AI Vendor Concentration Risk Assessment
Assess and manage the risk arising from organizational dependence on a small number of AI vendors or underlying model providers, and maintain a documented supplier redundancy posture to ensure operational continuity if a primary vendor is disrupted, suspends access, or becomes unavailable.
Objective
Prevent operational disruption and governance gaps from over-reliance on a single AI vendor by identifying and quantifying concentration exposure, and establishing vendor redundancy or contingency plans proportionate to the criticality of the dependent workflows.
Maturity Levels
Initial
AI vendor dependencies are not tracked systematically. The organization may not know how many critical workflows depend on a single provider or model.
Developing
Key AI vendors are known, but concentration risk is not formally assessed. There are no documented fallback plans for vendor disruption.
Defined
An annual AI vendor concentration risk assessment inventories vendor dependencies, quantifies the business impact of disruption for each critical dependency, and identifies workflows with single-vendor exposure. Concentration risk above a defined threshold triggers a documented contingency plan.
Managed
Concentration risk is tracked in the vendor risk register and reviewed when new AI vendor relationships are established. Contingency plans for high-concentration dependencies are tested annually. The organization has established at least one qualified alternative for its highest-criticality AI vendor relationships.
Optimizing
Vendor concentration limits are defined as a governance policy (e.g., no more than 60% of critical AI workflows dependent on a single provider). New AI procurement is assessed against concentration limits before approval. Concentration risk metrics are reported to the board AI governance committee.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Annual AI vendor concentration risk assessment covering all critical AI workflows, with quantified concentration metrics and business impact estimates.
- Contingency plans for all dependencies classified as high-concentration and high-criticality, including identified alternatives and switching procedures.
- Evidence that qualified alternatives have been evaluated under vendor due diligence criteria.
- Annual review records confirming contingency plans remain current.
Implementation Notes
Why concentration risk is distinct from vendor due diligence
Vendor due diligence (PRC-001) assesses whether a specific vendor is an acceptable partner. Concentration risk assessment addresses a different question: what happens if an acceptable vendor becomes unavailable, regardless of the reason?
The risk is not limited to vendor insolvency or service outage. The June 2026 U.S. export control directive requiring Anthropic to suspend Fable 5 and Mythos 5 for foreign nationals demonstrated that government action can make a specific model unavailable across an entire customer base overnight, with no advance notice and no defined restoration timeline. Organizations that had built critical workflows on these models faced operational disruption that their existing incident response plans, designed for technical failures and vendor outages with SLAs, were not equipped to handle.
Concentration risk at the model layer is particularly acute because:
- Many enterprise AI products are built on a small number of underlying model providers (Anthropic, OpenAI, Google DeepMind). A vendor that appears distinct may use the same underlying model as other vendors in the portfolio.
- Switching costs are real: re-evaluation, re-tuning, and re-testing of a different model for an established workflow takes time the organization may not have in an emergency.
- Regulatory risk is directional: the U.S. export control directive is unlikely to be the last government action affecting AI model access. Organizations with significant concentration should treat geopolitical AI access risk as a named category, not a tail event.
Assessing concentration
For each production AI workflow, document:
- Primary vendor and model.
- Underlying model provider (if the vendor's product is built on a third-party model).
- Business criticality: what is the impact of a 24-hour, 72-hour, and 30-day disruption?
- Qualified alternative: is there another model or vendor that could substitute? Has it been evaluated?
- Switching time: how long would it take to switch to the alternative? What re-testing is required?
Calculate concentration metrics:
- What fraction of critical workflows depend on a single vendor?
- What fraction depend on models from a single underlying model provider?
- What is the aggregate revenue or operational exposure if the top vendor were unavailable for 30 days?
Contingency planning for high-concentration dependencies
For every dependency classified as high-concentration and high-criticality:
- Identify and qualify at least one alternative. The alternative should be assessed under the same criteria as the primary vendor (PRC-001, PRC-003). Do not defer this until disruption occurs.
- Document the switching procedure. What steps are required to redirect the workflow to the alternative? Who authorizes the switch? How long does it take?
- Test the contingency. At minimum, verify the alternative model can handle the relevant workflows in a staging environment. For the highest-criticality workflows, run a live pilot on the alternative.
- Maintain currency. Alternatives go stale: models are deprecated, vendors change terms, and organizational workflows change. Re-verify alternatives annually.
Example Implementation
AI Vendor Concentration Risk Register (excerpt)
Assessment date: 2026-06-01 | Next review: 2027-06-01
| Workflow | Primary vendor | Underlying model provider | Criticality | 30-day disruption impact | Qualified alternative | Switching time estimate | Contingency status |
|---|---|---|---|---|---|---|---|
| Customer support AI | VendorCo (Claude API) | Anthropic | High | Revenue impact: ~$2M/month; 40% reduction in support capacity | Internal deployment of open-weight model (Llama 3.1 70B) | 3-4 weeks (re-testing required) | Alternative evaluated; runbook drafted |
| Contract review assistant | OpenAI API (GPT-4o) | OpenAI | High | Legal team throughput reduced 60%; manual review backlog accumulates | Anthropic API (Claude 3.7 Sonnet) | 1-2 weeks | Alternative tested in staging; API keys provisioned |
| Internal code review bot | GitHub Copilot | OpenAI | Medium | Developer velocity impact; not revenue-critical | Continue without AI assistance (process documented) | Immediate | Degraded-mode process documented |
| Competitive intelligence digest | Perplexity API | Mixed | Low | Report delays only | Manual research process | Immediate | No contingency required |
Concentration summary:
- 2 of 4 critical workflows depend on OpenAI as underlying model provider (either directly or via vendor).
- 1 of 4 depends on Anthropic.
- Concentration threshold (>60% critical workflows on one provider) not breached.
- No workflows lack a documented contingency plan.
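As an added illustration (not part of this control's own text or any vendor's tooling), the following Python computes the concentration metrics described under "Assessing concentration" from the register excerpt above and checks them against the 60% policy limit; the `Workflow` fields, the function names and the criticality ranking are this example's own assumptions, and the rows are constructed from the table.

```python
from collections import Counter
from dataclasses import dataclass

# Rows constructed from the register excerpt above; field names are this example's own.
@dataclass(frozen=True)
class Workflow:
    name: str
    vendor: str
    provider: str      # underlying model provider
    criticality: str   # "High", "Medium" or "Low"
    contingency: str   # contingency status; empty string means none documented

REGISTER = [
    Workflow("Customer support AI", "VendorCo (Claude API)", "Anthropic", "High",
             "Alternative evaluated; runbook drafted"),
    Workflow("Contract review assistant", "OpenAI API (GPT-4o)", "OpenAI", "High",
             "Alternative tested in staging; API keys provisioned"),
    Workflow("Internal code review bot", "GitHub Copilot", "OpenAI", "Medium",
             "Degraded-mode process documented"),
    Workflow("Competitive intelligence digest", "Perplexity API", "Mixed", "Low",
             "No contingency required"),
]

CONCENTRATION_LIMIT = 0.60  # policy threshold from the Optimizing level above
RANK = {"Low": 0, "Medium": 1, "High": 2}  # assumed ordering of criticality labels


def provider_concentration(register, min_criticality=None):
    """Share of workflows depending on each underlying model provider.
    min_criticality=None counts every registered workflow (the "2 of 4" reading
    in the summary above); "High" restricts the denominator to High workflows."""
    rows = [w for w in register
            if min_criticality is None or RANK[w.criticality] >= RANK[min_criticality]]
    if not rows:
        return {}
    return {p: n / len(rows) for p, n in Counter(w.provider for w in rows).items()}


def breached_providers(register, limit=CONCENTRATION_LIMIT, min_criticality=None):
    """Providers whose share exceeds the limit; a non-empty result triggers the
    documented contingency plan required at the Defined level."""
    shares = provider_concentration(register, min_criticality)
    return sorted(p for p, s in shares.items() if s > limit)


def missing_contingency(register):
    """Workflows with no documented contingency status, a register gap to close."""
    return [w.name for w in register if not w.contingency.strip()]
```

Run the same functions with `min_criticality="High"` to see how the picture changes when only the High-criticality workflows form the denominator.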
