MAP-4.2—Internal risk controls for components of the AI system including third-party AI technologies are identified and documented.

In the course of their work, AI actors often utilize open-source, or otherwise freely available, third-party technologies – some of which may have privacy, bias, and security risks. Organizations may consider internal risk controls for these technology sources and build up practices for evaluating third-party material prior to deployment.

Organizations can document the following

• Can the AI system be audited by independent third parties?
• To what extent do these policies foster public trust and confidence in the use of the AI system?
• Are mechanisms established to facilitate the AI system’s auditability (e.g. traceability of the development process, the sourcing of training data and the logging of the AI system’s processes, outcomes, positive and negative impact)?

AI Transparency Resources

• GAO-21-519SP: AI Accountability Framework for Federal Agencies & Other Entities.
• Intel.gov: AI Ethics Framework for Intelligence Community - 2020.
• WEF Model AI Governance Framework Assessment 2020.
• Assessment List for Trustworthy AI (ALTAI) - The High-Level Expert Group on AI - 2019. LINK, .

Office of the Comptroller of the Currency. 2021. Comptroller's Handbook: Model Risk Management, Version 1.0, August 2021. Retrieved on July 7, 2022.

Proposed Interagency Guidance on Third-Party Relationships: Risk Management, 2021.

Kang, D., Raghavan, D., Bailis, P.D., & Zaharia, M.A. (2020). Model Assertions for Monitoring and Improving ML Models. ArXiv, abs/2003.01668.