction via awareness is the primary L1 outcome.

☑ Questionnaire

Explore →

⚒ Building

Threat Assessment (TA)

Build the foundational AI-vendor threat library that lets every intake produce a fast, consistent threat snapshot, and give shadow AI its own explicit threat surface. Primary L1 outcome: no AI vendor enters the environment without a documented threat view in under 30 minutes.

☑ Questionnaire

Explore →

Security Requirements (SR)

Define the minimum, reusable security requirements pack for AI vendors that the intake gate enforces, translating the threats from TA-Vendors and the policies from PC-Vendors into specific, testable requirements the vendor must meet (or the org must compensate for) before approval.

☑ Questionnaire

Explore →

Security Architecture (SA)

Publish the reference architectures for safely consuming each AI vendor archetype, so teams integrating an AI vendor have a vetted "green path" that already implements the SR-Vendors requirements, and teams deviating from it do so knowingly and explicitly.

☑ Questionnaire

Explore →

✓ Verification

Design Review (DR)

Operate a lightweight design checkpoint between intake approval and production rollout for every AI vendor integration, confirming the team picked a reference pattern, covered the SR requirements, and accepted only the residual risks the program can live with.

☑ Questionnaire

Explore →

Implementation Review (IR)

Verify, at the point of deployment and on a recurring cadence, that the actual AI vendor integration configuration matches the design approved at DR, closing the gap between what was designed and what is running.

☑ Questionnaire

Explore →

Security Testing (ST)

Exercise the AI vendor integration end-to-end with foundational tests that directly target the top archetype threats (data egress, prompt injection, permission-boundary abuse, logging completeness, shadow-AI discovery), so reviewed configurations are not only correct on paper but observed to behave correctly.

☑ Questionnaire

Explore →

⚙ Operations

Issue Management (IM)

Run a single backlog and a single incident playbook for AI-vendor issues, so that findings from TA snapshots, SR requirement gaps, DR conditions, IR drifts, ST failures, and ML detections all flow into one prioritized queue with named owners, SLAs, and a clear path to vendor-breach notification.

☑ Questionnaire

Explore →

Environment Hardening (EH)

Harden the organization's perimeter against AI-vendor data leakage and shadow AI, using controls already present in most enterprise stacks (SSO/IdP, DLP, browser management, egress control, endpoint management, SaaS admin governance) tuned specifically for AI vendor behavior.

☑ Questionnaire

Explore →

Monitoring & Logging (ML)

Provide the detection and evidence foundation for the Vendor AI Assurance program, the logs that prove EU AI Act deployer duties and GDPR processor obligations, and the detections that surface shadow AI, data-egress anomalies, agent-tool abuse, and vendor-side behavior changes.

☑ Questionnaire

Explore →