Supplier Governance & Third-Party Assurance (Due Diligence, SLAs & AI Supply Chain Controls)

Zen AI Governance — Knowledge Base (EU/UK alignment) • Updated 08 Nov 2025 • www.zenaigovernance.com

Supplier Governance & Third-Party Assurance (ISO/IEC 42001:2023)

Key takeaways
  • ISO/IEC 42001 (Annex A control area A.10, third-party and customer relationships) requires evidence that AI suppliers and partners meet governance and security standards equivalent to your own.
  • The EU AI Act's value-chain provisions (Article 25 of the adopted text) require written agreements between a provider of a high-risk AI system and third parties supplying components, tools or models, specifying the information, capabilities, technical access and assistance needed for compliance and traceability.
  • Supplier oversight must be risk-based, documented, and integrated into your AIMS risk, incident, and CAPA systems.

Overview & objectives

Third-party suppliers — including model providers, dataset vendors, API hosts, and cloud infrastructure — directly influence your organisation’s AI risk profile. The objective is to ensure every supplier is selected, monitored, and governed under a controlled, auditable process that maintains the same level of assurance expected within your own AIMS.

Supplier lifecycle & risk stages

  1. Identification: AI, data, or infrastructure supplier proposed for use.
  2. Due-diligence: assess technical, legal, ethical, and security capabilities.
  3. Onboarding: formal approval, contractual controls, and record creation.
  4. Active monitoring: regular performance, compliance, and incident review.
  5. Off-boarding: ensure data return/destruction, access revocation, and lessons learned.

Due-diligence framework

  • Use a structured DD questionnaire covering:
    • Governance & accountability (AI ethics board, policy ownership)
    • Risk management (bias, robustness, oversight)
    • Data governance (licensing, provenance, deletion controls)
    • Security posture (ISO 27001, SOC 2, encryption)
    • Legal & regulatory compliance (GDPR/AI Act readiness)
    • Incident history & response capability
  • Score each category 1–5; define a minimum acceptance threshold (e.g., average ≥ 3) and a per-category floor, because an average alone lets a strong security score mask a failing data-licensing or risk-management score.
  • High-risk suppliers require onsite/remote audit and Authorising Officer sign-off.

Supplier risk categories

Category   Examples                                      Governance actions
Critical   Foundation-model API, model-hosting platform  Full DD, audit, AO approval, quarterly review
High       Training-data vendor, annotation service      DD + annual reassessment + SLA monitoring
Medium     Analytics tool, open-source component         Basic DD, licence check, monitoring
Low        Office productivity, generic SaaS             Policy exemption or light-touch review

Contractual controls & SLAs

  • Ensure contracts include:
    • Explicit AI governance clauses (risk disclosure, bias reporting, transparency duties)
    • Security & privacy obligations (ISO/IEC 27001 alignment, GDPR compliance, breach notification within a fixed window; note that the 72 h GDPR Article 33 deadline is your own clock towards the supervisory authority, so a supplier window of ≤ 72 h consumes all of it and a shorter one is usual)
    • Right-to-audit & data-return clauses
    • Change-control notification before material AI system updates (new model version, retrained weights, changed training data)
    • Sub-processor approval & flow-down requirements
  • Define measurable SLAs: uptime, accuracy, response, issue resolution, CAPA closure.

Ongoing monitoring & audits

  • Annual reassessment or upon major model/dataset change.
  • Monitor incidents, CAPA results, and audit findings from suppliers.
  • Use supplier scorecards combining compliance (KPI), delivery (SLA), and incident metrics.
  • Trigger escalation when a supplier's risk rating reaches the defined threshold or an incident remains unresolved for more than 30 days.
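The scoring rule from the due-diligence framework and the monitoring triggers above can be encoded so that the scorecard is computed rather than hand-filled. The following is an added example, not code from the Zen AI Governance page: it implements the six-category 1–5 scoring with an acceptance average of ≥ 3, a quarterly review interval for Critical and annual for High suppliers, and escalation when an incident stays unresolved for more than 30 days or a review is overdue. The per-category floor of 2, the Medium/Low review intervals, and the three supplier records are assumptions constructed for illustration.

```python
"""Supplier due-diligence scoring and escalation triggers.

Added example, not part of the Zen AI Governance page. It encodes the page's
rules: six DD categories scored 1-5 with an acceptance average of >= 3,
quarterly review for Critical and annual for High suppliers, and escalation
when an incident stays unresolved for more than 30 days. Assumptions: a
per-category floor of 2, review intervals for Medium/Low suppliers, and the
sample supplier records, which are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

DD_CATEGORIES = ("governance", "risk_management", "data_governance",
                 "security", "legal", "incident_response")
ACCEPT_AVERAGE = 3.0      # page: minimum acceptance threshold, average >= 3
CATEGORY_FLOOR = 2        # assumed: no single category may score below this
ESCALATE_AFTER_DAYS = 30  # page: incident unresolved > 30 days
# Review cadence: Critical quarterly, High annual (page); Medium/Low assumed.
REVIEW_INTERVAL_DAYS = {"Critical": 91, "High": 365, "Medium": 365, "Low": 730}


@dataclass
class Incident:
    opened: date
    resolved: Optional[date] = None

    def days_open(self, today: date) -> int:
        return ((self.resolved or today) - self.opened).days


@dataclass
class SupplierRecord:
    name: str
    category: str               # Critical / High / Medium / Low
    scores: dict                # DD category -> score 1..5
    last_review: date
    incidents: list = field(default_factory=list)


def dd_score(scores: dict) -> float:
    """Average of the six DD category scores, rejecting incomplete or out-of-range input."""
    missing = sorted(set(DD_CATEGORIES) - set(scores))
    if missing:
        raise ValueError(f"unscored DD categories: {missing}")
    bad = sorted(k for k in DD_CATEGORIES if not 1 <= scores[k] <= 5)
    if bad:
        raise ValueError(f"scores outside 1..5: {bad}")
    return round(sum(scores[k] for k in DD_CATEGORIES) / len(DD_CATEGORIES), 2)


def dd_accepts(scores: dict) -> tuple[bool, list[str]]:
    """Accept only if the average clears the threshold AND every category clears the floor.
    The floor stops a strong security score from masking, say, a 1 on data licensing."""
    reasons = []
    avg = dd_score(scores)
    if avg < ACCEPT_AVERAGE:
        reasons.append(f"average {avg} below {ACCEPT_AVERAGE}")
    reasons += [f"{k} scored {scores[k]} (< floor {CATEGORY_FLOOR})"
                for k in DD_CATEGORIES if scores[k] < CATEGORY_FLOOR]
    return (not reasons, reasons)


def next_review(rec: SupplierRecord) -> date:
    return rec.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[rec.category])


def escalation_triggers(rec: SupplierRecord, today: date) -> list[str]:
    """Reasons this supplier must be escalated today; an empty list means no action."""
    triggers = []
    ok, reasons = dd_accepts(rec.scores)
    if not ok:
        triggers.append("DD below threshold: " + "; ".join(reasons))
    stale = [i for i in rec.incidents
             if i.resolved is None and i.days_open(today) > ESCALATE_AFTER_DAYS]
    if stale:
        triggers.append(f"{len(stale)} incident(s) unresolved > {ESCALATE_AFTER_DAYS} days")
    if today > next_review(rec):
        triggers.append(f"review overdue since {next_review(rec)}")
    return triggers


def sample_register() -> list[SupplierRecord]:
    """Constructed sample data (not real suppliers)."""
    return [
        SupplierRecord("ModelAPI Ltd", "Critical",
                       dict(governance=5, risk_management=4, data_governance=5,
                            security=5, legal=4, incident_response=5),
                       date(2025, 11, 2), [Incident(date(2025, 10, 1))]),
        SupplierRecord("AnnotateCo", "High",
                       dict(governance=4, risk_management=1, data_governance=3,
                            security=4, legal=4, incident_response=3),
                       date(2024, 10, 1),
                       [Incident(date(2025, 10, 20), date(2025, 11, 1))]),
        SupplierRecord("GenericSaaS", "Low",
                       dict.fromkeys(DD_CATEGORIES, 3), date(2025, 6, 1)),
    ]


def run_report(today: date) -> dict:
    """Map supplier name -> escalation triggers, the input to a supplier scorecard."""
    return {r.name: escalation_triggers(r, today) for r in sample_register()}


if __name__ == "__main__":
    for name, triggers in run_report(date(2025, 11, 8)).items():
        print(name, "->", triggers or "no action")
```

Run as-is and AnnotateCo is flagged twice even though its average (3.17) clears the page's ≥ 3 threshold: the risk-management score of 1 breaks the floor, and its last review is older than the annual interval. ModelAPI Ltd passes due diligence but escalates on an incident open for 38 days; its computed next review date (2026-02-01) is the one the template below records.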

Integration with AIMS & risk register

  • Each supplier record maps to Risk Register entries with residual risk ratings.
  • Supplier non-conformities feed into CAPA tracker and Management Review.
  • Supplier audits appear as evidence in surveillance and recertification audits.

Examples & case studies

  • Example 1: Foundation-model provider updated embedding API → triggered risk re-assessment and SLA addendum.
  • Example 2: Annotation vendor failed fairness metrics → supplier suspended pending retraining and CAPA verification.

Templates & tools

Template — Supplier Due-Diligence Record
Supplier: ModelAPI Ltd   Category: Critical   Date: 2025-11-02
Reviewed by: Compliance Lead   Approval: AO 2025-11-04
Governance Score: 4.6/5   Security Score: 4.8/5   Residual Risk: Low
Controls: SLA (bias metric ≤ 3%, metric and test set defined in the contract), quarterly fairness reports, right-to-audit.
Status: Active   Next Review: 2026-02-01   Evidence: /workdrive/supplier/DD_ModelAPI.pdf

Common pitfalls & mitigation

  • No DD refresh: enforce annual or change-based reassessment.
  • Undefined ownership: assign Supplier Owner per contract.
  • Missing evidence: store DD forms and audit outputs in version-controlled repository.
  • Unclear flow-downs: ensure sub-suppliers inherit main obligations contractually.

Implementation checklist

  • Supplier Policy and DD procedure approved.
  • All AI suppliers classified and risk-scored.
  • Contracts updated with AI Act-aligned clauses and SLAs.
  • Supplier audits and CAPA integrated into AIMS evidence set.
  • Quarterly supplier scorecards and management review updates maintained.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 08 Nov 2025 • This page is general guidance, not legal advice.