Third-party risk management (AI)

The identification, assessment, monitoring, and mitigation of risks arising from an organization’s use of AI systems, models, data, or services provided by external vendors, partners, or service providers.

Source: AIEOG AI Lexicon (Feb 2026), adapted from OCC 2013-29, NIST AI 100-1, and FFIEC guidance

Third-party risk management for AI is the process of evaluating and overseeing the AI tools, models, and data services your organization gets from outside vendors. When a bank uses a vendor’s credit scoring model, a fintech embeds a third-party fraud detection API, or an insurer relies on an external data provider’s risk scores — all of these create third-party AI risk.

The core challenge is that third-party AI introduces risks you cannot fully control. You did not build the model, you may not fully understand how it works, and you may have limited visibility into changes the vendor makes. Yet regulators hold your institution — not the vendor — accountable for the outcomes these systems produce.

Third-party AI risk management extends traditional vendor management frameworks to address the unique risks that AI systems bring: model opacity, data quality dependencies, algorithmic bias, performance drift, and the complexity of validating systems you did not build.

Third-party AI adoption is accelerating across financial services, and regulatory scrutiny is intensifying:

• OCC 2013-29 and interagency guidance. Federal regulators have long required institutions to manage third-party risks commensurate with the level of risk involved. AI systems that affect customers, compliance, or financial condition are considered critical activities requiring enhanced due diligence.
• SR 11-7 applies to vendor models. The Fed’s model risk management guidance explicitly states that institutions must apply the same MRM standards to vendor-provided models as to internally developed ones. Using a third-party model does not reduce your governance obligations.
• CFPB scrutiny of fintech partnerships. The CFPB has repeatedly emphasized that supervised institutions cannot outsource compliance obligations through third-party arrangements. When a vendor’s AI model produces unfair or discriminatory outcomes, the institution faces the enforcement action — not the vendor.
• EU AI Act supply chain requirements. The Act imposes obligations on both providers and deployers of AI systems. Financial institutions deploying third-party high-risk AI systems must ensure the provider has met the Act’s requirements.
• Concentration risk. As a small number of AI vendors serve large portions of the financial services industry, systemic risk concerns are growing. A failure or bias in a widely used vendor model could affect multiple institutions simultaneously.

• AI as a service (AIaaS) — the delivery model for many third-party AI systems
• AI risk assessment — the broader evaluation framework that includes third-party risks
• Model risk — the specific risk category most relevant to third-party AI models
• Validation — the process of independently evaluating model performance, including vendor models
• AI governance — the organizational framework that encompasses third-party AI oversight