AI-vendor register with data flows
Demonstrate that the organization maintains a complete, current inventory of all AI vendors with documented data flows that enables risk assessment and governance oversight.
Description
What this control does
An AI-vendor register with data flows is a centralized inventory documenting all third-party artificial intelligence systems, services, and providers used across the organization, including detailed mappings of what data is sent to each vendor, how it is processed, and where outputs are stored or consumed. This register captures vendor names, contract details, AI capabilities utilized, data classification levels, processing purposes, retention policies, and cross-border transfer mechanisms. Maintaining this register enables organizations to understand their AI supply chain risk surface, enforce data governance policies, meet transparency obligations, and respond rapidly to vendor-specific security incidents or regulatory inquiries.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, current inventory of all AI vendors with documented data flows that enables risk assessment and governance oversight.
Associated risks
Risks this control addresses
- Unauthorized transmission of sensitive or regulated data to AI vendors without appropriate legal or technical safeguards
- Shadow AI adoption where business units deploy AI tools without security review, creating unmanaged attack surfaces
- Inability to conduct impact assessments when an AI vendor experiences a data breach or service compromise
- Non-compliance with data localization, cross-border transfer, or data residency requirements due to unknown vendor processing locations
- Inadvertent exposure of intellectual property, trade secrets, or customer data through AI training or model fine-tuning without contractual protections
- Failure to enforce data minimization principles when excessive data is shared with AI vendors for unnecessary processing purposes
- Vendor lock-in or operational disruption due to lack of visibility into dependencies on AI services across business processes
Testing procedure
How an auditor verifies this control
- Request the current AI-vendor register and confirm it includes fields for vendor name, service type, data categories processed, data flow direction, processing purpose, and geographic locations.
- Select a sample of five business units or departments and interview stakeholders to identify AI tools in active use, comparing findings against the register to detect unrecorded vendors.
- Review procurement records, SaaS license inventories, and cloud billing statements from the past 12 months to identify AI-related expenditures and cross-reference with the register.
- For a sample of three high-risk AI vendors handling sensitive data, obtain and review data processing agreements, data flow diagrams, and data classification mappings documented in the register.
- Examine network traffic logs or data loss prevention system logs for a one-week period to identify API calls or data transfers to known AI vendor endpoints and verify they are documented.
- Interview the register owner or data governance team to confirm the update process, review evidence of quarterly reviews or updates, and verify accountability for register maintenance.
- Select two AI vendors processing personal data and trace their register entries to corresponding privacy impact assessments, vendor risk assessments, or security questionnaires.
- Test completeness by selecting three known AI tools from IT asset inventories or endpoint management systems and verifying their presence in the register with accurate data flow documentation.
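As an added illustration of the log cross-reference and completeness tests in the steps above (example code, not part of this control description), the following Python reconciliation parses constructed proxy/DLP records and compares AI-service destinations and their DLP classification labels against a constructed register, flagging endpoints the register lacks and data flows it does not document. Vendor names, endpoints and the key=value log layout are all assumptions.

```python
from collections import defaultdict

# Constructed register entries (hypothetical vendors and endpoints, not real
# services) with the data classifications each vendor is approved to receive.
REGISTER = [
    {"vendor": "ExampleLLM Inc", "endpoint": "api.examplellm.test",
     "data_categories": {"public", "internal"}, "region": "EU"},
    {"vendor": "TranscribeCo", "endpoint": "upload.transcribeco.test",
     "data_categories": {"internal", "confidential"}, "region": "US"},
]

# Constructed proxy/DLP records in an assumed key=value layout (no product's
# real format). 'cat' is the proxy URL category, 'label' the DLP classification.
SAMPLE_LOGS = """\
ts=2024-05-01T09:12:03Z user=u1 dst=api.examplellm.test cat=ai label=internal bytes=4096
ts=2024-05-01T09:15:41Z user=u2 dst=api.examplellm.test cat=ai label=confidential bytes=120000
ts=2024-05-01T10:02:17Z user=u3 dst=assist.unknown-ai.test cat=ai label=internal bytes=2048
ts=2024-05-01T10:30:00Z user=u1 dst=upload.transcribeco.test cat=ai label=confidential bytes=900000
ts=2024-05-01T10:31:12Z user=u4 dst=intranet.example.test cat=web label=internal bytes=512
"""

def parse_line(line):
    """Split 'k=v k=v' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split())

def reconcile(register, log_text):
    """Flag AI destinations absent from the register, and transfers to registered
    vendors carrying a classification the register does not document for them."""
    by_endpoint = {e["endpoint"]: e for e in register}
    unregistered = defaultdict(int)
    undocumented = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("cat") != "ai":
            continue  # only AI-service destinations are in scope
        entry = by_endpoint.get(rec["dst"])
        if entry is None:
            unregistered[rec["dst"]] += 1
        elif rec["label"] not in entry["data_categories"]:
            undocumented.append((entry["vendor"], rec["dst"], rec["label"], rec["user"]))
    return {"unregistered": dict(unregistered), "undocumented_category": undocumented}

if __name__ == "__main__":
    report = reconcile(REGISTER, SAMPLE_LOGS)
    for dst, n in report["unregistered"].items():
        print(f"NOT IN REGISTER: {dst} ({n} transfers)")
    for vendor, dst, label, user in report["undocumented_category"]:
        print(f"UNDOCUMENTED FLOW: {vendor} ({dst}) received '{label}' data from {user}")
```

Each finding maps back to an audit step: an unregistered destination is a completeness gap (steps 5 and 8), while an undocumented classification is a data-flow gap to trace against the vendor's processing agreement (step 4).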
Where this control is tested