Glossary term
Governance and Compliance
AI capability provided through vendors, SaaS platforms, APIs, embedded product features, managed services, or outsourced business processes. Such capability still requires internal governance because the organization remains accountable for its use and outcomes. Due diligence should cover model purpose, data use, training rights, logging, subprocessors, performance claims, explainability, and exit strategy.
Microsoft Copilot, Google Workspace Gemini, and Salesforce Einstein are third-party AI services that enterprises must govern through vendor risk management.
Cloud Security Alliance's STAR registry and AICPA SOC 2 Type II reports are commonly used to assess third-party AI providers.
The Shared Assessments Standardized Information Gathering (SIG) questionnaire added AI sections in 2024 to support third-party AI due diligence.