Dependency on providers
Excessive reliance on one or a few AI providers creates a single point of failure: when no alternatives exist, or when models, data and integrations are not interoperable, an outage, price change, policy change or compromise at the provider propagates directly to every dependent system.
ENTITY
1 - Human
INTENT
2 - Unintentional
TIMING
3 - Other
Risk ID
mit1062
Domain lineage
6. Socioeconomic and Environmental
6.1 > Power centralization and unfair distribution of benefits
Mitigation strategy
1. Establish a mandate for minimizing single-vendor dependency, either by training sensitive models in-house or by adopting a multi-cloud/multi-provider deployment strategy, so that the organization remains resilient to provider failure. Concurrently, index only the minimum necessary data for AI retrieval and implement row-level access controls, so that a compromised or misconfigured identity (including the provider's own service identity) can reach only the rows it is entitled to, shrinking the blast radius.
2. Enforce stringent contractual obligations that require AI providers to adhere to established interoperability standards and data protocols (e.g., the Model Context Protocol or industry-specific standards) to ensure technical and data portability. These agreements must also stipulate mandatory disclosure of AI components, transparency about risk controls, and defined exit strategies (data export formats, transition timelines, deletion attestations) so that migration to an alternative service is feasible before it becomes urgent.
3. Enhance the Third-Party Risk Management (TPRM) framework by incorporating AI-specific due diligence and continuous monitoring. This involves modifying risk-tiering models to rank vendors by the criticality of the AI use case and the sensitivity of the data they process, and requiring evidence of holistic controls, auditability, and alignment with emerging global governance mandates such as the EU AI Act.