Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk.
About
To mitigate the potential harms of third-party system failure, organizations should implement policies and procedures that include redundancies for covering third-party functions.
Actions
Establish policies for handling third-party system failures that include consideration of redundancy mechanisms for vital third-party AI systems.
Verify that incident response plans address third-party AI systems.
Transparency and Documentation
Organizations can document the following:
To what extent does the plan specifically address risks associated with acquisition, procurement of packaged software from vendors, cybersecurity controls, computational infrastructure, data, data science, deployment mechanics, and system failure?
Did you establish a process for third parties (e.g., suppliers, end-users, subjects, distributors/vendors or workers) to report potential vulnerabilities, risks or biases in the AI system?
If your organization obtained datasets from a third party, did your organization assess and manage the risks of using such datasets?