Policy, Program and Procedures

  • 1.  Managing Vendors with New AI Capabilities After Onboarding

    Posted 21 days ago

    How are your teams managing vendors with AI capabilities?

    I work at a financial institution regulated by the OCC, for context. We have a GenAI review group and a somewhat half-baked process for approving AI capabilities. It works reasonably well for new vendor relationships, but it does not adequately address existing vendor relationships where AI capabilities or features are introduced after onboarding, that is, during the course of the relationship.

    We recently ran into this issue with a vendor, which was onboarded and risk-rated appropriately early last year. At some point earlier this year, they released a new AI capability and sent a notification to users announcing the feature and its effective date. The internal vendor owner did not raise the new functionality to our GenAI review group in accordance with policy. As a result, we now have an audit recommendation to enhance our oversight process.

    We will, of course, reinforce training for vendor owners, and we also have an annual process in place to check in with vendor owners about new features. That said, those are still point-in-time controls and do not fully solve the problem.

    I would be very interested to hear what others in the community are doing. How are you monitoring vendors with AI capabilities, and how are you identifying new AI deployments or features that arise after the initial onboarding and review process?

    Thank you in advance for any thoughts or examples you would be willing to share.

    Best,
    Tiffany




  • 2.  RE: Managing Vendors with New AI Capabilities After Onboarding

    Posted 8 days ago

    Hi Tiffany,

    Great question! We recently updated our Risk Classification Questionnaire (RCQ), which by the way is a stand-alone Excel. We added 2 questions to address the issues you ask about.

    Whenever there is a new agreement for review, whether it be MSA, SOW, Invoice, Quote, Proposal, etc., a new RCQ is required, which brings us to the first new question:

    Service: Is it New, Changed or No Change?

    Here are the answer choices:

    - This RCQ is for an existing service and there has been no change to the service.

    - This RCQ is for an existing service, but the scope and nature of the service is changing. Therefore, I have provided an updated detailed description of the service, noting what is changing.

    - This RCQ is for a new service. I have provided a detailed description of all aspects of the new service.

    As for understanding the AI, the second new question is:

    In providing the product or service, will the vendor utilize Artificial Intelligence (AI)? Note: If the product or service provides multiple AI uses, please select the highest number choice applicable.

    We believe AI uses fall into 3 general buckets, each of which carries a higher risk rating because of the compliance requirements. The answer choices are:

    No, the vendor's product or service does not utilize AI.

    1-Yes, the vendor's product or service does utilize AI in the analysis of data or problem solving to increase productivity.

    2-Yes, the vendor's product or service does utilize AI in communications with members.

    3-Yes, the vendor's product or service does utilize AI in application, fraud, pricing, collections or credit decisioning.

    I hope this helps you. Please feel free to reach out to me if you want to discuss further.

    Thanks!




  • 3.  RE: Managing Vendors with New AI Capabilities After Onboarding

    Posted 8 days ago

    Tiffany,


    What you're describing is one of the more challenging issues in TPRM right now, and I don't think training or annual check-ins will fix it on their own. Not because they aren't valuable, but because the bigger gap is timing.

    Vendors are releasing AI capabilities on their own schedules, notifying users through the same channel as a routine update, and by the time you receive it, the AI feature is already live.


    Here's where I'd focus:

    If your vendor agreements don't currently require prior notice of material changes, prioritize it at contract renewal or renegotiation. I would prioritize your higher-risk relationships, as it can be challenging to change all your contracts at once.


    Beyond contracts, training alone doesn't address the root issue, which is that many vendor owners don't know what warrants escalation. Give them a short, specific decision rule: if a vendor introduces or modifies an AI or automated decisioning feature, escalate to the GenAI review group before enabling the functionality.


    Have conversations with your vendors, as well. Ask them directly if they've introduced or modified any AI or machine learning capabilities since the last review. Ask if they have any planned in the next 12 months. Documented vendor attestations create a paper trail and shift the accountability.


    Monitor the vendor's release notes and product communications proactively. This requires some operational lift but is a necessity for your higher-risk vendors. Someone on your team, or through your TPRM platform, should track product release communications.


    Happy to keep the conversation going. This is an area where sharing what's working across the community helps everyone's programs.




  • 4.  RE: Managing Vendors with New AI Capabilities After Onboarding

    Posted 7 days ago

    Hannah,

    Thank you for the thoughtful response. Vendor attestations are not something I had considered before, so I really appreciate the recommendation.

    We can absolutely incorporate language into our onboarding platform, Zip, through the vendor portal and capture responses there. Is that something you are currently doing on your side? I would be interested to hear what that looks like in practice.

    I also completely agree that vendor release notes and product communications should be monitored on a periodic basis. The challenge for us is that we do not currently have a TPRM platform, and my team consists of only three people. I generally view that type of ongoing monitoring as the vendor owner's responsibility, but I would be open to centralizing that responsibility if there were an efficient way to do it.

    Realistically, we may not have a TPRM platform in place for another year, and more likely two, if we are fortunate. It is difficult to effectively monitor these relationships and mitigate risk as vendor engagements continue to grow without the proper tools and resources. In the meantime, we are doing our best to make the current process work while also building the internal case for why these tools and additional support would be valuable and ultimately beneficial to the firm.

    Thank you again for the helpful suggestions. I would love to hear more about how you are approaching this on your end.

    Best,

    Tiffany