myctrl.tools

E006 Conduct vendor due diligence

Control Description

Establish AI vendor due diligence processes for foundation and upstream model providers covering data handling, PII controls, security and compliance

Application

Mandatory

Frequency

Every 12 months

Capabilities

Universal

Controls & Evidence (1)

Operational Practices

E006.1
Documentation: Vendor due diligence

Core - This should include:

- Defining assessment criteria for foundational or upstream AI models. For example, data handling and ownership practices, PII controls, security measures, compliance status, and open-source status.
- Conducting documented assessments. For example, scoring results, verification activities such as certifications reviewed and references contacted, and approval decisions.
- Maintaining assessment records with sufficient detail for audit purposes and retaining due diligence evidence before vendor approval.

Typical evidence: Vendor assessment records showing evaluation criteria, scoring results, verification activities, approval decisions with accountable leads, and retained evidence supporting the assessment. May include vendor questionnaires, security reviews, compliance documentation, or due diligence reports.
Location: Vendor Contracts, Internal processes

Cross-Framework Mappings

OWASP Top 10 for LLMs
