Vendor Risk When Your Third Parties Are All Doing AI

The SIG questionnaire was built for SaaS. It's not built for vendors that quietly added GenAI to their feature set last quarter.

Roughly 60% of enterprise SaaS vendors shipped a GenAI feature in the last 12 months. Your TPRM program almost certainly did not refresh its questionnaires to match. Here are three patches that close the gap fast.

Add an AI rider

Five questions: model provider, data residency for inference, training-data opt-out, output content filtering, and incident-notification SLA for model-related defects. Attach it as a rider to your existing questionnaire and require a refresh at each renewal.

Re-segment your vendor population

A "low-risk" file-storage vendor that added a "summarise this document" button is now processing your data through a third-party LLM. Re-segment on data flow, not on the cover product.

Demand a model card or equivalent

For any vendor whose feature uses an LLM on your data, the standard ask is now a model card or a written attestation that covers (a) which model, (b) how data is logged or retained, (c) what evaluation was done.

If a vendor can't answer those three, the answer to onboarding is no.