Supplier management for AI: governing the vendors behind your models
Almost no organisation builds its own AI from scratch. That means almost every AI risk is, in part, a supplier risk.
The phrase "AI supplier" sounds like a single vendor — the one whose logo is on the contract. The reality is a stack. Underneath the application you bought sits a hosted model provider; underneath that, an infrastructure provider; alongside, a retrieval system fed by your own data; and, increasingly, an agentic layer that calls out to further third-party services. Each layer has its own incentives, its own data handling and its own incidents.
The Cloud Security Alliance has noted that this layered structure makes the AI supply chain materially harder to govern than traditional SaaS, because a single end-user action can result in data crossing three or four organisational boundaries within a second (CSA 2024).
1. Model providers. The organisation that trains and serves the underlying model — typically a foundation-model lab. Their terms govern what they may do with prompts, outputs and any fine-tuning data you provide.
2. Hosting and orchestration platforms. The platform that exposes the model to your applications — often a hyperscaler, sometimes a specialist. Their terms govern data residency, logging and isolation.
3. Application vendors. The SaaS you actually bought. Their terms govern your end-to-end relationship, but typically pass through the upstream providers' constraints.
4. Embedded AI features. The features that quietly appeared inside the tools your organisation already uses — note-takers, summarisers, copilots, smart-reply suggestions. These are the suppliers nobody assessed because nobody bought them. They deserve the most rigorous handling, not the least.
Most supplier security questionnaires were written for static SaaS. For AI you need additional questions, each of which has at least one wrong answer that should stop adoption.
The questions matter, but the contractual right to ask them and the operational rhythm of asking them matter more.
Contracts signed before 2023 generally predate the generative-AI era. They are silent on training data, on model change, on output liability and on regulator co-operation under the EU AI Act (European Parliament 2024). Three additions matter most.
Data use clauses that bind the supplier and any subcontractor not to train on customer data without explicit, contract-grade consent. The default needs to be off.
Change notification clauses that require advance notice of material changes to the model, hosting location, or fine-tuning posture. The minimum useful notice is enough time to test against your own evaluation set.
Audit and evidence clauses that grant the right to receive evaluation evidence, security attestations and incident records, not just SOC 2 letters. For high-risk uses, the right to participate in a regulator's investigation under the AI Act is increasingly relevant.
The most common 2024–2025 incident pattern is not the procured platform; it is the embedded feature. A meeting tool adds a transcription summariser. A CRM ships a generative email drafter. A code editor adds an autocomplete that ingests the whole codebase. None of these went through procurement; each of them now processes confidential material.
The remedy is procedural rather than technical: every existing supplier review cycle asks the additional question "What AI features have you added since we last reviewed you?" and treats the answer as a re-classification trigger. ISO/IEC 42001 Annex A includes explicit controls for this, but the discipline matters more than the standard reference (ISO/IEC 2023).