Vendor & third-party AI risk · a service line of the AI Security & Cyber Risk practice · fixed-scope review · senior-only bench
§ AI Security & Cyber Risk · Third-party risk · v2026.07

We assess the AI vendors and models your firm already uses — before your regulator does.

Your biggest AI exposure is usually a vendor's model, not your own. The Vendor & Third-Party AI Risk Review is a fixed-scope, senior-led AI vendor risk assessment of the third-party AI vendors, embedded models, and API-connected AI tools already running in your business — what data they touch, how their models are governed, and where the concentration and fourth-party risk sit. You get back a board-ready AI vendor risk register and a remediation roadmap you can defend to an examiner.

Part of the AI Security & Cyber Risk practice · fees fixed in writing after scoping — see engagement models.

§ What this is

This is a review, not an audit or a certification. DSE reviews your third-party AI risk posture and produces a risk register and remediation roadmap. We do not audit, attest to, certify, or penetration-test the vendor, and no engagement guarantees a regulatory or examination outcome. It is senior-led, fixed-scope readiness and advisory work — the responsibility for the vendor relationship, and for accepting or remediating the risks we surface, stays with you. We work alongside your counsel and your existing vendor-management program.

§A
The surface.
AI you buy · not just AI you build.

Every AI vendor you rely on is part of your attack surface.

A third-party AI risk management framework has to cover the AI inside the tools you buy, not only the models you train. We map the AI vendors and embedded models already in production, then pressure-test the risk posture of each one.

Third-party AI vendors

The vendors and their models

The AI vendors your teams already contracted — underwriting, fraud, KYC, servicing, marketing, and analytics. We review how each model is governed, validated, and monitored, what it was trained on, and what oversight and testing rights your contract actually secures.

Embedded & GenAI features

AI hiding inside your SaaS

The generative and embedded AI features switched on inside the SaaS you already run — copilots, assistants, and "AI" toggles in tools nobody scoped as an AI vendor. We surface them, classify the data they touch, and flag the GenAI-specific exposure your DDQ needs to cover.

Concentration & fourth parties

The models behind the models

The sub-processors and foundation models behind your vendors — the fourth-party risk and the concentration that appears when many of your vendors quietly depend on the same underlying model or host. We map the chain and the single points of failure.

§B
The deliverable.
A register and a roadmap.

A board-ready AI vendor risk register, not a binder.

The review ends in two artifacts your risk committee and your examiners can actually use — structured, prioritized, and owned.

§ You receive

A defensible, board-ready output your third-party-risk program can absorb the day the engagement closes:

  • An AI vendor risk register — every third-party AI vendor and embedded model inventoried, with the data it touches, a transparent risk tier, the concentration and fourth-party dependencies, and a named owner.
  • A remediation roadmap — the gaps ranked by severity, the contract rights and evidence to demand at renewal (audit and model-testing access, breach-notice commitments, exit terms), and a prioritized sequence for closing them.
  • A one-page brief for the board and the examiner that states, in plain language, what AI you depend on, where the risk concentrates, and what you are doing about it.
  • An ongoing-oversight cadence so the register stays current as vendors change models and add features — a starting operating rhythm, not a one-time snapshot.

§C
Who it's for.
The people who own vendor risk.

Built for the desk that answers for the vendors.

If a regulator, a board, or a client's procurement team asks how you govern the AI you buy, this review is scoped for you.

Third-party risk

Chief Risk Officer

You own the risk appetite and answer to the board for it. You need AI vendor exposure quantified, tiered, and folded into the third-party risk framework you already run — without a new silo.

Vendor management

VP, Third-Party / Vendor Management

You run the vendor lifecycle and the DDQs. You need the AI-specific questions, the right contract rights to demand at renewal, and a register that survives an examiner walking the file.

Compliance

Chief Compliance Officer — insurtech & fintech

You are scaling fast on vendor AI and cannot let oversight lag adoption. You need a defensible read on the models embedded in your stack before a partner bank, an insurer, or a regulator asks.

