AI Vendor Governance

Most organizations deploy AI through third parties: foundation model APIs, packaged AI products, and AI-enabled SaaS platforms. This creates a governance problem. The organization is responsible to regulators and customers for AI behavior, but the model, training data, and safety controls belong to the vendor.

The EU AI Act creates specific obligations for organizations deploying AI built on third-party models, including due diligence requirements and contractual provisions. Financial regulators have updated third-party risk management guidance to cover AI vendors. Procurement teams are beginning to require AI transparency reports and audit rights as standard contract terms.

This hub tracks the regulatory requirements, contractual frameworks, and practitioner guidance for governing AI vendors and third-party AI systems.

9 items

ResearchUS2026-06-19

Harvard Law Review Identifies Fiduciary Blind Spots in Frontier AI Board Structures at OpenAI and Anthropic

A January 2025 Harvard Law Review article analyzes how unconventional board structures at frontier AI companies such as OpenAI and Anthropic create unresolved fiduciary and accountability gaps. The article argues that mission-driven governance models and atypical stakeholder control mechanisms may fail to constrain "amoral drift" in corporate AI decision-making. Enterprise compliance teams relying on these companies as critical AI vendors should treat the analysis as a vendor governance risk signal.

corporate governance frontier AI vendor risk fiduciary duty board oversight

ResearchCanada2026-06-16

Canada's New AI Strategy Puts Workforce Literacy and Sovereign Infrastructure at the Center of Enterprise Compliance Risk

A June 2026 analysis by Canadian law firm BD&P examines Canada's new national AI strategy, identifying workforce AI literacy, sovereign AI infrastructure, and trusted partnership standards as the pillars with the most direct compliance implications. The commentary highlights that Canadian enterprises face governance obligations spanning employee training programs, vendor oversight, and participation in emerging standards development. Compliance teams with Canadian operations should treat this as an early signal to audit existing AI governance programs against the strategy's priorities.

Canada AI policy AI literacy vendor risk standards development enterprise compliance

InsightUnited States2026-06-13

Fable 5 and Mythos 5 Suspended by U.S. Export Control Directive: Three Governance Gaps Enterprise AI Programs Have Not Planned For

On June 12, 2026, a U.S. government export control directive required Anthropic to suspend all access to Fable 5 and Mythos 5 for foreign nationals, effectively disabling the models for all customers overnight. The immediate trigger was a narrow code-analysis jailbreak technique, but the directive exposes deeper gaps: most enterprise AI governance programs have no continuity plan for government-mandated model suspension, no process for nationality-based access controls, and no export control review in their AI vendor assessment workflow.

export controls Anthropic Fable 5 Mythos 5 frontier models national security foreign national access vendor risk business continuity cybersecurity government directive model access geopolitical risk

ResearchUS2026-05-03

Anthropic's Safety Board Structure Among Frontier AI Governance Mechanisms Analyzed in Harvard Law Review

A March 2026 Harvard Law Review article examines how frontier AI companies such as OpenAI and Anthropic have adopted governance structures designed to counterbalance commercial profit pressures with safety-oriented accountability. The analysis focuses in particular on Anthropic's charter mechanism, which grants Class T shareholders the right to elect three of five board directors either after May 24, 2027 or eight months following the receipt of $6 billion in investment capital, whichever occurs first. These trustees are empowered to prioritize safety considerations, structurally limiting the influence of purely profit-driven incentives at the board level. The research classifies these arrangements as prosocial corporate governance tools and situates them within broader stakeholder-focused approaches to managing AI development risks. For enterprise compliance teams, the analysis provides a framework for evaluating whether AI vendors' internal governance structures credibly constrain high-risk development practices, which is increasingly relevant to third-party risk assessments and AI procurement due diligence. While the article is not a binding instrument, its articulation of concrete governance benchmarks offers practical reference points for assessing AI suppliers against emerging standards.

