AI Supplier Governance & Third-Party Assurance Policy

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 10 Nov 2025 • www.zenaigovernance.com

Key takeaways
  • All AI vendors and suppliers must undergo formal due diligence before use or integration.
  • Contracts and SLAs must define ethical standards, audit rights, and data protection clauses.
  • Ongoing assurance through audits and performance reviews is mandatory for compliance.

Overview & objectives

This policy establishes a structured approach to evaluate, approve, and monitor third-party AI suppliers. It ensures that external systems and services meet Zen AI Governance’s ethical, security, and regulatory standards. The policy applies to vendors providing AI models, APIs, datasets, consulting services, cloud hosting, and AI tooling.

Governance framework

  • AI Supplier Governance forms part of the AIMS and Procurement Policy framework.
  • Oversight is provided by the Compliance Lead and the Procurement Manager.
  • The supplier risk register is maintained in the AIMS repository and reviewed quarterly.
  • All suppliers must sign Zen AI Governance’s Supplier Code of Conduct.

Due diligence & risk assessment

  • Evaluate suppliers on ethical, technical, and legal criteria before contract award.
  • Assess AI risk classification (Annex III – EU AI Act) for each solution.
  • Review evidence of security certifications (e.g., ISO 27001, SOC 2).
  • Require bias, fairness, and robustness test reports for AI models.
  • Perform a data protection impact assessment (DPIA) whenever personal data is involved.
  • Document the assessment in the Supplier Evaluation Form and store it in the AIMS evidence folder.

Contractual & SLA controls

  • Contracts must include the following clauses:
    • AI ethics and responsible use obligations.
    • Data ownership, processing, and deletion rights.
    • Right to audit AI systems and development processes.
    • Incident notification within 24–48 hours of discovery.
    • Sub-processor approval requirements and traceability.
  • Service Level Agreements (SLAs) must define availability, response times, and ethics KPIs (e.g., bias threshold ≤ 1%).
  • All contracts approved by Legal and Compliance before execution.

Ongoing monitoring & audit

  • Annual supplier audits covering technical, ethical, and data governance controls.
  • Review incident logs, bias tests, and performance KPIs.
  • Non-compliances are tracked through the CAPA process and reviewed by the AI Governance Board.
  • Supplier performance is scored against compliance criteria and contract KPIs.

Third-party AI systems integration

  • Integrations require technical and security testing before go-live.
  • Register all third-party AI models in the Model Registry with version and risk classification.
  • Monitor API outputs for drift, bias, or unexpected behaviour.
  • Suppliers must provide change notification prior to model updates or retraining.

Termination & off-boarding

  • Trigger exit when supplier fails audit or violates contractual terms.
  • Securely delete data and revoke system access within 30 days of termination.
  • Archive contract records and audit evidence for ≥ 5 years.
  • Conduct post-termination risk review to identify replacement controls.

Templates & examples

Example — Supplier Evaluation Form
Supplier: AICloud Analytics Ltd.  |  Service: Model Hosting & Monitoring
Risk Level: High (uses live decision AI)
Certifications: ISO 27001, ISO 42001 (pending)
Bias Testing: Performed Q3 2025  |  Result: Pass (<1.5%)
Data Processing Agreement: Signed (Ref DPA-2025-043)
Audit Right: Granted (annual)  |  Next Review: Feb 2026
Status: Approved ✅

Common pitfalls & mitigation

  • No ongoing monitoring: Implement quarterly performance audits.
  • Weak contracts: Mandate AI-specific clauses and audit rights for all vendors.
  • Shadow AI tools: Maintain inventory of all external AI services in use.
  • No evidence of compliance: Store due-diligence records in AIMS repository.

Implementation checklist

  • Supplier Governance Policy approved and integrated into Procurement process.
  • Supplier Evaluation Form completed for all vendors.
  • Contracts contain AI ethics and data protection clauses.
  • Annual audits and performance reviews scheduled.
  • Evidence stored for audit and management review.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 10 Nov 2025 • This page is general guidance, not legal advice.