§D
The lens.
We map to what governs you.

The framework that already applies to your vendors.

There is no single "AI vendor rule." The review organizes each finding under the third-party and service-provider obligations that already govern your institution, so the register speaks the language your examiner and your counsel use.

§ The oversight expectations we map to · by institution type

Depending on how your firm is supervised, we frame the register against the third-party and service-provider expectations that attach to it:

We map to these expectations as reference; the review is readiness and advisory work and does not certify compliance with any of them. Named references are the same verified framings used across our AI governance tools and guides.

Start free · client-side

Start with our free AI Vendor DDQ Generator.

Before you scope a review, build the questionnaire. Our free, 100% browser-local AI Vendor Due-Diligence Questionnaire generator assembles a tailored vendor due diligence AI model checklist — governance, model validation, data and security, third- and fourth-party risk, incident response, and ongoing monitoring — sized to your institution type. Nothing you enter leaves your browser. Bring the vendor's answers to a scoping call and we pick up from there.

What does it cost? The fee is fixed in writing after we scope the review together — it scales with the number of AI vendors and embedded models in scope, not your headcount. See the non-binding market-estimate ranges for this and every DSE engagement on the pricing page.

See engagement models

§E
Questions.
Straight answers.

Common questions.

The things risk and vendor-management leaders ask before they scope an AI vendor risk assessment.

What is an AI vendor risk assessment?

An AI vendor risk assessment is a structured review of the third-party AI vendors and embedded models an organization relies on — what data each touches, how the model is governed and validated, the concentration and fourth-party dependencies behind it, and the contract rights you hold to oversee it. DSE delivers this as a fixed-scope review that ends in an AI vendor risk register and a remediation roadmap. It is a review of risk posture, not an audit or certification of the vendor.

What does a third-party AI risk management framework include?

A workable third-party AI risk management framework covers governance and accountability, model development and validation transparency, data handling and security, third- and fourth-party (sub-processor and foundation-model) risk, incident response and breach notification, contractual oversight rights, and ongoing monitoring. The review organizes findings under those headings and maps each to the third-party and service-provider expectations that already govern your institution, so the output plugs into the vendor-management program you already run.

Do you audit or certify the vendor?

No. This is a review, deliberately named so. DSE reviews your third-party AI risk posture and produces a register and roadmap; we do not audit, attest to, certify, or penetration-test the vendor, and we do not guarantee any examination outcome. Responsibility for the vendor relationship and for accepting or remediating the risks we surface stays with you. We are not an accredited certification body, and we work alongside your counsel.

How does this relate to your free AI Vendor DDQ Generator?

The free AI Vendor DDQ Generator is the self-serve starting point: it assembles a tailored vendor due diligence AI model checklist you can send a vendor, sized to your institution type, entirely in your browser. The review is where a principal pressure-tests the vendor's answers, maps them to the frameworks that govern you, and turns a questionnaire into a defensible register. Many teams run the free GenAI DDQ for financial services first, then scope the review when the answers come back thin.

What about EU AI Act third-party obligations for financial services?

For firms with EU exposure, the review maps a vendor's AI to where its system sits in your value chain and flags the EU AI Act third-party obligations that follow for financial services, generically — provider versus deployer duties, transparency, and the oversight you owe for a system you did not build. We do not cite specific article numbers as legal conclusions; that is a determination for your counsel, and the review is scoped to support that work, not replace it.

How much does the review cost?

The fee is fixed in writing after a short scoping call and scales with the number of AI vendors and embedded models in scope, not your company size. We publish non-binding market-estimate ranges for every engagement, including this one, on the engagement models page.

Last reviewed: 2026-07-03 · Initial release. The Vendor & Third-Party AI Risk Review is a service line of the AI Security & Cyber Risk practice. All work is a review — readiness and advisory — not an audit, attestation, or certification. Framework references are the verified framings used across DSE's AI governance tools and re-checked quarterly.