Topic

Third-Party Risk

Third-party risk refers to the potential threats and compliance challenges that arise when organizations rely on external vendors, contractors, contractors, or service providers to handle data, systems, or AI models. In AI governance, managing third-party risk is critical because external vendors may have inconsistent security standards, unclear data handling practices, or inadequate AI safety measures that could compromise an organization's compliance posture and regulatory obligations. Enterprises must assess vendor AI capabilities, contractual protections, audit rights, and cybersecurity practices to mitigate exposure to liability, data breaches, and regulatory penalties stemming from third-party AI systems or negligence.

3 items

ResearchUS2026-05-03

Anthropic's Safety Board Structure Among Frontier AI Governance Mechanisms Analyzed in Harvard Law Review

A March 2026 Harvard Law Review article examines how frontier AI companies such as OpenAI and Anthropic have adopted governance structures designed to counterbalance commercial profit pressures with safety-oriented accountability. The analysis focuses in particular on Anthropic's charter mechanism, which grants Class T shareholders the right to elect three of five board directors either after May 24, 2027 or eight months following the receipt of $6 billion in investment capital, whichever occurs first. These trustees are empowered to prioritize safety considerations, structurally limiting the influence of purely profit-driven incentives at the board level. The research classifies these arrangements as prosocial corporate governance tools and situates them within broader stakeholder-focused approaches to managing AI development risks. For enterprise compliance teams, the analysis provides a framework for evaluating whether AI vendors' internal governance structures credibly constrain high-risk development practices, which is increasingly relevant to third-party risk assessments and AI procurement due diligence. While the article is not a binding instrument, its articulation of concrete governance benchmarks offers practical reference points for assessing AI suppliers against emerging standards.

Anthropic OpenAI corporate governance board structure AI safety frontier AI accountability procurement third-party risk United States

Corporate PolicyGlobal2026-04-19

Cybersecurity Concerns Trigger Restricted Rollout of Claude Mythos Preview, Anthropic Says

Anthropic has applied deployment restrictions to Claude Mythos Preview, a model in its Claude series with advanced reasoning capabilities comparable to the Opus and Sonnet lines, citing cybersecurity safety concerns identified during red-teaming evaluations. The restricted rollout reflects a deliberate governance decision to limit access before broader release, following internal safety testing that flagged potential cybersecurity risks associated with the model's capabilities. For enterprise compliance teams, this action signals that leading AI developers are operationalizing pre-deployment safety gates that can delay or constrain commercial availability of frontier models. Organizations that have integrated or planned to integrate Claude-series models into workflows should assess vendor communication channels to understand which model versions are accessible and under what conditions. The restriction also underscores the growing importance of supplier-side AI governance disclosures as part of third-party risk management programs.

Anthropic Claude cybersecurity red-teaming model evaluation risk management transparency frontier models restricted rollout third-party risk

ResearchGlobal2025-05-30

Shadow AI and Client-Side Widgets Create an Inventory Gap That Existing Controls Do Not Cover, Kiteworks Analysis Finds

Kiteworks published a research piece on May 30, 2025, framing the central AI governance challenge as an architecture and visibility problem rather than a policy problem. The analysis identifies shadow AI deployments, embedded client-side scripts, third-party AI widgets, and fragmented controls as the primary blind spots undermining enterprise AI oversight. It recommends continuous inventory, Content Security Policy and script allowlists, third-party AI monitoring programs, joint incident response planning, and treating AI widgets as data processors under applicable privacy frameworks.

shadow AI third-party risk data privacy AI inventory vendor management