TL;DR: As organisations embed third-party AI into core operations, traditional vendor risk questionnaires no longer capture model lineage, autonomy, data provenance, and oversight requirements, according to OneTrust. The shift turns AI vendor review into a governance and accountability problem, not just a privacy or security checklist.
NHIMG editorial — based on content published by OneTrust: Third-party AI risk and vendor assessment
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should organisations assess third-party AI risk in vendor contracts?
A: Organisations should assess third-party AI risk by combining standard vendor checks with AI-specific review of model lineage, training data provenance, autonomy, human oversight, and change control.
Q: Why do traditional vendor questionnaires miss AI governance gaps?
A: Traditional questionnaires are usually designed to capture policy existence, not runtime behaviour.
Q: What do security teams get wrong about AI oversight dashboards?
A: Teams often mistake visibility for control.
Practitioner guidance
- Expand vendor assessments for AI behaviour Add questions on model ownership, training data provenance, versioning, autonomy level, and human oversight to third-party questionnaires so AI is assessed as a runtime capability, not a feature checkbox.
- Tie AI vendor approval to access scope Require explicit review of what systems, datasets, and workflows a third-party AI can touch, and document that scope in the same approval record used for privileged access decisions.
- Make AI monitoring continuous Recheck AI vendor behaviour after deployment, especially after model updates, data changes, or workflow expansion, because the original assessment quickly goes stale.
What's in the full article
OneTrust's full article covers the operational detail this post intentionally leaves for the source:
- A practical checklist of questions to add to existing vendor assessments for AI-specific risk review
- The article’s breakdown of dataset and model attributes that should be documented before deployment
- How OneTrust suggests integrating AI governance into existing third-party risk management workflows
- The vendor’s framing of how AI governance supports compliance, transparency, and trust across supplier relationships
👉 Read OneTrust's analysis of third-party AI risk and vendor assessment →
Third-party AI risk: what it means for vendor governance?
Explore further
Third-party AI risk is now an identity governance issue, not just a procurement issue. When a vendor’s AI system can read data, influence decisions, or trigger actions, it behaves like a delegated digital actor inside the enterprise. That creates a governance problem that sits alongside classic supplier risk, because identity, privilege, and accountability are now part of the vendor assessment. Practitioners should treat AI-enabled suppliers as systems with runtime authority, not static software packages.
A question worth separating out:
Q: Who is accountable when an AI system makes a harmful decision?
A: Accountability should follow the identity chain that authorized, configured, or triggered the action, including the human owner, the platform team, and any delegated agent or tool account. If the organisation cannot name that chain, the governance model is too weak for regulated AI use.
👉 Read our full editorial: Third-party AI risk is becoming an AI governance problem