AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← All news

Topic

Vendor Risk

Vendor risk refers to the potential threats and compliance gaps introduced when enterprises rely on third-party AI providers, tool makers, and service vendors. In AI governance, vendor risk encompasses concerns about data security, model transparency, regulatory compliance, and the vendor's own governance practices since enterprises remain liable for how external AI systems perform and handle sensitive information. Managing vendor risk requires rigorous vendor assessment, contractual controls, audit rights, and ongoing monitoring to ensure third-party AI solutions meet organizational and regulatory standards.

6 items

ResearchUS2026-06-19

Harvard Law Review Identifies Fiduciary Blind Spots in Frontier AI Board Structures at OpenAI and Anthropic

A January 2025 Harvard Law Review article analyzes how unconventional board structures at frontier AI companies such as OpenAI and Anthropic create unresolved fiduciary and accountability gaps. The article argues that mission-driven governance models and atypical stakeholder control mechanisms may fail to constrain "amoral drift" in corporate AI decision-making. Enterprise compliance teams relying on these companies as critical AI vendors should treat the analysis as a vendor governance risk signal.

corporate governancefrontier AIvendor riskfiduciary dutyboard oversight
ResearchCanada2026-06-16

Canada's New AI Strategy Puts Workforce Literacy and Sovereign Infrastructure at the Center of Enterprise Compliance Risk

A June 2026 analysis by Canadian law firm BD&P examines Canada's new national AI strategy, identifying workforce AI literacy, sovereign AI infrastructure, and trusted partnership standards as the pillars with the most direct compliance implications. The commentary highlights that Canadian enterprises face governance obligations spanning employee training programs, vendor oversight, and participation in emerging standards development. Compliance teams with Canadian operations should treat this as an early signal to audit existing AI governance programs against the strategy's priorities.

Canada AI policyAI literacyvendor riskstandards developmententerprise compliance
InsightUnited States2026-06-13

Fable 5 and Mythos 5 Suspended by U.S. Export Control Directive: Three Governance Gaps Enterprise AI Programs Have Not Planned For

On June 12, 2026, a U.S. government export control directive required Anthropic to suspend all access to Fable 5 and Mythos 5 for foreign nationals, effectively disabling the models for all customers overnight. The immediate trigger was a narrow code-analysis jailbreak technique, but the directive exposes deeper gaps: most enterprise AI governance programs have no continuity plan for government-mandated model suspension, no process for nationality-based access controls, and no export control review in their AI vendor assessment workflow.

export controlsAnthropicFable 5Mythos 5frontier modelsnational securityforeign national accessvendor riskbusiness continuitycybersecuritygovernment directivemodel accessgeopolitical risk
Corporate PolicyGlobal2026-05-01

Safety Pause Commitment Dropped from Anthropic's Responsible Scaling Policy Version 3.0

Anthropic released version 3.0 of its Responsible Scaling Policy (RSP) in February 2026, eliminating the company's original commitment to pause AI development if safety could not be guaranteed in advance. The safety pause provision had been a defining feature of Anthropic's voluntary governance framework since the company introduced the RSP in 2023. The removal marks a material shift in how Anthropic's self-imposed development constraints are structured, moving away from a precautionary halt mechanism toward an updated framework whose specific replacement controls have not been fully detailed in public reporting. For enterprise compliance teams, this change is relevant to vendor risk assessments and third-party AI governance reviews, as Anthropic's RSP has been cited by organizations as evidence of supplier-level safety commitments when procuring or integrating Claude-based products. Compliance teams that reference Anthropic's published governance commitments in internal risk documentation, procurement due diligence, or regulatory disclosures should review whether those references remain accurate under the new policy version.

AnthropicClauderesponsible scalingfrontier AI safetyvendor riskprocurementcorporate AI policythird-party governancerisk managementUnited States
Corporate PolicyUS2026-02-05

GPT-4.5 Arrives as 'Research Preview,' Triggering Procurement and Risk Controls Before Any Production Use

OpenAI released GPT-4.5 under a research preview designation, describing it as its largest and most capable chat model to date, in notes published to the OpenAI Help Center. The research preview status signals that the model has not yet reached a full general availability release, which carries direct implications for how enterprises may procure, test, and deploy it. Organizations that treat preview models as production-ready without appropriate governance controls risk accepting undefined risk profiles that fall outside standard AI risk management processes.

OpenAIGPT-4.5model procurementrisk managemententerprise governancevendor risktransparencymodel evaluationUnited States
Corporate PolicyGlobal2025-05-30

Four Corporate AI Governance Gaps Partnership on AI Says Organizations Must Close Now

The Partnership on AI published a position piece on May 30, 2025, arguing that corporate AI governance programs are materially incomplete without formal controls spanning supply chain responsibility, end-user terms and conditions, AI assurance ecosystems, and real-time monitoring of autonomous AI agents. The piece targets enterprise compliance and risk functions and connects each governance gap to documented incident patterns and operational accountability failures. It does not carry binding regulatory force but represents practitioner-level guidance from a recognized multi-stakeholder body whose membership includes major technology deployers and civil society organizations.

AI agentsvendor riskassurancesupply chaincorporate governance