Third-Party AI Risk Management
Vendor and third-party AI risk controls
Outcome: Assess and manage third-party AI risk with defensible due diligence and controls.
Due diligence, contracting considerations, and ongoing monitoring expectations.
Implementation Outcome
This course clarifies how to identify, assess, and control AI risk embedded in third-party products and services.
- Third-party AI due diligence questionnaire
- Contract/control clause guidance
- Ongoing monitoring and review cadence checklist
Controls & Evidence
- Designed for records retention, version control, and documented review cadence
- Supports internal control alignment and defensible oversight practices
- Produces an audit-reviewable evidence set suitable for internal audit request workflows
Data handling: No submission of sensitive or proprietary data is required to complete the program.
Risk Exposure
Without defensible policies and controls, enterprise risk from third-party AI can go unidentified and unmitigated. This program addresses the risk areas most relevant to this capability:
- Unvetted vendor AI use affecting enterprise data
- Opaque model behavior, or model changes deployed by the vendor without notice
- Insufficient contractual protections and audit rights
- No ongoing monitoring of third-party AI controls
Deliverables
Due Diligence Questionnaire
Data, model, security, and governance questions for vendors.
Contract & Control Guidance
Control expectations, audit rights, and change notification clauses.
Ongoing Monitoring Plan
Review cadence, evidence requests, and issue tracking.
Risk Acceptance Template
How to document exceptions and residual risk decisions.
Governance Lifecycle Integration
- Baseline: Establish policy-aligned use patterns and minimum control expectations across affected teams.
- Oversight: Assign accountable owners, decision rights, and escalation paths for AI-assisted activities.
- Monitoring: Define review cadence, metrics, and control checks aligned to operational reality.
- Documentation: Maintain version-controlled artifacts and evidence suitable for records retention and review.
- Audit Review: Enable internal audit and leadership review with traceable controls, decisions, and evidence.
Buyer Questions
Does this require sharing confidential data with the provider?
No. The program is designed for policy, controls, and safe-use practices. Participants can complete the program without submitting sensitive or proprietary data.
Who should attend?
Risk, legal, and procurement teams, along with anyone who owns vendor onboarding or third-party oversight.
What evidence is produced for audit review?
Version-controlled artifacts (policy templates, oversight workbook outputs, and control-aligned documentation) suitable for internal audit requests and governance reviews.
How is it deployed?
On-demand delivery with enterprise licensing options. LMS and SSO integration can be included in rollout scoping.
How are artifacts maintained over time?
Artifacts are designed for version control and periodic review. Organizations can align updates to internal change management and records retention requirements.
Request Enterprise Pricing
For rollout scoping (seat counts, deployment model, LMS/SSO integration, and licensing options), request enterprise pricing and deployment scope.