Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI governance and third-party risk: where are controls falling short?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: AI adoption is exposing a gap between traditional third-party risk reviews and continuously changing AI systems, with the source arguing that governance must unite security, privacy, risk, legal, engineering, and the business around shared controls. Static assessments are no longer enough when vendors can introduce AI features quietly and models drift over time.

NHIMG editorial — based on content published by OneTrust: Uniting AI Governance, Risk Management to Accelerate Responsible Growth

By the numbers:

Questions worth separating out

Q: How should organisations govern AI usage when employees use unapproved tools?

A: Organisations should start with visibility, not enforcement.

Q: Why do static third-party risk reviews fail for AI systems?

A: Static reviews assume the system and its data flows stay stable after approval, but AI systems can change behavior, outputs, and exposure over time.

Q: What do security teams get wrong about AI access risk?

A: Many teams focus on the model while ignoring the identity path that reaches it.

Practitioner guidance

  • Build an AI intake control for vendor and internal tools Require teams to disclose whether a product uses AI, what data enters the system, whether outputs are human-reviewed, and whether model behavior can change after deployment.
  • Extend third-party risk questionnaires to AI-specific change signals Add questions about model updates, feature drift, training data use, customer data retention, and notification timing when the vendor modifies AI functionality.
  • Define decision rights for AI use cases before production Assign who approves acceptable use, who can block high-risk deployments, and which functions must remain human-reviewed.

What's in the full article

OneTrust's full blog covers the operational detail this post intentionally leaves for the source:

  • How the AI governance committee is structured across privacy, legal, security, engineering, and business functions.
  • Specific intake and assessment questions for AI vendors, including data use, model updates, and transparency requirements.
  • The step-by-step governance lifecycle for intake, assessment, and monitoring as AI features change over time.
  • How organisations can use governance to support responsible scaling instead of slowing down adoption.

👉 Read OneTrust’s analysis of AI governance and third-party risk management →

AI governance and third-party risk: where are controls falling short?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

AI governance debt is becoming a real operational risk: organisations that rely on static third-party reviews are building up unresolved exposure as AI features change faster than intake processes can track. The article’s core point is that AI risk is dynamic, so governance has to become a living control plane rather than a periodic compliance exercise. For practitioners, the lesson is that unmanaged AI visibility will quickly turn into unmanaged accountability.

A question worth separating out:

Q: Who should own accountability for AI data access risk?

A: Accountability should sit with the teams that own identity, data governance, and security operations together. If AI can access enterprise data, then ownership must cover entitlement design, monitoring, and incident response across the full workflow. The governance gap is not just technical, because without a named owner, no one can prove who approved or contained the access.

👉 Read our full editorial: AI governance must evolve beyond static third-party risk reviews



   
ReplyQuote
Share: