Are third parties putting your AI program at risk?

While AI is becoming a critical component in many companies’ daily workflow, not many organizations are creating those AI systems themselves. More often, companies will rely on third-party vendors to integrate AI into their operations.

So how can you make sure you’re doing holistic assessments of those third-party vendors? And how can AI governance help you mitigate the risks associated with them? Let’s get into it.

What is this? 

Third-party risk management (TPRM) isn’t a new idea, and most companies will already have some TPRM workflows in place for other, non-AI vendors. These practices are usually focused on more traditional aspects of third-party risk, like privacy, security, ethics, business continuity and resilience, etc.  

But now with AI in the mix, taking a siloed approach to TPRM won’t work. Instead, a holistic approach to vendor assessments will help account for the use of AI, and make sure you’re not leaving any risks unattended.  

How does it affect your company? 

The benefits of taking a more holistic vendor assessment approach extend beyond just “check the box” compliance. Avoiding the potential legal and ethical pitfalls that come along with using third parties that use AI will help you build trust with your customers and within the larger vendor ecosystem.  

How can you put it into practice? 

By now you know how critical AI governance practices are in responsible AI usage, but that extends even beyond your internal usage. It’s becoming more and more important to evaluate your vendor’s AI governance frameworks, so you can understand if they’re meeting your ethics and compliance standards.  

This may sound overwhelming, but you don’t have to start this process from scratch; you can adapt your existing TPRM workflows to account for AI. Download our TPRM for AI checklist to see what kinds of questions you can add to your assessments for AI adoption.  

Timeline: AI's emerging trends and journey

• We started Prompt when the European Parliament agreed on the EU AI Act, and we’ve been tracking its progress since then. Last month, the Presidents of the Parliament and Council signed the AI Act. It will enter into force 20 days after publication in the EU Official Journal, with some exceptions. 

• Apple's new AI-powered features won't arrive in Europe until 2025. The company announced a partnership with OpenAI, which will result in new features coming in the US in the fall. The company cites regulatory uncertainties due to the EU's Digital Markets Act (DMA). 

• Delaware’s about to have its own AI Commission. A bill passed the House and is awaiting the governor’s signature. The Commission must hold its first meeting no later than August 1, 2024. Will other states follow? 🤔   

• The OECD has published a report pointing out the lack of cooperation between IA and privacy groups, which raises the possibility of silos, increasing the risk of inconsistent policy responses and misunderstanding owing to differences in terminology and regulatory approaches. See the OECD recommendations here. 

• Meta’s changing its "Made with AI" label to "AI Info" after complaints from photographers for mislabeling edited real photos. Oops. The label is activated when users indicate the use of AI tools or when Meta detects hints of industry-standard AI images.
• Global INDIAai Summit concluded with a new integrated OECD and GPAI partnership and the GPAI's consensus on their future vision. Learn more. 

Your AI 101: What are...?

No, not that kind. AI hallucinations refer to instances where AI systems generate false or misleading information that appears plausible – but isn’t grounded in reality.  

They can be a result of incomplete or biased training data, the model's attempt to fill gaps in knowledge, or errors in understanding the context.  

These hallucinations highlight the importance of human oversight and verification when using AI-generated content to ensure reliability and accuracy. 

We all hope that when we use AI to generate something, whether it’s an answer to an email or draft a document, we’ll get something that appropriately answers the prompt we gave it. But sometimes, that’s not actually the output we receive. That's why human in the loop and fact-checking everything AI generates is so important.

Follow this human

Amaka Ibeji, FIP, AIGP, CIPM, CISA, CISM, CISSP, DDN QTE is a digital trust leader in the world of privacy engineering, AI governance, leadership, and security. She shares resources to help organizations create a culture of privacy and help them protect people’s personal information.