
Vendor risk assessment

Assess and track risks associated with your AI vendors.

Overview

Vendor risk assessment evaluates the risks that come from relying on third-party providers for AI capabilities. When you use external AI services, models, or platforms, you inherit risks from those relationships — risks that are different from those of systems you build and control internally.

Third-party AI introduces dependencies that can affect your compliance, security, and operations. A vendor security breach could expose your data. A vendor going out of business could disrupt your services. Changes to a vendor's model could alter your system's behavior in unexpected ways. Understanding and managing these risks is essential for responsible AI governance.

Why assess vendor risks?

Vendor risk assessment helps you:

  • Maintain compliance: Under regulations like the EU AI Act, you remain responsible for AI systems even when using third-party components
  • Protect sensitive data: Understanding what data flows to vendors helps you make informed decisions about data sharing
  • Ensure business continuity: Identifying critical vendor dependencies helps you prepare contingency plans
  • Prioritize oversight: Risk scores help you focus review efforts on the vendors that matter most

Vendor risk scores are calculated from the scorecard fields on each vendor record. Update these fields regularly to keep risk profiles accurate.

Scorecard dimensions

Figure: The vendor scorecard's advanced section, with dropdown fields for data sensitivity, business criticality, past issues, and regulatory exposure. The scorecard captures the risk factors used to calculate an overall risk score.

VerifyWise assesses vendor risk across four key dimensions:

Data sensitivity

The sensitivity level of data shared with or processed by the vendor.

Business criticality

How critical the vendor is to your core business operations.

Past issues

Historical incidents or problems with this vendor relationship.

Regulatory exposure

Which regulations apply to this vendor relationship.

Assessing data sensitivity

Higher data sensitivity increases vendor risk. Select the most sensitive class of data the vendor receives or processes, counting everything that leaves your environment: prompts and uploaded documents, fine-tuning and evaluation sets, and any request logs the vendor retains:

  1. None: No sensitive data (lowest risk)
  2. Internal only: Internal business data
  3. PII: Personally identifiable information
  4. Financial: Financial data or records
  5. Health: Health-related information
  6. Model weights: Proprietary model parameters (highest risk)

Best practice
Minimize the data shared with vendors wherever possible. Use anonymized or synthetic data in development and testing environments, and treat pseudonymized data as PII when classifying it: under GDPR, data that can be re-linked to a person with a separate key is still personal data.

Assessing business criticality

Evaluate how dependent your operations are on this vendor:

  • Low: Non-essential services; alternatives readily available
  • Medium: Important but not critical; disruption would be manageable
  • High: Critical to operations; disruption would significantly impact business

Consider these factors when assessing criticality:

  • Number of projects depending on this vendor
  • Availability of alternative vendors
  • Time required to switch providers
  • Revenue impact if vendor services are unavailable

Recording past issues

Document any historical incidents with the vendor to inform future risk decisions:

  • None: No known issues (best)
  • Minor incident: Small issues that were resolved satisfactorily
  • Major incident: Significant incidents affecting operations or compliance

Important
A history of major incidents significantly increases vendor risk. Before continuing the relationship, confirm that the vendor has addressed the root causes, not just the symptoms.

Tracking regulatory exposure

Identify which regulations and assurance frameworks apply to your relationship with this vendor. GDPR, HIPAA, CCPA, and the EU AI Act are legal obligations that follow the data and the use case; SOC 2 and ISO 27001 are attestation and certification frameworks that a vendor can evidence:

  • GDPR — European data protection requirements
  • HIPAA — US healthcare data requirements
  • SOC 2 — Security and availability controls
  • ISO 27001 — Information security management
  • EU AI Act — European AI regulation
  • CCPA — California consumer privacy

More regulatory exposure means higher risk and greater oversight requirements. Ask vendors for evidence rather than assurances: a current SOC 2 report or ISO 27001 certificate, a signed data processing agreement where GDPR applies, and a business associate agreement where HIPAA applies.

Understanding risk scores

VerifyWise calculates an overall risk score based on the scorecard inputs. Higher scores indicate greater risk. Factors that increase the score include:

  • Higher data sensitivity levels
  • High business criticality
  • History of past issues
  • Multiple regulatory exposures

Acting on risk scores

Use risk scores to guide vendor oversight intensity:

  • Low scores: Annual reviews; standard monitoring
  • Medium scores: Semi-annual reviews; enhanced monitoring
  • High scores: Quarterly reviews; active oversight and mitigation planning

Risk review workflow

Use the vendor review workflow to track risk assessments:

  1. Assign a reviewer to conduct the assessment
  2. Update review status to "In review"
  3. Complete the scorecard fields based on current information
  4. Document findings in the review result
  5. Set status to "Reviewed" or "Requires follow-up"

Best practice
Schedule vendor risk reviews based on risk score, and re-run the scorecard whenever something material changes between scheduled reviews: a vendor incident, a new category of data sent to the vendor, or a change to the vendor's model or terms of service.
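The scoring and review-cadence rules above, together with the advice to schedule reviews by risk score, can be reproduced outside the tool, for example to flag overdue reviews from an export of vendor records. The following is an added example written for this guide; it is not VerifyWise's own scoring code, and the point weights, tier thresholds, the "major incident is never low risk" floor, and the sample vendor records are all assumptions chosen for illustration. It does go slightly beyond the text by rejecting records whose regulation field is not one of the listed values, so a typo in a scorecard cannot silently lower a score.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Ordinal weights for the scorecard values this guide lists. The weights, tier
# thresholds and review intervals below are an illustrative policy assumed for
# this example; they are not VerifyWise's own scoring formula.
DATA_SENSITIVITY = {"None": 0, "Internal only": 1, "PII": 2,
                    "Financial": 3, "Health": 4, "Model weights": 5}
BUSINESS_CRITICALITY = {"Low": 0, "Medium": 1, "High": 2}
PAST_ISSUES = {"None": 0, "Minor incident": 1, "Major incident": 3}
KNOWN_REGULATIONS = {"GDPR", "HIPAA", "SOC 2", "ISO 27001", "EU AI Act", "CCPA"}

# Review cadence from the guide: annual, semi-annual, quarterly.
REVIEW_INTERVAL_DAYS = {"low": 365, "medium": 182, "high": 91}


@dataclass
class Vendor:
    name: str
    data_sensitivity: str
    business_criticality: str
    past_issues: str
    regulations: set = field(default_factory=set)
    last_reviewed: Optional[date] = None  # None: never reviewed, so due now


def risk_score(v: Vendor) -> int:
    """Sum the ordinal weights; each regulatory exposure adds one point."""
    unknown = set(v.regulations) - KNOWN_REGULATIONS
    if unknown:  # refuse to score a record with an unrecognised regulation value
        raise ValueError(f"{v.name}: unrecognised regulation(s) {sorted(unknown)}")
    return (DATA_SENSITIVITY[v.data_sensitivity]
            + BUSINESS_CRITICALITY[v.business_criticality]
            + PAST_ISSUES[v.past_issues]
            + len(v.regulations))


def risk_tier(v: Vendor) -> str:
    """Map a score to low/medium/high. Assumed floor: a vendor with a major
    incident on record is never placed in the low tier, whatever its score."""
    score = risk_score(v)
    if score >= 8:
        return "high"
    if score >= 4 or v.past_issues == "Major incident":
        return "medium"
    return "low"


def next_review_due(v: Vendor) -> Optional[date]:
    """Due date of the next review, or None when the vendor was never reviewed."""
    if v.last_reviewed is None:
        return None
    return v.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[risk_tier(v)])


def overdue_vendors(vendors: list, today: date) -> list:
    """Vendors whose review is due on or before `today`, highest risk first."""
    due = [v for v in vendors
           if (d := next_review_due(v)) is None or d <= today]
    return sorted(due, key=risk_score, reverse=True)


# Constructed sample records for the demo; not real vendors.
SAMPLE_VENDORS = [
    Vendor("hosted-llm-api", "PII", "High", "None",
           {"GDPR", "EU AI Act", "SOC 2"}, date(2024, 1, 15)),
    Vendor("transcription-service", "Health", "Medium", "Major incident",
           {"HIPAA"}, date(2024, 6, 1)),
    Vendor("doc-summariser-dev", "None", "Low", "None", set(), None),
    Vendor("embedding-provider", "Internal only", "Low", "Minor incident",
           {"SOC 2"}, date(2024, 5, 20)),
]

if __name__ == "__main__":
    today = date(2024, 9, 1)
    for v in SAMPLE_VENDORS:
        due = next_review_due(v)
        print(f"{v.name:24} score={risk_score(v):2} tier={risk_tier(v):6} "
              f"due={due.isoformat() if due else 'now'}")
    print("overdue:", [v.name for v in overdue_vendors(SAMPLE_VENDORS, today)])
```

Run as a script it lists each sample vendor's score, tier and due date and then the overdue set for 1 September 2024: the transcription service (high tier, quarterly cadence expired on 31 August) ranks above the hosted LLM API (medium tier, semi-annual cadence expired in July), and the never-reviewed development vendor is due regardless of its low score.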