How are your teams managing vendors with AI capabilities?
I work at a financial institution regulated by the OCC, for context. We have a GenAI review group and a somewhat half-baked process for approving AI capabilities. It works reasonably well for new vendor relationships, but it does not adequately address existing vendor relationships where AI capabilities or features are introduced after onboarding, that is, during the course of the relationship.
We recently ran into this issue with a vendor, which was onboarded and risk-rated appropriately early last year. At some point earlier this year, they released a new AI capability and sent a notification to users announcing the feature and its effective date. The internal vendor owner did not raise the new functionality to our GenAI review group in accordance with policy. As a result, we now have an audit recommendation to enhance our oversight process.
We will, of course, reinforce training for vendor owners, and we also have an annual process in place to check in with vendor owners about new features. That said, those are still point-in-time controls and do not fully solve the problem.
I would be very interested to hear what others in the community are doing. How are you monitoring vendors with AI capabilities, and how are you identifying new AI deployments or features that arise after the initial onboarding and review process?
Thank you in advance for any thoughts or examples you would be willing to share.
Best,
Tiffany