Anthropic OpenAI corporate governance board structure AI safety frontier AI accountability procurement third-party risk United States

Corporate PolicyGlobal2026-05-01

Safety Pause Commitment Dropped from Anthropic's Responsible Scaling Policy Version 3.0

Anthropic released version 3.0 of its Responsible Scaling Policy (RSP) in February 2026, eliminating the company's original commitment to pause AI development if safety could not be guaranteed in advance. The safety pause provision had been a defining feature of Anthropic's voluntary governance framework since the company introduced the RSP in 2023. The removal marks a material shift in how Anthropic's self-imposed development constraints are structured, moving away from a precautionary halt mechanism toward an updated framework whose specific replacement controls have not been fully detailed in public reporting. For enterprise compliance teams, this change is relevant to vendor risk assessments and third-party AI governance reviews, as Anthropic's RSP has been cited by organizations as evidence of supplier-level safety commitments when procuring or integrating Claude-based products. Compliance teams that reference Anthropic's published governance commitments in internal risk documentation, procurement due diligence, or regulatory disclosures should review whether those references remain accurate under the new policy version.

Anthropic Claude responsible scaling frontier AI safety vendor risk procurement corporate AI policy third-party governance risk management United States

Corporate PolicyGlobal2026-04-19

Cybersecurity Concerns Trigger Restricted Rollout of Claude Mythos Preview, Anthropic Says

Anthropic has applied deployment restrictions to Claude Mythos Preview, a model in its Claude series with advanced reasoning capabilities comparable to the Opus and Sonnet lines, citing cybersecurity safety concerns identified during red-teaming evaluations. The restricted rollout reflects a deliberate governance decision to limit access before broader release, following internal safety testing that flagged potential cybersecurity risks associated with the model's capabilities. For enterprise compliance teams, this action signals that leading AI developers are operationalizing pre-deployment safety gates that can delay or constrain commercial availability of frontier models. Organizations that have integrated or planned to integrate Claude-series models into workflows should assess vendor communication channels to understand which model versions are accessible and under what conditions. The restriction also underscores the growing importance of supplier-side AI governance disclosures as part of third-party risk management programs.

Anthropic Claude cybersecurity red-teaming model evaluation risk management transparency frontier models restricted rollout third-party risk

Corporate PolicyUS2026-02-05

GPT-4.5 Arrives as 'Research Preview,' Triggering Procurement and Risk Controls Before Any Production Use

OpenAI released GPT-4.5 under a research preview designation, describing it as its largest and most capable chat model to date, in notes published to the OpenAI Help Center. The research preview status signals that the model has not yet reached a full general availability release, which carries direct implications for how enterprises may procure, test, and deploy it. Organizations that treat preview models as production-ready without appropriate governance controls risk accepting undefined risk profiles that fall outside standard AI risk management processes.

OpenAI GPT-4.5 model procurement risk management enterprise governance vendor risk transparency model evaluation United States

ResearchGlobal2025-05-30

Shadow AI and Client-Side Widgets Create an Inventory Gap That Existing Controls Do Not Cover, Kiteworks Analysis Finds

Kiteworks published a research piece on May 30, 2025, framing the central AI governance challenge as an architecture and visibility problem rather than a policy problem. The analysis identifies shadow AI deployments, embedded client-side scripts, third-party AI widgets, and fragmented controls as the primary blind spots undermining enterprise AI oversight. It recommends continuous inventory, Content Security Policy and script allowlists, third-party AI monitoring programs, joint incident response planning, and treating AI widgets as data processors under applicable privacy frameworks.

shadow AI third-party risk data privacy AI inventory vendor management

Corporate PolicyGlobal2025-05-30

Four Corporate AI Governance Gaps Partnership on AI Says Organizations Must Close Now

The Partnership on AI published a position piece on May 30, 2025, arguing that corporate AI governance programs are materially incomplete without formal controls spanning supply chain responsibility, end-user terms and conditions, AI assurance ecosystems, and real-time monitoring of autonomous AI agents. The piece targets enterprise compliance and risk functions and connects each governance gap to documented incident patterns and operational accountability failures. It does not carry binding regulatory force but represents practitioner-level guidance from a recognized multi-stakeholder body whose membership includes major technology deployers and civil society organizations.

AI agents vendor risk assurance supply chain corporate governance