Risk Management: Vendor Use of AI
by
February 25, 2025
Venminder recently published its “State of Third Party Risk Management” report, which presents the results of a survey of organizations in a range of industries, including financial services, fintech, retail, healthcare, insurance, and IT. Participants in the survey ranged from small businesses with fewer than 100 employees to large organizations with over 5,000 employees. Vendor use of AI was one of the top concerns expressed by survey participants, and this excerpt discusses how they’re approaching this issue:
Vendor use of artificial intelligence is another top concern, with organizations allotting more vendor management resources to mitigating this risk. In 2024, 37% of organizations weren’t managing AI risk. That number has fallen dramatically in 2025 to just 23% — a 38% decline.
Organizations are using or planning to use many of the tools in their TPRM arsenal to assess and monitor vendor AI risk. They are adding language to vendor contracts (40%), documenting risks (39%), and verbally communicating with vendors (38%). Contract management, vendor risk assessments, and speaking with vendors about how their AI use might impact an organization are essential for any organization that is worried about vendor AI risk — but there is a control for mitigating vendor AI risk that organizations have been slower to adopt: collecting vendor documentation.
Collecting documentation is critical to the due diligence process — an essential step in the vendor risk management lifecycle. Examples of documents that can help assess vendor AI risk include policies detailing how the vendor ensures ethical AI usage, accountability, and decision-making oversight and documentation offering insights into model development and training (i.e. data sources and quality standards), algorithmic decision making, and security.
The survey also addresses a variety of other TPRM-related issues, including organizational perceptions of TPRM, what TPRM programs and policies look like today, and approaches to “fourth party” and cybersecurity risks. It closes by offering recommendations and suggested best practices based on survey responses.