AI third‑party risk debate
- Social posts highlighted growing focus on AI-specific third-party risk, urging a move beyond checkbox vendor assessments.
- Participants called for integrated frameworks that blend governance, cybersecurity, ethics, and resilience for AI suppliers.
- The discussion reframes vendor oversight to include model behaviour, data handling, and contractual guardrails. (x.com)
Companies buying artificial intelligence tools are being pushed to treat vendors as part of their own risk perimeter, not as a box-checking procurement step. (nist.gov) The shift shows up in current guidance as well as in industry debate.

On April 15, 2026, the Health Sector Coordinating Council released a guide on third-party AI risk and supply chain transparency for healthcare organizations buying outside AI tools. (aha.org) The guide says buyers need more than a standard vendor questionnaire because third-party AI can change over time, depend on hidden subcontractors, and process sensitive data in ways customers cannot easily see. It calls for stronger disclosure, governance, and risk management around outside AI systems and vendors. (healthsectorcouncil.org)

The core problem is simple: a company can outsource software, but it does not outsource accountability for what that software does. If an AI vendor leaks data, produces unsafe outputs, or changes a model after deployment, the customer still faces the legal, security, and operational fallout. (kpmg.com) That is why newer frameworks fold AI into governance, cybersecurity, privacy, ethics, and resilience at the same time. NIST's AI Risk Management Framework (AI RMF) and its Generative AI Profile both tell organizations to govern, map, measure, and manage risks across the whole life cycle, not only at purchase. (nist.gov, nist.gov)

In practice, that changes the questions procurement teams ask. Instead of stopping at financial stability and basic security controls, buyers are asking how a model was trained, what data it retains, whether customer prompts can be reused, how performance is monitored, and what happens when the vendor updates the system. (pwc.com)

Contract terms are moving too.
Guidance for AI procurement from the World Economic Forum says organizations should spell out accountability, transparency, data strategy, and governance before adoption, rather than trying to bolt those controls on after deployment. (weforum.org, weforum.org)

Sector-specific pressure is adding urgency. The Health Sector Coordinating Council framed third-party AI risk as a supply-chain issue in healthcare, where hidden dependencies and weak disclosures can affect clinical operations, patient data, and cyber defense at the same time. (govinfosecurity.com, healthsectorcouncil.org)

Consultants and standards groups are converging on the same message from different angles. ISACA published a lifecycle framework for risk practitioners in April 2026, while firms including PwC and KPMG have argued that AI vendor reviews now need to cover bias, privacy, security, and operational continuity together. (isaca.org, pwc.com, kpmg.com)

The debate is no longer whether third-party risk applies to AI. It is whether companies can keep using old vendor checklists for systems that learn, change, and act on data long after the contract is signed. (nist.gov, healthsectorcouncil.org)