Risk management

Vendor management

Evaluate and monitor third-party AI vendors and suppliers.

Overview

Vendor management is the practice of tracking, evaluating, and overseeing your relationships with third-party providers. For AI governance, this means maintaining visibility into who supplies your AI capabilities, what data they access, and how their services affect your compliance obligations.

Modern AI systems often rely on external providers for models, training data, compute infrastructure, or complete AI services. Each of these relationships introduces dependencies that need to be understood and managed. Without proper vendor management, you may not know which vendors have access to sensitive data, which use cases depend on which services, or how a vendor change could impact your operations.

Why manage AI vendors?

Effective vendor management helps you:

  • Maintain visibility: Know exactly which vendors support your AI systems and what they provide
  • Manage dependencies: Understand which use cases rely on which vendors and plan for changes
  • Control data flows: Track what data is shared with each vendor and ensure appropriate protections
  • Support compliance: Document vendor relationships for regulatory audits and assessments
  • Reduce risk: Identify and address vendor-related risks before they become problems

Under the EU AI Act, organizations using third-party AI systems remain responsible for compliance. Proper vendor management is essential to demonstrate due diligence.

The vendor registry

Access the Vendor Registry from the sidebar to view and manage all your AI vendors. The registry displays:

  • Complete list of registered vendors
  • Risk scores and review status
  • Assignee responsible for each vendor
  • Use case associations

[Screenshot: vendor list page showing a table with vendor names, assignees, status, risk scores, scorecards, and review dates]
The vendor registry displays all registered AI vendors with their risk scores and review status.

Adding vendors

To register a new vendor, click "Add vendor" and provide the following information:

  1. Vendor name: The official company or product name
  2. Vendor provides: Description of what the vendor supplies
  3. Assignee: Person responsible for managing this vendor relationship
  4. Website: Vendor's official website URL
  5. Vendor contact person: Primary contact at the vendor

[Screenshot: "Add new vendor" modal with fields for vendor name, use cases, website, contact person, assignee, description, review status, reviewer, review date, and result]
Register new vendors with complete contact and review information.

Review workflow

VerifyWise includes a built-in review workflow for vendor assessments:

Not started

Vendor has been added but review has not begun.

In review

Vendor assessment is currently in progress.

Reviewed

Vendor assessment has been completed.

Requires follow-up

Review identified issues that need additional attention.

Each review captures:

  • Reviewer: The person conducting the assessment
  • Review date: When the review was performed
  • Review result: Findings and conclusions from the review

Vendor scorecard

VerifyWise uses a scorecard approach to assess vendor risk. Each vendor is evaluated across multiple dimensions:

Data sensitivity

Classify the sensitivity of data shared with or processed by the vendor:

  • None: No sensitive data is shared
  • Internal only: Internal business data only
  • PII: Personally identifiable information
  • Financial: Financial data or records
  • Health: Health-related information
  • Model weights: Proprietary model parameters
  • Other: Other sensitive data types

Business criticality

Rate how critical this vendor is to your operations:

  • Low: Vendor is non-essential; easy to replace
  • Medium: Vendor supports important but not critical functions
  • High: Vendor is critical to core business operations

Past issues

Document any historical incidents with the vendor:

  • None: No past incidents
  • Minor incident: Small issues that were resolved
  • Major incident: Significant incidents affecting operations

Regulatory exposure

Track which regulations apply to this vendor relationship:

  • GDPR — General Data Protection Regulation
  • HIPAA — Health Insurance Portability and Accountability Act
  • SOC 2 — Service Organization Control 2
  • ISO 27001 — Information Security Management
  • EU AI Act — European AI Regulation
  • CCPA — California Consumer Privacy Act

Risk score

Based on the scorecard inputs, VerifyWise calculates an overall risk score for each vendor. Higher scores indicate greater risk requiring more attention and oversight.

Best practice
Regularly update scorecard values as your vendor relationship evolves. Changes in data sharing, criticality, or regulatory requirements should trigger a scorecard review.

Linking vendors to projects

Associate vendors with the projects that use their services. This creates visibility into:

  • Which projects depend on which vendors
  • Impact assessment when vendor issues arise
  • Vendor concentration across your portfolio

Important
When a vendor experiences an incident or regulatory action, review all linked projects to assess potential impact.
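The scorecard dimensions, review states and vendor-to-project links described in this guide can be kept in a small model so that a vendor incident immediately yields the list of projects to review. The following Python is an added example and not VerifyWise's code: the weighting used to turn scorecard values into a risk score is an assumption chosen for illustration (VerifyWise does not publish its formula here), and the vendor and project names are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


# Enumerations taken from the scorecard and review workflow in this guide.
class DataSensitivity(Enum):
    NONE = "None"
    INTERNAL_ONLY = "Internal only"
    PII = "PII"
    FINANCIAL = "Financial"
    HEALTH = "Health"
    MODEL_WEIGHTS = "Model weights"
    OTHER = "Other"


class BusinessCriticality(Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


class PastIssues(Enum):
    NONE = "None"
    MINOR = "Minor incident"
    MAJOR = "Major incident"


class ReviewStatus(Enum):
    NOT_STARTED = "Not started"
    IN_REVIEW = "In review"
    REVIEWED = "Reviewed"
    REQUIRES_FOLLOW_UP = "Requires follow-up"


# Regulations listed under "Regulatory exposure" in the guide.
KNOWN_REGULATIONS = {"GDPR", "HIPAA", "SOC 2", "ISO 27001", "EU AI Act", "CCPA"}

# ASSUMED weights for illustration only; not VerifyWise's actual formula.
SENSITIVITY_WEIGHT = {
    DataSensitivity.NONE: 0, DataSensitivity.INTERNAL_ONLY: 1, DataSensitivity.OTHER: 2,
    DataSensitivity.PII: 3, DataSensitivity.FINANCIAL: 3, DataSensitivity.MODEL_WEIGHTS: 3,
    DataSensitivity.HEALTH: 4,
}
CRITICALITY_WEIGHT = {BusinessCriticality.LOW: 1, BusinessCriticality.MEDIUM: 2, BusinessCriticality.HIGH: 3}
ISSUES_WEIGHT = {PastIssues.NONE: 0, PastIssues.MINOR: 1, PastIssues.MAJOR: 3}


@dataclass
class Vendor:
    name: str
    provides: str
    assignee: str
    data_sensitivity: DataSensitivity
    criticality: BusinessCriticality
    past_issues: PastIssues = PastIssues.NONE
    regulations: frozenset[str] = frozenset()
    review_status: ReviewStatus = ReviewStatus.NOT_STARTED
    projects: frozenset[str] = frozenset()

    def risk_score(self) -> int:
        """Illustrative score: data exposure scaled by how hard the vendor is to
        replace, plus incident history and regulatory surface. Higher = more oversight."""
        unknown = self.regulations - KNOWN_REGULATIONS
        if unknown:
            raise ValueError(f"unknown regulation(s): {sorted(unknown)}")
        exposure = SENSITIVITY_WEIGHT[self.data_sensitivity] * CRITICALITY_WEIGHT[self.criticality]
        return exposure + ISSUES_WEIGHT[self.past_issues] + len(self.regulations)


class VendorRegistry:
    def __init__(self) -> None:
        self._vendors: dict[str, Vendor] = {}

    def add(self, vendor: Vendor) -> None:
        if vendor.name in self._vendors:
            raise ValueError(f"vendor already registered: {vendor.name}")
        self._vendors[vendor.name] = vendor

    def risk_score(self, name: str) -> int:
        return self._vendors[name].risk_score()

    def impacted_projects(self, name: str) -> list[str]:
        """Projects to review when this vendor has an incident or regulatory action."""
        return sorted(self._vendors[name].projects)

    def vendor_concentration(self) -> dict[str, int]:
        """Number of registered vendors each project depends on."""
        counts: dict[str, int] = {}
        for v in self._vendors.values():
            for p in v.projects:
                counts[p] = counts.get(p, 0) + 1
        return counts

    def needs_attention(self, threshold: int) -> list[str]:
        """Vendors at or above the score threshold, or whose review flagged follow-up."""
        return sorted(v.name for v in self._vendors.values()
                      if v.risk_score() >= threshold
                      or v.review_status is ReviewStatus.REQUIRES_FOLLOW_UP)


def build_sample_registry() -> VendorRegistry:
    """Constructed sample data; vendor, assignee and project names are invented."""
    reg = VendorRegistry()
    reg.add(Vendor("Acme LLM", "hosted language model API", "j.doe",
                   DataSensitivity.PII, BusinessCriticality.HIGH, PastIssues.MINOR,
                   frozenset({"GDPR", "EU AI Act"}), ReviewStatus.REVIEWED,
                   frozenset({"support-chatbot", "document-triage"})))
    reg.add(Vendor("ImageStock", "licensed training images", "a.smith",
                   DataSensitivity.INTERNAL_ONLY, BusinessCriticality.LOW,
                   projects=frozenset({"document-triage"})))
    reg.add(Vendor("MedCloud", "GPU compute for health models", "j.doe",
                   DataSensitivity.HEALTH, BusinessCriticality.MEDIUM, PastIssues.NONE,
                   frozenset({"HIPAA", "SOC 2", "ISO 27001"}), ReviewStatus.REQUIRES_FOLLOW_UP,
                   frozenset({"radiology-assist"})))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for name in ("Acme LLM", "ImageStock", "MedCloud"):
        print(name, reg.risk_score(name), reg.impacted_projects(name))
    print(reg.vendor_concentration())
    print(reg.needs_attention(threshold=10))
```

With the assumed weights, `Acme LLM` (PII, high criticality, a minor incident, two regulations) scores 12 and `MedCloud` scores 11; `needs_attention(10)` lists both, while `MedCloud` would still be listed at any threshold because its review status is "Requires follow-up". Whatever weighting you actually use, the point of the model is that `impacted_projects` answers the question in the note above in one call, and `vendor_concentration` shows where a single vendor failure would hit several projects at once.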