Governance guidance
1. Identify whether the vendor product uses AI materially
AI may be hidden inside analytics dashboards, fraud tools, customer engagement platforms, HR tools, productivity suites, cyber products, credit workflows, or operational automation. Institutions should ask vendors to disclose AI features, model purpose, data processing, customer impact, and future AI roadmap changes.
- Add AI-specific questions to procurement and renewal reviews.
- Identify embedded AI features in existing critical and important vendors.
- Record whether the tool informs, recommends, automates, or decides.
2. Review data flows, confidentiality, and security controls
Vendor AI risk becomes material when institutional, customer, employee, transaction, or confidential data enters external systems. Assessment should clarify what data is processed, where it is stored, whether it trains models, who can access it, and how security controls are evidenced.
- Confirm whether client or confidential data is used for model training or improvement.
- Review data residency, access, retention, deletion, and encryption arrangements.
- Assess subcontractors, support access, incident notification, and audit rights.
3. Define accountability, monitoring, and change control
The institution remains accountable for governed use even when AI capability is provided by a vendor. Contracts and operating procedures should define performance monitoring, issue reporting, model or feature changes, human oversight, service continuity, and exit options.
- Assign an internal business owner for each material vendor AI capability.
- Require notification and assessment of material AI model, feature, or data-use changes.
- Define performance, bias, accuracy, security, availability, and incident indicators where relevant.
4. Integrate vendor AI into the AI inventory
Vendor AI should not sit outside the institution’s AI governance inventory. The same overview used for internal AI should show vendor AI use cases, owners, risk ratings, approvals, data sensitivity, monitoring expectations, and next review dates.
- Include vendor AI in use-case inventories and committee reporting.
- Map vendor AI to outsourcing, cyber, privacy, model-risk, and operational-resilience controls.
- Escalate high-risk vendor AI for senior-management visibility.
