
MANAGE-3.1: AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented.

>Control Description

AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented.

>About

AI systems may depend on external resources and associated processes, including third-party data, software or hardware systems. Third parties supplying organizations with components and services, including tools, software, and expertise for AI system design, development, deployment or use, can improve efficiency and scalability. It can also increase complexity and opacity and, in turn, risk. Documenting third-party technologies, personnel, and resources that were employed can help manage risks. Focusing first and foremost on risks involving physical safety, legal liabilities, regulatory compliance, and negative impacts on individuals, groups, or society is recommended.

>Suggested Actions

  • Have legal requirements been addressed?
  • Apply organizational risk tolerance to third-party AI systems.
  • Apply and document organizational risk management plans and practices to third-party AI technology, personnel, or other resources.
  • Identify and maintain documentation for third-party AI systems and components.
  • Establish testing, evaluation, validation and verification processes for third-party AI systems which address the needs for transparency without exposing proprietary algorithms.
  • Establish processes to identify beneficial use and risk indicators in third-party systems or components, such as inconsistent software release schedule, sparse documentation, and incomplete software change management (e.g., lack of forward or backward compatibility).
  • Organizations can establish processes for third parties to report known and potential vulnerabilities, risks or biases in supplied resources.
  • Verify contingency processes for handling negative impacts associated with mission-critical third-party AI systems.
  • Monitor third-party AI systems for potential negative impacts and risks associated with trustworthiness characteristics.
  • Decommission third-party systems that exceed risk tolerances.

>Documentation Guidance

Organizations can document the following:

  • If a third party created the AI system or some of its components, how will you ensure a level of explainability or interpretability? Is there documentation?
  • If your organization obtained datasets from a third party, did your organization assess and manage the risks of using such datasets?
  • Did you establish a process for third parties (e.g. suppliers, end users, subjects, distributors/vendors or workers) to report potential vulnerabilities, risks or biases in the AI system?
  • Have legal requirements been addressed?

AI Transparency Resources

  • Artificial Intelligence Ethics Framework For The Intelligence Community.
  • WEF - Companion to the Model AI Governance Framework – Implementation and Self-Assessment Guide for Organizations.
  • Datasheets for Datasets.

>References

Office of the Comptroller of the Currency. 2021. Proposed Interagency Guidance on Third-Party Relationships: Risk Management. July 12, 2021.

>AI Actors

Third-party entities
Operation and Monitoring
AI Deployment

>Topics

Third-party
Supply Chain

>Cross-Framework Mappings
