AI Vendor Management Procedure
Procedure for managing AI vendors and third-party AI components including due diligence, risk assessment, and ongoing monitoring.
STD-AI-001: AI System Classification Standard, STD-AI-002: AI Risk Management Standard, STD-AI-009: Quality Management Standard
Purpose
This procedure establishes the requirements for managing third-party AI system vendors throughout the vendor lifecycle, ensuring that procured AI systems comply with the EU AI Act and organizational requirements. This includes vendor selection, due diligence, contracting, ongoing management, and termination.

**Key EU AI Act Articles:**
- **Article 26:** Obligations of deployers of high-risk AI systems (including when using third-party systems)
- **Article 16:** Obligations of providers of high-risk AI systems
- **Article 25:** Responsibilities along the AI value chain
- **Article 28:** Obligations of distributors, importers, deployers, and other third parties
Applies To
- Procurement of off-the-shelf AI systems and components
- AI system development by third-party vendors
- AI-as-a-Service (AIaaS) subscriptions
- AI model providers and foundation model APIs
- AI infrastructure and platform providers
- AI consultants and integrators providing AI capabilities
- Sub-processors of AI vendors
Does Not Apply To
- Internally developed AI systems (see AI Development Lifecycle Procedure (PROC-AI-DEV-001))
- Non-AI software procurement
- Hardware-only procurement without AI components
Procedure Steps: 36
Roles Defined: 7