Your biggest AI exposure is usually a vendor's model, not your own. The Vendor & Third-Party AI Risk Review is a fixed-scope, senior-led AI vendor risk assessment of the third-party AI vendors, embedded models, and API-connected AI tools already running in your business — what data they touch, how their models are governed, and where the concentration and fourth-party risk sit. You get back a board-ready AI vendor risk register and a remediation roadmap you can defend to an examiner.
Part of the AI Security & Cyber Risk practice · fees fixed in writing after scoping — see engagement models.
This is a review, not an audit or a certification. DSE reviews your third-party AI risk posture and produces a risk register and remediation roadmap. We do not audit, attest to, certify, or penetration-test the vendor, and no engagement guarantees a regulatory or examination outcome. It is senior-led, fixed-scope readiness and advisory work — the responsibility for the vendor relationship, and for accepting or remediating the risks we surface, stays with you. We work alongside your counsel and your existing vendor-management program.
A third-party AI risk management framework has to cover the AI inside the tools you buy, not only the models you train. We map the AI vendors and embedded models already in production, then pressure-test the risk posture of each one.
The AI vendors your teams already contracted — underwriting, fraud, KYC, servicing, marketing, and analytics. We review how each model is governed, validated, and monitored, what it was trained on, and what oversight and testing rights your contract actually secures.
The generative and embedded AI features switched on inside the SaaS you already run — copilots, assistants, and "AI" toggles in tools nobody scoped as an AI vendor. We surface them, classify the data they touch, and flag the GenAI-specific exposure your DDQ needs to cover.
The sub-processors and foundation models behind your vendors — the fourth-party risk and the concentration that appears when many of your vendors quietly depend on the same underlying model or host. We map the chain and the single points of failure.
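The dependency-chain mapping described above, as an added example (this is not DSE's tooling or the page's own code; the vendor names, sub-processors and data classes are constructed). It walks each vendor's sub-processors transitively, then inverts the graph to show which fourth parties sit behind several vendors at once and which data classes would be exposed if one of them failed. The point it makes that the prose only states is that concentration is usually invisible at the direct-vendor layer: two vendors with no supplier in common can still share a host one hop down.

```python
"""Fourth-party concentration mapping over a constructed AI vendor register.

Added example, not DSE's own tooling. Vendor names, sub-processors and data
classes below are constructed for illustration.
"""
from collections import defaultdict

# Constructed register: each direct vendor lists the data classes it touches
# and the sub-processors / foundation models it declares in its DDQ.
VENDORS = {
    "fraud-scoring-saas":  {"data": {"pii", "transactions"}, "depends_on": ["model-a", "cloud-x"]},
    "kyc-doc-verify":      {"data": {"pii", "identity-docs"}, "depends_on": ["ocr-vendor"]},
    "servicing-copilot":   {"data": {"pii"},                  "depends_on": ["model-a"]},
    "marketing-assistant": {"data": {"marketing"},            "depends_on": ["model-b"]},
}

# Constructed fourth-party chain: sub-processor -> its own sub-processors
# (e.g. a model vendor hosted on a cloud provider).
SUBPROCESSORS = {
    "model-a":    ["cloud-x"],
    "model-b":    ["cloud-x"],
    "ocr-vendor": ["cloud-y"],
    "cloud-x":    [],
    "cloud-y":    [],
}


def transitive_dependencies(vendor, subprocessors=SUBPROCESSORS, vendors=VENDORS):
    """Every sub-processor a vendor reaches, directly or further down the chain.

    A visited set makes the walk safe even if the declared chain contains a cycle.
    """
    seen, stack = set(), list(vendors[vendor]["depends_on"])
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(subprocessors.get(dep, []))
    return seen


def concentration(vendors=VENDORS, subprocessors=SUBPROCESSORS):
    """Invert the graph: sub-processor -> the direct vendors and data classes that reach it."""
    reach = defaultdict(lambda: {"vendors": set(), "data": set()})
    for v in vendors:
        for dep in transitive_dependencies(v, subprocessors, vendors):
            reach[dep]["vendors"].add(v)
            reach[dep]["data"] |= vendors[v]["data"]
    return dict(reach)


def single_points_of_failure(vendors=VENDORS, subprocessors=SUBPROCESSORS, threshold=2):
    """Sub-processors reached by at least `threshold` vendors, largest blast radius first.

    Returns (sub-processor, vendor count, sorted data classes exposed through it).
    """
    conc = concentration(vendors, subprocessors)
    spof = [(dep, len(info["vendors"]), sorted(info["data"]))
            for dep, info in conc.items() if len(info["vendors"]) >= threshold]
    return sorted(spof, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for dep, n, data in single_points_of_failure():
        print(f"{dep}: {n} vendors depend on it; data exposed: {', '.join(data)}")
```

In the constructed register, `fraud-scoring-saas` and `marketing-assistant` declare no common supplier, yet both land on `cloud-x`, which the report ranks as the top single point of failure with three dependent vendors and PII in scope. In a real register the `depends_on` lists come from the vendors' DDQ sub-processor disclosures, and the threshold is a risk-appetite choice, not a fixed number.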
The review ends in two artifacts your risk committee and your examiners can actually use — structured, prioritized, and owned.
A defensible, board-ready output your third-party-risk program can absorb the day the engagement closes:
If a regulator, a board, or a client's procurement team asks how you govern the AI you buy, this review is scoped for you.
You own the risk appetite and answer to the board for it. You need AI vendor exposure quantified, tiered, and folded into the third-party risk framework you already run — without a new silo.
You run the vendor lifecycle and the DDQs. You need the AI-specific questions, the right contract rights to demand at renewal, and a register that survives an examiner walking the file.
You are scaling fast on vendor AI and cannot let oversight lag adoption. You need a defensible read on the models embedded in your stack before a partner bank, an insurer, or a regulator asks.
There is no single "AI vendor rule." The review organizes each finding under the third-party and service-provider obligations that already govern your institution, so the register speaks the language your examiner and your counsel use.
Depending on how your firm is supervised, we frame the register against the third-party and service-provider expectations that attach to it:
We map to these expectations as reference; the review is readiness and advisory work and does not certify compliance with any of them. Named references are the same verified framings used across our AI governance tools and guides.
Before you scope a review, build the questionnaire. Our free, 100% browser-local AI Vendor Due-Diligence Questionnaire generator assembles a tailored vendor due diligence AI model checklist — governance, model validation, data and security, third- and fourth-party risk, incident response, and ongoing monitoring — sized to your institution type. Nothing you enter leaves your browser. Bring the vendor's answers to a scoping call and we pick up from there.
What does it cost? The fee is fixed in writing after we scope the review together — it scales with the number of AI vendors and embedded models in scope, not your headcount. See the non-binding market-estimate ranges for this and every DSE engagement on the pricing page.
See engagement models →
The things risk and vendor-management leaders ask before they scope an AI vendor risk assessment.
An AI vendor risk assessment is a structured review of the third-party AI vendors and embedded models an organization relies on — what data each touches, how the model is governed and validated, the concentration and fourth-party dependencies behind it, and the contract rights you hold to oversee it. DSE delivers this as a fixed-scope review that ends in an AI vendor risk register and a remediation roadmap. It is a review of risk posture, not an audit or certification of the vendor.
A workable third-party AI risk management framework covers governance and accountability, model development and validation transparency, data handling and security, third- and fourth-party (sub-processor and foundation-model) risk, incident response and breach notification, contractual oversight rights, and ongoing monitoring. The review organizes findings under those headings and maps each to the third-party and service-provider expectations that already govern your institution, so the output plugs into the vendor-management program you already run.
No. This is a review, deliberately named so. DSE reviews your third-party AI risk posture and produces a register and roadmap; we do not audit, attest to, certify, or penetration-test the vendor, and we do not guarantee any examination outcome. Responsibility for the vendor relationship and for accepting or remediating the risks we surface stays with you. We are not an accredited certification body, and we work alongside your counsel.
The free AI Vendor DDQ Generator is the self-serve starting point: it assembles a tailored vendor due diligence AI model checklist you can send a vendor, sized to your institution type, entirely in your browser. The review is where a principal pressure-tests the vendor's answers, maps them to the frameworks that govern you, and turns a questionnaire into a defensible register. Many teams run the free GenAI DDQ for financial services first, then scope the review when the answers come back thin.
For firms with EU exposure, the review maps a vendor's AI to where its system sits in your value chain and flags the EU AI Act third-party obligations that follow for financial services, generically — provider versus deployer duties, transparency, and the oversight you owe for a system you did not build. We do not cite specific article numbers as legal conclusions; that is a determination for your counsel, and the review is scoped to support that work, not replace it.
The fee is fixed in writing after a short scoping call and scales with the number of AI vendors and embedded models in scope, not your company size. We publish non-binding market-estimate ranges for every engagement, including this one, on the engagement models page.
Last reviewed: 2026-07-03 · Initial release. The Vendor & Third-Party AI Risk Review is a service line of the AI Security & Cyber Risk practice. All work is a review — readiness and advisory — not an audit, attestation, or certification. Framework references are the verified framings used across DSE's AI governance tools and re-checked quarterly.