Cyber & IT Supervisory Forum - Additional Resources

GOVERN 6
Policies and procedures are in place to address AI risks and benefits arising from third-party software and data and other supply chain issues.

GOVERN 6.1
Policies and procedures are in place that address AI risks associated with third-party entities, including risks of infringement of a third party’s intellectual property or other rights.

About

Risk measurement and management can be complicated by how customers use or integrate third-party data or systems into AI products or services, particularly without sufficient internal governance structures and technical safeguards.

Organizations usually engage multiple third parties for external expertise, data, software packages (both open source and commercial), and software and hardware platforms across the AI lifecycle. This engagement has beneficial uses and can increase complexities of risk management efforts.

Organizational approaches to managing third-party (positive and negative) risk may be tailored to the resources, risk profile, and use case for each system. Organizations can apply governance approaches to third-party AI systems and data as they would for internal resources — including open-source software, publicly available data, and commercially available models.

Suggested Actions

- Collaboratively establish policies that address third-party AI systems and data.
- Establish policies related to:
  - Transparency into third-party system functions, including knowledge about training data, training and inference algorithms, and assumptions and limitations.
  - Thorough testing of third-party AI systems. (See MEASURE for more detail)
