Third-party products and risk
Less visibility never means less responsibility. Third-party AI splits into two contexts: AI integrated into business operations (which needs the more comprehensive assessment) and off-the-shelf employee tools. Five risks come with it, chiefly data lineage and traceability issues, and they are managed through a structured vendor screening strategy.
Less visibility never means less responsibility. Deployers of third-party AI must still assess risk in the context of their own use cases.
- Context 1 - Integrated into business operations → backend operations like an external vendor screening résumés in HR, or AI features embedded into the organisation's own product or service → requires the more comprehensive risk assessment.
- Context 2 - Off-the-shelf employee tools → LLM chat tools (ChatGPT, Gemini), image generators, Grammarly, Copilot variants, and tools not obviously AI-based → employee outputs may become client-facing, consumer-facing or operational, so visibility into risk still matters.
Five risks ride along with third-party AI:
- Data lineage and traceability issues (ambiguity over training-data origin).
- Downstream issues that may force the model offline (e.g., copyright lawsuits).
- Model output ownership and control (set by the licensing agreement).
- Data handling and security risks from the development environment.
- Quality and performance that may not fit the task.
Screening strategy:
- Have clear AI guidance generally, then delineate the categories of vendor services in use.
- Per category, define the screening capability.
- Ask vendors for testing results and product safety rules or restrictions.
- Confirm they meet internal requirements to limit liability and risk.
Expand existing vendor screening to cover AI-specific risks and review vendor acceptable use policies. Keep policies, assessments and contracts regularly updated and adaptable.