You Vetted the Vendor. Did You Vet the Model?

Organizations have spent years building third-party risk management programs — vendor questionnaires, SOC 2 reviews, contract reviews, annual reassessments. But those programs were built for a world where the third party was a company. Today, the third party is also a model.
When your organization integrates an LLM API, deploys an AI-powered SaaS tool, or connects an agentic workflow to a vendor's AI backend, you're not just onboarding software. You're inheriting risk from training data you can't audit, model updates you won't be notified about, and prompt injection vulnerabilities your questionnaire has never asked about.
This session delivers a practical AI vendor assessment framework that GRC teams can use today. Using examples from manufacturing and healthcare environments, we'll walk through the questions your vendor questionnaires are missing, how to map AI supply chain risk to NIST SP 800-161 and ISO 27001, and what a mature AI vendor risk program actually looks like.
Attendees will leave with five questions to add to every AI vendor assessment immediately — and a framework for building a repeatable AI supply chain risk process from the ground up.

Neviar Rawlinson

Cyber Risk & IT Governance Leader | Founder, GRC Explained | Speaker on Cyber Risk, Governance, and Security Leadership

Columbia, South Carolina, United States
