Getting Started with AI Vendor Management

Published on September 23, 2024

Introduction

If you just read my previous blog post, which reflects on the urgency of AI governance and the pitfalls of not starting with vendor management, then you came to the right next post. This blog post dives deeper into the practical steps of establishing a vendor management program for AI Governance, focusing on how to build it without using sophisticated tools.

1. The Foundation of Vendor Management: Understanding Your Vendor Landscape

Most posts will tell you to start by mapping out your organization’s vendor landscape. I'm not. As I expressed to you before, your employees aren't waiting to adopt AI in tools they are using, so all your prep time is making your business more valuable. Instead, pick the top 5-10 tools your company uses (that you know they use) and create a spreadsheet. Classify these vendors as your high risk, critical or whatever metric you want to use to indicate the level of importance.

2. Assessing and Categorizing Vendor Risk

Okay, I know I said we need to get going, but I have to take a step back and explain categorizing vendors. Categorizing risk levels is not easy, which is why I told you to start with your top 5-10. The top 5-10 should be the vendors that are used by a lot of people in your organization. Take Jira as an example. Jira is often a developer's tool, but because of its project management features, a lot of operations teams have adopted it and conformed it to their use case. I am often asked to use Jira in my capacity as an attorney to track contract review! So it can be a very widespread tool with a ton of data in it. That means it fits four criteria: (1) high usage, (2) ease of use, (3) unstructured data capture, and (4) information that will range from confidential proprietary code to customer data. That's high risk. Not all vendors pose the same level of risk, but I encourage the use of at least 3 categories with the logic I just used.

Risk Categories:

  • Low Risk: Vendors with little to no access to confidential data (e.g., office supplies).
  • Medium Risk: Vendors with access to confidential information but not critical data (e.g., marketing tools).
  • High Risk: Vendors with access to sensitive data or systems that could impact business operations or compliance (e.g., cloud providers, AI development platforms).

3. Back to Those 5-10 Vendors

Create a spreadsheet in Sheets or Excel and label the columns as follows: vendor, risk category (they should all be high), type of confidential data, GenAI features?, internal teams, link to terms of service, link to privacy policy, ResponsibleAI disclosure, cost, use and pass?. It does not have to be in that order, but those are the critical columns.

Hopefully the columns are self-explanatory, but for the internal teams one, you need to identify which teams are using it. In my Jira example above, some teams may be using it for a higher level of confidential data than others.

4. Approving an Already Approved Vendor

What happens if you review a vendor's terms of service and notice that they are training a model on your data? It's tricky because you have not even picked your AI governance framework or process yet! So how can you approve them? The simple answer is you can't. At this point, you are taking action with your AI governance role but you are also developing your program. Sneaky, eh? Yes, you cannot build an AI Governance program sitting at your desk and reading articles on the internet like this one. By having all this data about your existing vendors you are learning how your company is adopting AI, which has a significant influence on the program you want to launch as well as the data supporting your position to management.

Conclusion: Start Small, Think Big

Building a vendor management program without tools might seem daunting, but starting small with basic steps can make a big difference. Don't make yourself crazy, you multiple hat wearer with too much to do. Start with what you already have. It will inform your program but it will also let you get started on day 1 of your new role.
