
GOVERN-6.2: Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk.

>Control Description

Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk.

>About

To mitigate the potential harms of third-party system failures, organizations may implement policies and procedures that include redundancies for covering third-party functions.

>Suggested Actions

  • Establish policies for handling third-party system failures to include consideration of redundancy mechanisms for vital third-party AI systems.
  • Verify that incident response plans address third-party AI systems.

>Documentation Guidance

Organizations can document the following:

  • To what extent does the plan specifically address risks associated with acquisition, procurement of packaged software from vendors, cybersecurity controls, computational infrastructure, data, data science, deployment mechanics, and system failure?
  • Did you establish a process for third parties (e.g. suppliers, end users, subjects, distributors/vendors or workers) to report potential vulnerabilities, risks or biases in the AI system?
  • If your organization obtained datasets from a third party, did your organization assess and manage the risks of using such datasets?

AI Transparency Resources

  • GAO-21-519SP: AI Accountability Framework for Federal Agencies & Other Entities.
  • WEF Model AI Governance Framework Assessment 2020.
  • WEF Companion to the Model AI Governance Framework - 2020.
  • AI policies and initiatives, in Artificial Intelligence in Society, OECD, 2019.

>References

Bd. Governors Fed. Rsrv. Sys., Supervisory Guidance on Model Risk Management, SR Letter 11-7 (Apr. 4, 2011)

“Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” 2021.

Off. Comptroller Currency, Comptroller’s Handbook: Model Risk Management (Aug. 2021).

>AI Actors

AI Deployment
TEVV
Operation and Monitoring
Third-party entities

>Topics

Third-party
Governance
Risk Management
Supply Chain
