The modern enterprise runs on third-party AI it does not always know it is running. Foundation models are called from SaaS platforms. AI features are embedded in CRM plugins, productivity tools, code editors, and customer service platforms. Each of these introduces a supplier whose AI behavior is part of the enterprise’s operational surface, and whose security posture is effectively inherited.
27001:2022 has controls for third-party risk. The question is whether those controls, as written, actually cover what AI suppliers bring into the organization.
## The common belief
The belief that closes most vendor assessments is that the standard third-party risk process handles AI vendors like any other supplier. Send the security questionnaire. Check SOC 2 or 27001 status. Review the DPA. Approve.
That process was designed for suppliers whose behavior is bounded: they process your data according to a contract, in systems they control, with security controls you can verify. AI suppliers break several of those assumptions.
## What makes AI suppliers structurally different
### 1. The product changes without notice
A traditional SaaS vendor updates its platform on a release schedule, often with change notices and retention of prior functionality. An AI vendor updating its underlying model may do so weekly or daily, without clear communication, and the new model may behave materially differently from the one you evaluated. Your security questionnaire captured a snapshot. The reality is a moving target.
### 2. The inputs travel further than expected
Queries sent to third-party AI systems become, in many architectures, potential training data for future model versions. Even when terms of service exclude customer data from training, the reality of chained subprocessors, log retention, and fine-tuning practices is rarely as clean as the contract suggests. Your data governance policy may forbid sending sensitive data to external parties; your developers may be doing exactly that through an AI coding assistant your ISMS has no visibility into.
### 3. The failure modes are novel
Traditional third-party risk focuses on breach, unavailability, and non-compliance. AI suppliers add failure modes that existing control frameworks do not name: hallucinated outputs entering workflows, biased recommendations reaching production decisions, prompt injection attacks exploiting downstream systems, training data contamination affecting customer-specific behavior.
### 4. The supply chain has more layers
An AI vendor often runs on another AI vendor’s foundation model, which runs on another vendor’s infrastructure. Each layer has its own data handling, its own governance, and its own security posture. Your second-tier and third-tier AI suppliers may be invisible to you entirely.
> The ISMS control for third-party risk was built for suppliers. AI suppliers are supply chains.
>
## What the 27001:2022 controls cover, and where they stop
The relevant 2022 Annex A controls include A.5.19 through A.5.23 (supplier relationships, ICT supply chain, cloud services), A.5.21 (information security in ICT supply chain), and A.5.23 (information security for cloud services). These controls ask the organization to define security requirements for suppliers, verify those requirements are met, and monitor compliance over time.
Applied to AI suppliers, the controls produce reasonable first-order coverage: data security in transit, encryption at rest, access controls, incident notification. Where they stop:
– No explicit requirement to evaluate the supplier’s AI governance practices
– No explicit requirement to assess model behavior or drift over time
– No explicit requirement to audit subprocessors for AI-specific practices
– No explicit requirement to monitor the supplier’s model updates and their impact
Each of these gaps is addressable within the 27001 framework, but only if the organization extends its supplier evaluation methodology deliberately.
## Reframing the question
The question most vendor assessment processes ask is “Does this supplier have adequate security?” The question needed for AI suppliers is “Does this supplier have adequate security AND adequate governance of the AI system we are integrating, AND visibility into their own supply chain?”
The second question requires different evidence and different contractual terms. It also usually requires integration between the security team and the AI or data science team, which many organizations have not formalized.
## The structural shift
Supply chain visibility has been the direction of travel in information security for the past decade: 27001:2022 added specific controls, NIST SP 800-161 codified ICT supply chain risk management, and EU NIS2 extended scope to critical supply chain dependencies. AI is pushing the trend one layer further. The expectation is shifting from “show me your suppliers’ security” to “show me your suppliers’ AI governance, and their suppliers’ AI governance.”
Organizations that build this capability now will meet the expectation when it becomes procurement default. Organizations that defer will add the work later, under more time pressure, during a regulatory inquiry or a customer-driven audit.
## What this means for your organization
Inventory your AI supply chain explicitly. Start with the AI features your organization uses directly, then trace through SaaS platforms and embedded tools. Many organizations discover 3–5x more AI vendors than they had previously counted.
Extend the vendor security questionnaire with AI-specific sections. Model update practices, subprocessor disclosure for AI, training data handling, model behavior monitoring, incident response for AI-specific failure modes. Zertia publishes a template on request.
Contract for change. Your terms with AI suppliers need to address what happens when the underlying model changes materially. Without that, a supplier can replace its model with one that behaves differently and technically remain in compliance with a contract written for the old one.
> Your ISMS certifies that you govern information security. Your AI supply chain is where that governance is leaking, silently, through vendors that were onboarded before anyone drew a boundary around AI.
>
—
Ready to extend your supplier governance to AI?
📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)
–
