About this program
Most “AI risk” is really 3rd-party risk: data egress to OpenAI/Anthropic/Google + training opt-outs + retention. Quick check.
Risks addressed
- Critical: Confidential data exfiltrated via free-tier AI tools
- Critical: Data used to train the provider's next model
- High: Output relied on without verifying provenance / accuracy
Controls (7)
- High: AI-vendor register with data flows
How to test + evidence
Testing procedure: Every AI vendor in use is mapped to the data that is sent to it.
Evidence to collect: Vendor register.
- Critical: Enterprise tier / DPA covering training opt-out
How to test + evidence
Testing procedure: Confirmation in the contract that customer data is NOT used to train the provider's models.
Evidence to collect: Signed DPA / contract clause.
- High: Block / proxy free-tier consumer AI tools
How to test + evidence
Testing procedure: Egress controls block consumer AI domains for corporate devices, or proxy them through an approved gateway.
Evidence to collect: Egress policy + DLP.
- High: Approved-tool allowlist communicated to staff
How to test + evidence
Testing procedure: Staff know what they can use and what they cannot; reminders + training.
Evidence to collect: Policy + training material.
- Critical: PII / IP not sent to AI without classification check
How to test + evidence
Testing procedure: DLP scans uploads / pastes to AI tools for Restricted-classified data.
Evidence to collect: DLP policy + sample alert.
- Medium: Retention limit + log purge on AI vendor side
How to test + evidence
Testing procedure: Vendor retention configured to minimum or zero where possible.
Evidence to collect: Vendor retention setting.
- High: Provenance + human-review of AI output for critical use
How to test + evidence
Testing procedure: Code / legal / medical / customer comms from AI are reviewed by a qualified human before use.
Evidence to collect: Review process doc.