AI supplier management — third-party AI systems and components

Primary statement

AI supplier management per ISO 42001 A.3.2 + Clauses 5 + 9 + EU AI Act Art 99 penalty awareness + Art 9 risk management for HRAIS (high-risk AI system) providers + NIST AI RMF. Supply-chain AI risks — purchased models, third-party SaaS, API-delivered AI — are increasing as AI adoption broadens.

Audit-fatigue payoff

A unified AI supplier programme — RACI + risk management + penalty awareness + performance evaluation — satisfies the AI supplier requirements of all three contributing frameworks.

Strictness matrix

Scope
Scope: HRAIS providers operating continuous iterative risk management. For deployers consuming third-party HRAIS, supplier risk management is layered.
Ceiling source: eu_ai_act:Art.9
Rationale: EU AI Act Art 9 continuous iterative scope is comprehensive.

Threshold
Threshold: penalty awareness — up to EUR 35M / 7% turnover (prohibited practices) and EUR 15M / 3% (operator obligations). Penalty exposure drives supplier qualification.
Ceiling source: eu_ai_act:Art.99
Rationale: EU AI Act Art 99 penalty exposure is the strictest commercial threshold.

Method
Method: AI supplier RACI + risk management for third-party AI (EU AI Act Art 9 + Art 25 re-classification screen) + AI-specific due diligence + penalty awareness + performance evaluation (ISO 42001 Cl.9).
Ceiling source: iso42001:A.3.2
Rationale: ISO 42001 A.3.2 + EU AI Act Art 9 + Art 99 combined are the most prescriptive.

Frequency
Frequency: supplier performance evaluation annual + on material change. Due diligence pre-engagement + ongoing.
Ceiling source: iso42001:Cl.9
Rationale: Annual performance evaluation + continuous risk management is the cadence.

Evidence
Evidence: AI supplier inventory + risk assessments + due diligence + performance evaluation + EU AI Act role per supplier.
Ceiling source: iso42001:A.3.2
Rationale: ISO 42001 A.3.2 evidence is comprehensive.

Auditor test pattern

Step 1: Inspect the AI supplier inventory. Step 2: Sample one supplier; verify its risk assessment + due diligence. Step 3: Verify the EU AI Act role determination for that supplier. Step 4: Verify performance evaluation.

Common findings

Common findings: (1) AI suppliers not separately inventoried; (2) generic vendor risk assessment applied without AI-specific due diligence; (3) EU AI Act role determination absent; (4) performance evaluation ignored.