AI increases both the number of external dependencies and the speed at which those dependencies change. That creates more opportunities for data exposure, overbroad access, and opaque automation by suppliers. When external tools can generate, classify, or act on information, the enterprise needs stronger evidence, tighter boundaries, and faster revalidation.
Why This Matters for Security Teams
Third-party risk becomes more serious with AI because suppliers no longer just process data or provide software. They may also generate outputs, classify sensitive content, trigger actions, and chain into other services through APIs, plugins, or agents. That expands the attack surface from ordinary vendor access to machine-speed decision-making, where a weak control can quickly become a business-impacting event.
Security teams should treat AI vendors as both software suppliers and operational actors. That means checking what data is ingested, where outputs go, what the model can call, and whether the provider can change behavior without notice. Current guidance suggests that traditional due diligence alone is not enough when an external system can infer, transform, or act on enterprise information. This is especially relevant for NHI governance, because supplier-issued API keys, service accounts, and automation tokens often become the real control boundary.
NHIMG research on The 52 NHI breaches Report shows how often machine identities are involved when external trust is overextended. In practice, many security teams only discover third-party AI exposure after a supplier integration has already handled sensitive data or executed an action outside the original approval scope.
How It Works in Practice
AI changes third-party risk in three practical ways. First, it increases dependency density: a single AI feature may rely on model providers, vector databases, orchestration tools, logging services, and browser or code-execution plugins. Second, it increases change velocity: prompts, models, safety filters, and tool permissions can be updated frequently, sometimes without a formal security review. Third, it weakens observability: an external system may make decisions that are hard to explain, reproduce, or attribute after the fact.
For security and governance teams, that means reviewing AI suppliers through a control lens, not just a procurement lens. The OWASP Non-Human Identity Top 10 is useful here because many AI integrations rely on secrets, workload identities, and service-to-service permissions that are easy to overgrant. Pair that with the NIST Cybersecurity Framework 2.0 to structure supplier oversight across governance, protection, detection, and recovery.
Operationally, teams should require:
- Inventory of every external model, plugin, API, and agentic tool in use.
- Clear data-flow mapping for prompts, retrieval content, logs, and training retention.
- Scoped, short-lived credentials for all non-human identities tied to suppliers.
- Evidence of testing for prompt injection, data leakage, and unsafe tool invocation.
- Revalidation after model updates, policy changes, or permission expansion.
NHIMG coverage of the Shai Hulud npm malware campaign and the JetBrains Marketplace AI Plugin Campaign illustrates a recurring pattern: AI-adjacent supply chains often expose secrets, identity tokens, or implicit trust relationships faster than review processes can keep up. These controls tend to break down when suppliers can change permissions dynamically or when local teams cannot see how one AI service chains into another.
Common Variations and Edge Cases
Tighter supplier control often increases integration overhead, requiring organisations to balance faster AI adoption against stronger assurance. There is no universal standard for this yet, so current guidance suggests risk-tiering vendors by data sensitivity, execution authority, and autonomy rather than applying one blanket review process.
Some cases are especially tricky. A low-risk chatbot may still become high-risk if it can access internal knowledge bases. A monitoring or summarisation tool may appear passive but still exfiltrate sensitive context through logs, embeddings, or retained prompts. A provider that claims not to train on customer data can still create exposure if its subcontractors, support access, or telemetry pipelines are not contractually bounded. For agentic systems, the biggest risk is not just output quality but delegated action without sufficient human or policy controls.
For NHI governance, the practical question is whether the supplier is holding secrets, issuing tokens, or acting under enterprise credentials. If so, the trust boundary is no longer just the vendor contract. It is the identity architecture around the vendor. That is why AI-related third-party review should include permission ceilings, revocation testing, and incident playbooks that assume compromise of an external automation path.
Where the environment includes regulated data, critical workflows, or autonomous tool use, security teams should treat AI suppliers as part of the control plane, not just the application stack.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, MITRE ATLAS and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.SC-1 | Third-party AI risk requires supplier governance and accountability. |
| OWASP Non-Human Identity Top 10 | NHI-1 | AI suppliers often rely on exposed service identities and secrets. |
| NIST AI RMF | GOVERN | AI vendors can change behavior and require formal oversight. |
| MITRE ATLAS | AML.TA0001 | Prompt injection and model abuse are common third-party AI attack paths. |
| OWASP Agentic AI Top 10 | A01 | Autonomous tools increase exposure through overbroad actions and delegation. |
Scope and rotate supplier credentials, and restrict each non-human identity to the minimum needed.