← Back to AI Governance Templates

Legal and Compliance

AI Vendor Risk Policy

Extends third-party risk reviews with AI-specific clauses.

Owner: Vendor Risk Manager

Purpose

Ensures every AI vendor, model provider, API service, or external AI platform is evaluated, approved, and continuously governed in a consistent way to protect data, customers, and regulatory standing.

Scope

Applies to any vendor that provides one or more of the following services. This includes open-source providers and free usage tiers.

  • AI inference APIs or hosted model endpoints
  • Model hosting, fine-tuning platforms, or vector databases
  • AI agents, copilots, or autonomous decision systems
  • AI data labeling or synthetic data generation services
  • SaaS platforms embedding AI-driven decision making

Vendor Risk Evaluation Framework

Classify each AI vendor as High, Medium, or Low risk using these dimensions.

  • Sensitivity of data processed or stored
  • Criticality of the business process the vendor supports
  • Degree of automation or autonomy in decisions
  • Regulatory and contractual obligations triggered
  • Security posture maturity and independent attestations

Mandatory Vendor Risk Requirements

Before approval, document the following requirements and capture evidence in the vendor file.

  • Detailed vendor security posture plus audit evidence (e.g., SOC, ISO, penetration tests)
  • Privacy documentation covering retention, deletion, jurisdiction, and lawful use
  • Purpose binding that limits vendor use of company data
  • Model transparency information such as model family, version history, and release notes
  • AI safety guardrails or model safety maturity evidence
  • SLAs for incident reporting, outages, and model regressions
  • Sub-processor disclosures and data transfer approach
  • Exit capabilities: ability to export, delete, or transfer data and switch vendors with reasonable effort
  • High-risk vendors require Legal, Security, and AI Governance approval before activation

Ongoing Monitoring

After onboarding, monitor vendors for material change and re-evaluate when necessary.

  • Performance drift, reliability degradation, or SLA breaches
  • Major model version updates that could change behavior
  • Changes to Terms of Service, privacy policies, or sub-processors
  • Regulatory or jurisdictional changes impacting vendor obligations
  • Newly discovered safety concerns or public incidents

Vendor Offboarding

If a vendor becomes non-compliant or exceeds risk tolerance, execute the offboarding plan.

  • Export required datasets, logs, and configuration artifacts
  • Confirm deletion or return of company data per contract
  • Identify and activate alternate vendors or contingency solutions
  • Terminate production connections and credentials

Enforcement

No team may bypass classification or approval. Violations can lead to access removal, procurement cancellation, or disciplinary action depending on impact. This policy is reviewed annually and whenever regulations evolve.

AI Vendor Risk Policy | VerifyWise AI Governance Templates