Due Diligence and Ongoing Monitoring

I'm wondering if any users have begun monitoring or tracking their vendors relative to their use of AI.   If so, are you inquiring via Questionnaire or other means and how is your organization incorporating that into your vendor management and risk assessment process?

We started asking questions about use of AI/LLM in third party tools earlier this year, but we have now decided to stop. We expect all companies have or will have some form of AI embedded in their products and we decided what matters most is still that they have controls in place to protect our data. We also decided that ultimately we care most about third parties not using our company data to train their models so our focus has shifted to getting contract terms to that effect with any third party software moving forward. Interested to hear what others are doing as well!

We have not implemented anything specific to AI as yet but the approach you describe is definitely what we have been leaning toward adopting in the short term.  There are however a couple of AI use cases that I struggle with a little:

• Customer service such chat bots, its direct customer interaction so I get concerned about UDAAP among other things.  If that kind of interaction was with a real person, I would obtain information on hiring and training practices etc.  I question what the equivalent due diligence or control review would be for AI.
• Appraisals.  With all the focus on fair and equitable appraisals, I question what the appropriate due diligence is to understand any AI impact to the appraisal process.  I am thinking its in understanding and documenting how the model has been trained.  On the surface AI would seem to pose less risk of bias but it's all in the training data so evidencing that somehow.