Key Takeaway
Third-party AI risk assessment must evaluate dimensions that traditional vendor assessments miss: model versioning policies, training data provenance, output quality SLAs, and the shared responsibility gap for AI-generated decisions. This framework provides a structured evaluation process, contractual requirement templates, and ongoing monitoring procedures specific to AI vendor relationships.
Prerequisites
- An existing vendor management or procurement process
- Inventory of current and planned third-party AI services (APIs, models, platforms)
- Understanding of your organization's risk appetite and AI governance policies
- Access to legal counsel for contract review with AI-specific provisions
- Defined data classification scheme for data sent to third-party AI services
Why AI Vendors Are Different
Traditional vendor risk assessment evaluates security posture, uptime SLAs, data handling practices, and financial stability. These remain important for AI vendors, but they miss the risks unique to AI services. An LLM provider can change model behavior overnight through a version update, degrading the quality of your application without any change to your code. A computer vision API can produce biased outputs that create legal liability for your organization, not the vendor. A model provider can use your input data to train their models, potentially leaking your proprietary information into outputs served to other customers.
The shared responsibility model for AI is immature. When a traditional SaaS vendor's service fails, responsibility is clear: the vendor is responsible for uptime, you are responsible for how you use the output. With AI services, the line is blurred. If the vendor's model produces a discriminatory output that you serve to your users, who is liable? If the vendor's training data includes copyrighted material that appears in outputs you distribute, who bears the legal risk? These questions must be addressed contractually before integration, not after an incident.
Risk Assessment Framework